Snort mailing list archives

Re: TCP session without 3-way handshake - Snort 2.9.4.5

From: waldo kitty <wkitty42 () windstream net>
Date: Fri, 17 May 2013 13:03:02 -0400

On 5/17/2013 12:01, Russ Combs wrote:

On Thu, May 16, 2013 at 2:36 PM, waldo kitty<wkitty42 () windstream net>  wrote:

On 5/16/2013 00:07, Russ Combs wrote:

129:20 is generated when you configure stream5_tcp with require_3whs
and detect_anomalies and you get traffic for a session without first
seeing the client SYN.  require_3whs is configured with a startup
delay before this rule will fire.  If you don't want those alerts, you
can remove require_3whs or disable the rule.


is it possible that snort not seeing the initial SYN packet is caused by snort
having dropped packets for some reason?


Yes, drops can cause this as can starting Snort mid-session.


it does make sense and i really asked it for the benefit of others... especially 
those just getting started with snort... now the question is if they are reading 
all posts to the list ;) O:)

what would be the best and easiest way to determine this?


Without a capture, you can rule out drops only if you don't have any.
The start up delay for require_3whs is pretty much essential for live
traffic unless you disable the rule.


ahhh... ok... i was kind of expecting to see something about performance 
monitoring in which one might say how to determine how much traffic may be being 
dropped and what one might be able to do to alleviate well known bottlenecks ;)

-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.

------------------------------------------------------------------------------
AlienVault Unified Security Management (USM) platform delivers complete
security visibility with the essential security capabilities. Easily and
efficiently configure, manage, and operate all of your security controls
from a single console and one unified framework. Download a free trial.
http://p.sf.net/sfu/alienvault_d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

TCP session without 3-way handshake - Snort 2.9.4.5 Nathan Page (May 15)
- Re: TCP session without 3-way handshake - Snort 2.9.4.5 waldo kitty (May 15)
- Re: TCP session without 3-way handshake - Snort 2.9.4.5 Greg Williams (May 15)
  - Re: TCP session without 3-way handshake - Snort 2.9.4.5 Russ Combs (May 15)
    - Re: TCP session without 3-way handshake - Snort 2.9.4.5 waldo kitty (May 16)
    - Re: TCP session without 3-way handshake - Snort 2.9.4.5 Russ Combs (May 17)
    - Re: TCP session without 3-way handshake - Snort 2.9.4.5 waldo kitty (May 17)