Hello!
Does anyone know why participating in a Webex meeting would trigger Snort.TCP.SACK.Option.DoS alerts?
It's strange that whenever my colleagues in China use Webex meetings, the firewall sends such alerts, but colleagues in other countries have never triggered these alerts.
Message as below:
Message meets Alert condition
The following intrusion was observed: Snort.TCP.SACK.Option.DoS.
devid=FGT80ETK19013926 eventtime=1700546688481956986 tz="+0800" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="low" srcip=192.168.120.24 srccountry="Reserved" dstip=173.243.0.86 dstcountry="United States" srcintf="port1" srcintfrole="undefined" dstintf="wan1" dstintfrole="undefined" sessionid=166589540 action="dropped" proto=6 service="SSL" policyid=23 attack="Snort.TCP.SACK.Option.DoS" srcport=32860 dstport=443 hostname="tsa.webex.com" url="/" direction="incoming" attackid=17562 profile="fw_prof_upg_strict" ref="http://www.fortinet.com/ids/VID17562" incidentserialno=94388018 msg="protocol_decoder: Snort.TCP.SACK.Option.DoS" crscore=5 craction=32768 crlevel="low"
I know how to whitelist these alerts, but I'm curious why they were triggered.
Thanks in advance!
Hi
According to https://www.fortiguard.com/encyclopedia/ips/17562 it seems that the SACK option is part of a small-length TCP packet in the traffic coming from China.
If you can take a capture of the Webex traffic from China and also from another country, we could compare both to understand the differences (probably the length).
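To act on the suggestion above, a practitioner needs two things: a parser for the FortiGate key=value IPS log so the alert fields (attack, attackid, src/dst, port) can be pulled out of many events at once, and a TCP option walker that reports the length of every SACK option in the captured packets so the two captures can be compared. The block below is an added example written for this post; it is not Fortinet code and does not reproduce the actual matching logic of signature 17562. The log line is a constructed sample built from the fields in the post, and the two TCP headers are constructed in the script (one well-formed SACK block, one SACK option with an impossible length). The rule that a SACK option must be 2 + 8n bytes long with 1 to 4 blocks comes from RFC 2018; whether that is exactly what the signature checks is an assumption.

```python
import re
import struct

# Constructed sample: the FortiGate IPS event from the post, shortened to the
# fields that matter for triage. Not a live log line.
SAMPLE_LOG = (
    'devid=FGT80ETK19013926 type="utm" subtype="ips" level="alert" '
    'srcip=192.168.120.24 dstip=173.243.0.86 action="dropped" proto=6 '
    'service="SSL" attack="Snort.TCP.SACK.Option.DoS" srcport=32860 '
    'dstport=443 hostname="tsa.webex.com" attackid=17562 '
    'msg="protocol_decoder: Snort.TCP.SACK.Option.DoS"'
)

# key=value pairs; values are either "double quoted" or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_log(line):
    """Return a dict of the key=value fields in one FortiGate log line."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def build_tcp_header(options):
    """Constructed test helper: a minimal TCP header carrying `options`.

    Options are padded with EOL (0x00) to a 4-byte boundary and the data
    offset field is set accordingly. Ports, seq/ack and checksum are dummies.
    """
    padded = options + b"\x00" * (-len(options) % 4)
    doff = (20 + len(padded)) // 4
    fixed = struct.pack("!HHIIBBHHH", 32860, 443, 1, 1, doff << 4, 0x10, 65535, 0, 0)
    return fixed + padded


def parse_tcp_options(tcp_header):
    """Walk the TCP option list; each entry is a dict with kind/length/data,
    or an 'error' key when the encoding is inconsistent with the header."""
    doff = (tcp_header[12] >> 4) * 4
    opts = tcp_header[20:doff]
    result, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of option list
            break
        if kind == 1:            # NOP: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            result.append({"kind": kind, "error": "truncated option"})
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            result.append({"kind": kind, "length": length, "error": "bad length"})
            break
        result.append({"kind": kind, "length": length, "data": opts[i + 2:i + length]})
        i += length
    return result


def check_sack_options(options):
    """Findings for SACK (kind 5) options. Per RFC 2018 a SACK option is
    2 + 8n bytes, n in 1..4. Anything else is worth comparing between captures."""
    findings = []
    for opt in options:
        if opt.get("kind") != 5:
            continue
        if "error" in opt:
            findings.append(f"SACK option: {opt['error']}")
            continue
        length = opt["length"]
        if (length - 2) % 8 != 0 or not 10 <= length <= 34:
            findings.append(f"SACK option with invalid length {length}")
            continue
        blocks = [struct.unpack("!II", opt["data"][j:j + 8]) for j in range(0, length - 2, 8)]
        findings.extend(f"SACK block left edge {l} >= right edge {r}" for l, r in blocks if l >= r)
    return findings


# Constructed packets: one valid SACK block, one SACK option claiming 4 bytes.
GOOD_HEADER = build_tcp_header(b"\x01\x01\x05\x0a" + struct.pack("!II", 1000, 2000))
BAD_HEADER = build_tcp_header(b"\x05\x04\x00\x00")

if __name__ == "__main__":
    ev = parse_fortigate_log(SAMPLE_LOG)
    print(ev["attackid"], ev["attack"], ev["srcip"], "->", ev["dstip"], ev["dstport"])
    for name, hdr in (("good", GOOD_HEADER), ("bad", BAD_HEADER)):
        print(name, check_sack_options(parse_tcp_options(hdr)) or "no SACK anomalies")
```

In practice you would feed `parse_tcp_options` the TCP layer of each packet from the two pcaps (for example via scapy's `raw(pkt[TCP])`) and compare the SACK lengths and block counts seen from the China path against the other country; the log parser lets you first confirm all the dropped sessions share the same attackid and destination before spending time on the captures.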
Copyright 2024 Fortinet, Inc. All Rights Reserved.