====== PFSense - Suricata - Alerts - SURICATA STREAM reassembly overlap with different data ======
TCP stream overlaps with different data.
Possible Man-on-the-Side attack.
Resending of different data in TCP streams is a way to attempt to evade the IDS/IPS.
In practice, an attacker may use packet injection to insert a TCP packet with a payload to be executed by the victim, such as an HTTP redirect to a malicious web site.
The TCP sequence number of this injected packet will typically be the same as that in the real HTTP response coming from the legitimate web server.
Thus, the end node will see two overlapping TCP segments with different application layer data.
----
===== Seen Against =====
209.85.230.248 IP Address Information
ISP Google LLC
Usage Type Data Center/Web Hosting/Transit
Hostname r2---sn-25ge7ns7.gvt1.com
Domain Name google.com
----
===== Suppress =====
#SURICATA STREAM reassembly overlap with different data
suppress gen_id 1, sig_id 2210050