pfSense - Suricata - Alerts - SURICATA STREAM reassembly overlap with different data

TCP stream overlaps with different data.

Possible Man-on-the-Side attack.

Re-sending a TCP segment with different data is also a known way to attempt to evade an IDS/IPS: if the sensor and the end host choose different copies when reassembling the stream, the sensor inspects data the host never processes.

In practice, an attacker may use packet injection to insert a TCP packet with a payload to be executed by the victim, such as an HTTP redirect to a malicious web site.

The TCP sequence number of this injected packet will typically be the same as that in the real HTTP response coming from the legitimate web server.

Thus, the end node will see two overlapping TCP segments with different application layer data.
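As an added illustration (not Suricata's code and not part of the original page), the following Python models the condition behind this alert: it walks the segments of one direction of a TCP stream, finds pairs whose sequence ranges overlap, and labels an overlap as a plain retransmission when the shared bytes are identical or as different-data when they are not. The segments and HTTP payloads are constructed; which copy the end host actually accepts depends on that host's reassembly policy (Suricata models this with its host-os-policy setting), which this toy model does not attempt to reproduce.

```python
"""Toy model of the condition behind Suricata's
"STREAM reassembly overlap with different data" event.
Added example: not Suricata code and not from the original page."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes  # application-layer bytes carried by this segment

    @property
    def end(self) -> int:
        return self.seq + len(self.payload)


def find_overlaps(segments):
    """Return (earlier, later, kind) for every pair of segments whose
    sequence ranges overlap. kind is 'retransmission' when the shared
    byte range carries identical data and 'different-data' otherwise,
    which is the case this Suricata alert fires on."""
    findings = []
    # sorted() is stable, so segments with equal seq keep their wire order
    ordered = sorted(segments, key=lambda s: s.seq)
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if b.seq >= a.end:
                break  # every later segment starts further right: no overlap possible
            lo, hi = max(a.seq, b.seq), min(a.end, b.end)
            if hi <= lo:
                continue  # empty payload, nothing to compare
            a_bytes = a.payload[lo - a.seq:hi - a.seq]
            b_bytes = b.payload[lo - b.seq:hi - b.seq]
            kind = "retransmission" if a_bytes == b_bytes else "different-data"
            findings.append((a, b, kind))
    return findings


def summarize(findings):
    """Count overlap kinds, e.g. {'retransmission': 1, 'different-data': 2}."""
    return dict(Counter(kind for _, _, kind in findings))


# Constructed sample stream (server -> client direction), listed in wire order.
LEGIT = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
INJECTED = b"HTTP/1.1 302 Found\r\nLocation: http://redirect.example/\r\n\r\n"


def sample_stream():
    return [
        Segment(1000, LEGIT),        # genuine response from the server
        Segment(1000, INJECTED),     # forged segment reusing the same sequence number
        Segment(1020, LEGIT[20:]),   # benign retransmission of the tail of LEGIT
    ]


if __name__ == "__main__":
    for a, b, kind in find_overlaps(sample_stream()):
        print(f"seq {a.seq}-{a.end} vs {b.seq}-{b.end}: {kind}")
    print(summarize(find_overlaps(sample_stream())))
```

Only the different-data overlaps correspond to this alert; the retransmission of the tail is the ordinary case that a sensor must not flag, which is why the comparison is on the shared byte range rather than on sequence numbers alone.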


Seen Against

209.85.230.248 IP Address Information
ISP: Google LLC
Usage Type: Data Center/Web Hosting/Transit
Hostname: r2---sn-25ge7ns7.gvt1.com
Domain Name: google.com

Suppress

#SURICATA STREAM reassembly overlap with different data
suppress gen_id 1, sig_id 2210050
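The suppress entry above silences the alert for every source. Where it keeps firing for a known CDN such as the host listed under "Seen Against", a narrower option is Suricata's per-source suppression (`track by_src, ip ...` in threshold.config). As an added example (not from this page and not pfSense or Suricata code), the Python below reads eve.json alert records, counts this signature per source, and emits scoped suppress lines only for addresses on a reviewed allowlist. The log lines are constructed; the only real value in them is 209.85.230.248 from this page, and 10.0.0.5 is a made-up internal host.

```python
"""Triage helper for sid 2210050 in Suricata eve.json output.
Added example: not from the original page, not pfSense or Suricata code."""
import json
from collections import Counter

SIG_ID = 2210050  # SURICATA STREAM reassembly overlap with different data
GEN_ID = 1

# Constructed eve.json lines. Field names follow Suricata's alert schema; values are
# made up except 209.85.230.248, which appears on this page.
SAMPLE_EVE = """\
{"timestamp":"2023-01-01T10:00:00.000000+0000","event_type":"alert","src_ip":"209.85.230.248","src_port":443,"dest_ip":"192.168.1.20","dest_port":51000,"proto":"TCP","alert":{"gen_id":1,"signature_id":2210050,"signature":"SURICATA STREAM reassembly overlap with different data","severity":3}}
{"timestamp":"2023-01-01T10:00:01.000000+0000","event_type":"alert","src_ip":"209.85.230.248","src_port":443,"dest_ip":"192.168.1.21","dest_port":51002,"proto":"TCP","alert":{"gen_id":1,"signature_id":2210050,"signature":"SURICATA STREAM reassembly overlap with different data","severity":3}}
{"timestamp":"2023-01-01T10:00:02.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":8080,"dest_ip":"192.168.1.20","dest_port":51004,"proto":"TCP","alert":{"gen_id":1,"signature_id":2210050,"signature":"SURICATA STREAM reassembly overlap with different data","severity":3}}
{"timestamp":"2023-01-01T10:00:03.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"192.168.1.20","proto":"TCP"}
"""


def alerts_by_source(eve_lines, sig_id=SIG_ID):
    """Count alerts for one signature per source IP, skipping non-alert
    events and lines that are not valid JSON."""
    counts = Counter()
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") != "alert":
            continue
        if rec.get("alert", {}).get("signature_id") != sig_id:
            continue
        counts[rec["src_ip"]] += 1
    return dict(counts)


def suppress_lines(counts, allowlist, sig_id=SIG_ID, gen_id=GEN_ID):
    """Emit threshold.config suppress entries scoped to reviewed source
    addresses only; sources not on the allowlist stay visible."""
    return [
        f"suppress gen_id {gen_id}, sig_id {sig_id}, track by_src, ip {ip}"
        for ip in sorted(counts)
        if ip in allowlist
    ]


if __name__ == "__main__":
    counts = alerts_by_source(SAMPLE_EVE.splitlines())
    for ip, n in counts.items():
        print(f"{ip}: {n} alert(s)")
    for entry in suppress_lines(counts, allowlist={"209.85.230.248"}):
        print(entry)
```

Run against a real eve.json by passing the file's lines instead of SAMPLE_EVE; the allowlist is deliberately explicit so that the internal host, which is the case worth investigating, is never suppressed by accident.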