Snort mailing list archives
Re: TCP session without 3-way handshake - Snort 2.9.4.5
From: Russ Combs <rcombs () sourcefire com>
Date: Thu, 16 May 2013 00:07:47 -0400
129:20 is generated when you configure stream5_tcp with require_3whs and detect_anomalies and you get traffic for a session without first seeing the client SYN. require_3whs is configured with a startup delay before this rule will fire. If you don't want those alerts, you can remove require_3whs or disable the rule.

On Wed, May 15, 2013 at 11:09 PM, Greg Williams <gwillia5 () uccs edu> wrote:
What part of the TCP session is not making it? Is there any packet capture? Sounds like a SYN attack, but not really an attack if it's just a few of them. Look at the ACKs and sequence numbers if you have those. They should provide a clue as to what is happening with the handshake. I'll plan on updating my code in a few days and see if I get any hits on this too. I typically have 5000 hosts online at any given time, so I should be able to see the same thing and run a packet capture.

From: Nathan Page [mailto:nwpage () nathanpage com]
Sent: Tuesday, May 14, 2013 7:37 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] TCP session without 3-way handshake - Snort 2.9.4.5

Can someone tell me where I can find out more about the 'TCP session without 3-way handshake' error? I am getting a lot of these.

Thanks
Nathan

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
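For reference, here is what the stream5_tcp configuration Russ describes looks like in a Snort 2.9.x snort.conf, with the setting that produces 129:20 beside the two ways of quieting it. This is an added example, not configuration posted by anyone in the thread; the `policy windows`, `timeout 180` and 180-second startup delay are illustrative values, not recommendations from the list.

```conf
# Snort 2.9.x stream5 example (added here, not from the thread).
# Both preprocessors are required; stream5_global must come first.
preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp no

# --- Configuration that generates GID 129, SID 20 ---
# detect_anomalies enables the 129:* stream anomaly events, and
# require_3whs with no delay means any session whose client SYN was not
# seen (including sessions that were already open when Snort started)
# fires "TCP session without 3-way handshake".
# preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs, timeout 180

# --- Option 1: keep require_3whs, but give it a startup grace period ---
# The optional argument (0-86400 seconds) lets sessions seen in the first
# N seconds after startup be treated as established without a SYN, so the
# pre-existing connections on a busy segment stop alerting. 180 here is an
# assumed value; pick one longer than your typical session lifetime.
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, timeout 180

# --- Option 2: leave require_3whs in place and drop the event itself ---
# suppress applies to the whole sensor; the same line is valid in threshold.conf.
suppress gen_id 129, sig_id 20

# Or, instead of suppressing entirely, rate-limit it so a genuine burst of
# mid-stream traffic from one source is still visible once a minute:
# event_filter gen_id 129, sig_id 20, type limit, track by_src, count 1, seconds 60
```

Option 1 is the better default on a sensor that is restarted often, because the alert keeps its value for traffic that appears mid-stream later (asymmetric routing, a tap that misses one direction, or an evasion attempt), while the startup noise goes away. Suppressing 129:20 outright is appropriate only if require_3whs is being kept for its effect on stream reassembly rather than for the alert.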
Current thread:
- TCP session without 3-way handshake - Snort 2.9.4.5 Nathan Page (May 15)
- Re: TCP session without 3-way handshake - Snort 2.9.4.5 waldo kitty (May 15)
- Re: TCP session without 3-way handshake - Snort 2.9.4.5 Greg Williams (May 15)
- Re: TCP session without 3-way handshake - Snort 2.9.4.5 Russ Combs (May 15)
- Re: TCP session without 3-way handshake - Snort 2.9.4.5 waldo kitty (May 16)
- Re: TCP session without 3-way handshake - Snort 2.9.4.5 Russ Combs (May 17)
- Re: TCP session without 3-way handshake - Snort 2.9.4.5 waldo kitty (May 17)
- Re: TCP session without 3-way handshake - Snort 2.9.4.5 Russ Combs (May 15)