Home page logo
/

snort logo Snort mailing list archives

Re: TCP session without 3-way handshake - Snort 2.9.4.5
From: Russ Combs <rcombs () sourcefire com>
Date: Thu, 16 May 2013 00:07:47 -0400

129:20 is generated when you configure stream5_tcp with require_3whs
and detect_anomalies and you get traffic for a session without first
seeing the client SYN.  require_3whs is configured with a startup
delay before this rule will fire.  If you don't want those alerts, you
can remove require_3whs or disable the rule.

On Wed, May 15, 2013 at 11:09 PM, Greg Williams <gwillia5 () uccs edu> wrote:
What part of the TCP session is not making it?  Is there any packet capture?
Sounds like a SYN attack, but not really an attack if it’s just a few of
them.  Look at the ACKs and sequence numbers if you have those.  They should
provide a clue as to what is happening with the handshake.  I’ll plan on
updating my code in a few days and see if I get any hits on this too.  I
typically have 5000 hosts online at any given time so I should be able to
see the same thing and run a packet capture.



From: Nathan Page [mailto:nwpage () nathanpage com]
Sent: Tuesday, May 14, 2013 7:37 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] TCP session without 3-way handshake - Snort 2.9.4.5



Can someone tell me were I can find more out about the ‘TCP session without
3-way handshake’ error. I am getting a lot of these.



Thanks



Nathan


------------------------------------------------------------------------------
AlienVault Unified Security Management (USM) platform delivers complete
security visibility with the essential security capabilities. Easily and
efficiently configure, manage, and operate all of your security controls
from a single console and one unified framework. Download a free trial.
http://p.sf.net/sfu/alienvault_d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort
news!

------------------------------------------------------------------------------
AlienVault Unified Security Management (USM) platform delivers complete
security visibility with the essential security capabilities. Easily and
efficiently configure, manage, and operate all of your security controls
from a single console and one unified framework. Download a free trial.
http://p.sf.net/sfu/alienvault_d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]