Intrusion Prevention



This signature indicates detection of a TCP protocol anomaly of which a TCP packet containing a SACK option has a unusual short length.

Affected Products

Any host running TCP services


Protocol Anomaly: This is an anomaly which may also indicate attack attempts in some cases.

Recommended Actions

This indicates detection of traffic that does not comply with the protocol standard.
Monitor the traffic from that network for any suspicious activity.