Snort mailing list archives
Re: TCP session without 3-way handshake - Snort 2.9.4.5
From: waldo kitty <wkitty42 () windstream net>
Date: Fri, 17 May 2013 13:03:02 -0400
On 5/17/2013 12:01, Russ Combs wrote:
> On Thu, May 16, 2013 at 2:36 PM, waldo kitty<wkitty42 () windstream net> wrote:
>> On 5/16/2013 00:07, Russ Combs wrote:
>>> 129:20 is generated when you configure stream5_tcp with require_3whs and detect_anomalies and you get traffic for a session without first seeing the client SYN. require_3whs is configured with a startup delay before this rule will fire. If you don't want those alerts, you can remove require_3whs or disable the rule.
>>
>> is it possible that snort not seeing the initial SYN packet is caused by snort having dropped packets for some reason?
>
> Yes, drops can cause this as can starting Snort mid-session.
it does make sense and i really asked it for the benefit of others... especially those just getting started with snort... now the question is if they are reading all posts to the list ;) O:)
>> what would be the best and easiest way to determine this?
>
> Without a capture, you can rule out drops only if you don't have any. The startup delay for require_3whs is pretty much essential for live traffic unless you disable the rule.
ahhh... ok... i was kind of expecting to see something about performance monitoring in which one might say how to determine how much traffic may be being dropped and what one might be able to do to alleviate well known bottlenecks ;)

-- 
NOTE: No off-list assistance is given without prior approval. Please keep mailing list traffic on the list unless private contact is specifically requested and granted.
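The behaviour Russ describes, modelled as an added example that is not Snort's code and not from anyone on this thread: a flow whose first observed packet is not a client SYN is reported as 129:20, unless it first appears inside the startup window that `require_3whs <seconds>` configures, and dropping a SYN from the trace (waldo's question) produces the same alert as starting mid-session. The packet trace, addresses and ports are constructed for the illustration.

```python
"""Toy model of Snort stream5_tcp's require_3whs + detect_anomalies check.

Added illustration, not Snort's own code. A packet is
(time, src, sport, dst, dport, flags). The first packet seen for a
flow decides whether the handshake was observed: if it is not a pure
SYN, the session began before the sensor saw it (mid-session start or
a dropped SYN). As with `require_3whs <secs>`, flows that first appear
inside the startup window are not reported.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "t src sport dst dport flags")
ALERT_129_20 = "129:20 TCP session without 3-way handshake"

def flow_key(p):
    """Direction-independent key so both sides map to one flow."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a < b else (b, a)

def midstream_alerts(packets, start_delay=180.0):
    """Return (flow_key, alert) for flows seen without a client SYN once
    the startup window (seconds from the first packet) has elapsed."""
    if not packets:
        return []
    packets = sorted(packets, key=lambda p: p.t)
    t0, seen, alerts = packets[0].t, set(), []
    for p in packets:
        k = flow_key(p)
        if k in seen:
            continue
        seen.add(k)
        if p.flags != "S" and p.t - t0 >= start_delay:
            alerts.append((k, ALERT_129_20))
    return alerts

def sample_trace(drop_syn_of_port=None):
    """Constructed trace: one session already in flight when the sensor
    starts (t=5), then two full handshakes. Optionally drop the SYN of the
    flow with the given client port, as a sensor under load might."""
    c, s = "10.0.0.5", "10.0.0.80"
    pkts = [
        Packet(5.0, c, 40001, s, 443, "PA"), Packet(5.1, s, 443, c, 40001, "A"),
        Packet(200.0, c, 40002, s, 443, "S"), Packet(200.1, s, 443, c, 40002, "SA"),
        Packet(200.2, c, 40002, s, 443, "A"),
        Packet(400.0, c, 40003, s, 443, "S"), Packet(400.1, s, 443, c, 40003, "SA"),
        Packet(400.2, c, 40003, s, 443, "A"),
    ]
    return [p for p in pkts
            if not (p.flags == "S" and p.sport == drop_syn_of_port)]
```

With the default 180 s window the in-flight session at t=5 is silent, with `start_delay=0.0` it fires, and removing the SYN of the third flow fires for that flow alone.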