Re: TCP session without 3-way handshake - Snort 2.9.4.5

[Russ Combs <rcombs () sourcefire com>]

129:20 is generated when you configure stream5_tcp with require_3whs
and detect_anomalies and you get traffic for a session without first
seeing the client SYN.  require_3whs is configured with a startup
delay before this rule will fire.  If you don't want those alerts, you
can remove require_3whs or disable the rule.

On Wed, May 15, 2013 at 11:09 PM, Greg Williams <gwillia5 () uccs edu> wrote:
> What part of the TCP session is not making it?  Is there any packet capture?
> Sounds like a SYN attack, but not really an attack if it’s just a few of
> them.  Look at the ACKs and sequence numbers if you have those.  They should
> provide a clue as to what is happening with the handshake.  I’ll plan on
> updating my code in a few days and see if I get any hits on this too.  I
> typically have 5000 hosts online at any given time so I should be able to
> see the same thing and run a packet capture.
>
>
>
> From: Nathan Page [mailto:nwpage () nathanpage com]
> Sent: Tuesday, May 14, 2013 7:37 AM
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] TCP session without 3-way handshake - Snort 2.9.4.5
>
>
>
> Can someone tell me were I can find more out about the ‘TCP session without
> 3-way handshake’ error. I am getting a lot of these.
>
>
>
> Thanks
>
>
>
> Nathan
>
>
> ------------------------------------------------------------------------------
> AlienVault Unified Security Management (USM) platform delivers complete
> security visibility with the essential security capabilities. Easily and
> efficiently configure, manage, and operate all of your security controls
> from a single console and one unified framework. Download a free trial.
> http://p.sf.net/sfu/alienvault_d2d
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort
> news!

------------------------------------------------------------------------------
AlienVault Unified Security Management (USM) platform delivers complete
security visibility with the essential security capabilities. Easily and
efficiently configure, manage, and operate all of your security controls
from a single console and one unified framework. Download a free trial.
http://p.sf.net/sfu/alienvault_d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!