TCP data changed
Summary
An overlap in new TCP data with queued data has been observed, and the overlapping data has changed between the two packets.
Details
This technique is used by advanced hackers to hijack connections. They utilize IP spoofing and sequence number guessing to intercept a user's connection and inject their own data into the connection. If successful, the hacker can gain control of a system.
False Positives
This may be a false positive. The intrusion is triggered if the TCP data has changed within two frames. In theory, this should never happen. However, some recent TCP implementations (Win 2000 and some Unix implementations) send "status" information after a RESET within the data part of the frame. This condition, which results in a false detection, has been addressed in the 3.0 release of BlackICE.
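The check described in the Summary, together with the RESET case from False Positives, as an added example (not BlackICE's own code). The function names, the first-copy-wins policy and the sample segments are assumptions constructed for illustration.

```python
# Added example, not BlackICE code. The sample segments are constructed.
SEQ_MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits

def changed_overlap(queued, seq, payload):
    """Return (seq, old, new) for each byte that overlaps queued data but differs.

    queued maps sequence number -> byte already seen for this flow direction.
    Bytes not seen before are added; bytes already seen are kept (first copy
    wins, an assumption of this sketch).
    """
    changed = []
    for offset, new in enumerate(payload):
        pos = (seq + offset) % SEQ_MOD
        old = queued.setdefault(pos, new)
        if old != new:
            changed.append((pos, old, new))
    return changed

def scan_flow(segments, skip_rst_data=True):
    """segments: iterable of (seq, payload, rst_flag). Returns [(index, changed)].

    skip_rst_data=True ignores payload carried on RST segments, the case the
    False Positives paragraph describes.
    """
    queued, alerts = {}, []
    for index, (seq, payload, rst) in enumerate(segments):
        if rst and skip_rst_data:
            continue
        changed = changed_overlap(queued, seq, payload)
        if changed:
            alerts.append((index, changed))
    return alerts

# Constructed flow: two in-order segments, an identical retransmission,
# a segment that rewrites queued bytes, and status text carried on a RST.
SAMPLE = [
    (1000, b"GET /index", False),
    (1010, b".html HTTP", False),
    (1010, b".html HTTP", False),
    (1005, b"other.html", False),
    (1015, b"reset by peer", True),
]

if __name__ == "__main__":
    for index, changed in scan_flow(SAMPLE):
        print(f"segment {index}: {len(changed)} overlapping bytes changed")
```

The identical retransmission raises nothing, and with `skip_rst_data=False` the RST segment is reported as well, which reproduces the false detection.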
Version appeared: 2.5