TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems! ----------------------------------------------------------------------------
We've updated this signature for improved accuracy in Network Sensor 7.0 (to be released in June). It will now be called TCP_Data_Changed. The signature fires when it sees TCP segments with overlapping data that does not match.

Here's some follow-on info from the new help file:

  This signature detects discrepancies between overlapping TCP segments that have not yet been acknowledged by the destination. This may indicate malfunctioning network equipment or an attacker's attempt to evade an intrusion detection system.

  False positives

  Some TCP stacks implement a TCP window probe that consists of a single byte of data sent to the remote end using a sequence number that has previously been ACKed. Per RFC 793, the recipient, upon receipt of a sequence number outside of the current receive window, returns an ACK containing the correct sequence number. This ACK also contains the current window size, which fulfills the purpose of the TCP window probe. In order to avoid false positives in this situation, the IDS will not alert when differential data is seen which precedes the currently acknowledged sequence number. If, however, the IDS has missed the last ACK from the destination due to a dropped packet or asymmetrical route, then an otherwise benign TCP window probe may trigger this signature.

--Jordan

=============================
Jordan Blake - [EMAIL PROTECTED]
Product Manager
Network Protection Solutions
Internet Security Systems - The Power to Protect
=============================

-----Original Message-----
From: Norton, Jason [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 13, 2002 3:14 PM
To: 'Kenneth Yip'; Fiona Campbell; York, Larry
Cc: [EMAIL PROTECTED]
Subject: RE: TCP_Overlap_Data

We also see quite a bit from cold fusion apps in the Web DMZ.
-----Original Message-----
From: Kenneth Yip [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 09, 2002 10:14 PM
To: Fiona Campbell
Cc: [EMAIL PROTECTED]
Subject: Re: TCP_Overlap_Data

We see false positives for TCP_Overlap_Data commonly on traffic to/from busy websites.

On Thu, 9 May 2002, Fiona Campbell wrote:
>
> Hi
>
> We have RealSecure Network Sensor 6.0 and are seeing large numbers of
> TCP_Overlap_Data events. The signature description says that there are no
> false positives for this event and that they should never happen naturally
> on a network, but have been observed in conjunction with malfunctioning
> network equipment. With many of the events, if I visit the site which is the
> source, I see more events occurring at the moment I enter the site. I have
> been in contact with the source of some of the events and they have told me
> that they do not have any malfunctioning network equipment, but they believe
> that use of an Internet VPN for connectivity to vendors can cause false
> positives.
>
> Has anyone else heard this or know of any false positives for
> TCP_Overlap_Data?
>
> Thanks,
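The following is an added worked example, not code from ISS or from anyone in this thread. It is a toy model of the TCP_Data_Changed logic Jordan describes: per flow, keep the data segments the sensor has seen that the receiver has not fully acknowledged, compare the bytes of any later segment that overlaps them, and suppress the alert when the differing bytes lie entirely at or before the last ACK the sensor has observed (the window-probe exception from the help text). The scenario functions show a benign window probe being suppressed when the sensor saw the ACK, the same probe firing when the ACK was missed (the dropped-packet or asymmetric-route case), and a genuine mismatch in unacknowledged data firing. The class, function and flow-key layout, and the constructed addresses and sequence numbers, are this example's own assumptions; sequence-number wraparound and state expiry, which a real sensor must handle, are left out.

```python
"""Toy model of a TCP_Data_Changed-style check (added example, not ISS code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Flow key: sender ip/port and receiver ip/port. Direction matters, because
# data travels one way and the ACKs that move the "acknowledged" boundary
# travel the other. (Layout assumed for this example.)
FlowKey = Tuple[str, int, str, int]


@dataclass
class Segment:
    seq: int      # sequence number of the first byte of data
    data: bytes


@dataclass
class FlowState:
    segments: List[Segment] = field(default_factory=list)  # data not yet fully ACKed
    last_ack: Optional[int] = None  # highest ACK number seen from the receiver


class DataChangedDetector:
    def __init__(self) -> None:
        self.flows: Dict[FlowKey, FlowState] = {}
        self.alerts: List[Tuple[FlowKey, int, int]] = []  # (flow, overlap_start, overlap_end)

    def observe_ack(self, flow: FlowKey, ack: int) -> None:
        """Record an ACK from the receiver and forget data it fully covers."""
        st = self.flows.setdefault(flow, FlowState())
        if st.last_ack is None or ack > st.last_ack:   # wraparound ignored in this toy
            st.last_ack = ack
            st.segments = [s for s in st.segments if s.seq + len(s.data) > ack]

    def observe_data(self, flow: FlowKey, seq: int, data: bytes) -> bool:
        """Record a data segment; return True if it triggered an alert."""
        st = self.flows.setdefault(flow, FlowState())
        end = seq + len(data)
        fired = False
        for old in st.segments:
            old_end = old.seq + len(old.data)
            lo, hi = max(seq, old.seq), min(end, old_end)
            if lo >= hi:
                continue  # no byte range in common
            if old.data[lo - old.seq:hi - old.seq] == data[lo - seq:hi - seq]:
                continue  # plain retransmission: identical bytes, nothing to report
            # Window-probe exception from the help text: differing data that
            # precedes the currently acknowledged sequence number is not alerted.
            if st.last_ack is not None and hi <= st.last_ack:
                continue
            self.alerts.append((flow, lo, hi))
            fired = True
        st.segments.append(Segment(seq, data))
        return fired


# Constructed flow used by all scenarios below.
FLOW: FlowKey = ("10.0.0.5", 40000, "192.0.2.10", 80)


def window_probe_scenario(sensor_sees_ack: bool) -> bool:
    """100 bytes sent, receiver ACKs them (maybe unseen by the sensor), then a
    one-byte window probe at an already-ACKed sequence number carrying a
    different byte. Returns whether the detector fired."""
    det = DataChangedDetector()
    det.observe_data(FLOW, 1000, b"A" * 100)   # covers seq 1000..1099
    if sensor_sees_ack:
        det.observe_ack(FLOW, 1100)            # receiver acknowledges everything
    return det.observe_data(FLOW, 1099, b"Z")  # probe at a previously ACKed seq


def partial_ack_scenario() -> Tuple[bool, bool]:
    """Only half the data is ACKed: a differing byte before the ACK point is
    suppressed, differing bytes in unacknowledged data are reported."""
    det = DataChangedDetector()
    det.observe_data(FLOW, 1000, b"A" * 100)
    det.observe_ack(FLOW, 1050)
    probe = det.observe_data(FLOW, 1049, b"Z")   # ends at 1050 <= last_ack: suppressed
    later = det.observe_data(FLOW, 1060, b"ZZ")  # overlaps unACKed bytes: alert
    return probe, later


def retransmission_scenario() -> bool:
    """An identical retransmission overlaps but does not differ: no alert."""
    det = DataChangedDetector()
    det.observe_data(FLOW, 5000, b"hello world")
    return det.observe_data(FLOW, 5000, b"hello world")
```

The two `window_probe_scenario` results are the point of the help text: the same benign probe is silent when the sensor has seen the receiver's ACK and noisy when it has not, which is why a sensor placed where it sees only one direction of a flow (an asymmetric route) will report this signature on healthy traffic.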
