What is Removed the urgent flag and pointer in TCP header? What should I do about it?

Question

Hi, 
 I am very new to firewalls in general. 
 For the last couple of days, I have been getting "Removed the urgent flag and pointer in TCP header" notifications on the network attacks 
 It targets our web server on DMZ. 
 
 What does this mean? Is there something I need to do? what would be my due diligence and best practices? 
 Thank you for your time.

Erick Jan · Accepted Answer

Hi, 
 Thank you for reaching out to Sophos Community. 
 The log entry "Removed the urgent flag and pointer in TCP header" is generated by the TCP normalization feature of your Sophos Firewall. It occurs when the firewall detects and modifies TCP packets with the URG (urgent) flag set, which can be used in certain types of attacks (e.g., Urgent Pointer exploits or TCP stream injection). It can also occur due to non-malicious behavior, such as legacy or misconfigured applications using deprecated TCP urgent flags. 
 Potential Threats: 
 
 Possible TCP Urgent Pointer exploits or reconnaissance attempts. 
 It could be false positives from legacy applications or misconfiguration 
 
 Related Settings: 
 
 DPI Engine: TCP normalization policy. 
 IPS Rules: TCP exploit detection. 
 Application Filter: Possible flag inspection. 
 
 Recommended Actions: 
 
 Review IPS Logs: Identify any triggered rules. 
 Packet Capture: Analyze traffic patterns. 
 Update IPS Patterns: Ensure rules are up-to-date. 
 Adjust TCP Normalization: Modify policies if traffic is legitimate.

What is Removed the urgent flag and pointer in TCP header? What should I do about it?

Top Replies