Snort mailing list archives

Re: TCP session without 3-way handshake - Snort 2.9.4.5


From: Russ Combs <rcombs () sourcefire com>
Date: Fri, 17 May 2013 12:01:58 -0400

On Thu, May 16, 2013 at 2:36 PM, waldo kitty <wkitty42 () windstream net> wrote:
> On 5/16/2013 00:07, Russ Combs wrote:
>> 129:20 is generated when you configure stream5_tcp with require_3whs
>> and detect_anomalies and you get traffic for a session without first
>> seeing the client SYN.  require_3whs is configured with a startup
>> delay before this rule will fire.  If you don't want those alerts, you
>> can remove require_3whs or disable the rule.

> is it possible that snort not seeing the initial SYN packet is caused by snort
> having dropped packets for some reason?

Yes, drops can cause this as can starting Snort mid-session.

> what would be the best and easiest way to determine this?

Without a capture, you can rule out drops only if you don't have any.
The start up delay for require_3whs is pretty much essential for live
traffic unless you disable the rule.

--
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
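The decision Russ describes, modelled as an added example that is not Snort's own code: a toy stream5 tracker in which the flow keys, timestamps and the 180-second delay are constructed, and a session that fails require_3whs after the delay is simply left untracked (an assumption about Snort's handling, not something the thread states). It shows why the startup delay matters for traffic already in flight at startup, and that either of the two remedies named in the thread silences 129:20.

```python
from dataclasses import dataclass, field

# gid:sid of the Snort stream5 alert "TCP session without 3-way handshake"
GID_STREAM5, SID_NO_3WHS = 129, 20

@dataclass
class Stream5Model:
    """Toy model (not Snort's code) of when a non-SYN packet raises 129:20."""
    require_3whs: bool = True
    startup_delay: int = 180        # seconds; the require_3whs startup delay
    detect_anomalies: bool = True
    rule_129_20_enabled: bool = True
    start_time: float = 0.0         # when Snort began seeing traffic
    sessions: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def packet(self, ts, key, syn=False):
        """key = (src, sport, dst, dport). Returns the alert raised, if any."""
        if syn:                         # client SYN: a proper session start
            self.sessions.add(key)
            return None
        if key in self.sessions:        # already tracked: nothing to flag
            return None
        # Non-SYN packet on an unknown session: the SYN was dropped or was
        # exchanged before Snort started. The config decides what happens.
        if not self.require_3whs or ts - self.start_time < self.startup_delay:
            self.sessions.add(key)      # picked up midstream, no alert
            return None
        if self.detect_anomalies and self.rule_129_20_enabled:
            alert = (GID_STREAM5, SID_NO_3WHS, key)
            self.alerts.append(alert)
            return alert
        return None                     # assumption: session is not tracked

# Constructed traffic: (timestamp, flow key, is_syn)
FLOW_A = ("10.0.0.5", 51000, "10.0.0.9", 443)   # already live at startup
FLOW_B = ("10.0.0.6", 51001, "10.0.0.9", 443)   # SYN seen normally
FLOW_C = ("10.0.0.7", 51002, "10.0.0.9", 443)   # SYN never seen (dropped)
PACKETS = [(5, FLOW_A, False), (250, FLOW_B, True), (251, FLOW_B, False),
           (300, FLOW_C, False)]

def run(**cfg):
    """Replay PACKETS through a model built with the given options; return alerts."""
    m = Stream5Model(**cfg)
    for ts, key, syn in PACKETS:
        m.packet(ts, key, syn)
    return m.alerts

if __name__ == "__main__":
    print(run())                           # only FLOW_C fires 129:20
    print(run(require_3whs=False))         # remedy 1 from the thread: []
    print(run(rule_129_20_enabled=False))  # remedy 2 from the thread: []
```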

------------------------------------------------------------------------------
AlienVault Unified Security Management (USM) platform delivers complete
security visibility with the essential security capabilities. Easily and
efficiently configure, manage, and operate all of your security controls
from a single console and one unified framework. Download a free trial.
http://p.sf.net/sfu/alienvault_d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
AlienVault Unified Security Management (USM) platform delivers complete
security visibility with the essential security capabilities. Easily and
efficiently configure, manage, and operate all of your security controls
from a single console and one unified framework. Download a free trial.
http://p.sf.net/sfu/alienvault_d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!


Current thread: