Snort mailing list archives

Re: Question about "stream5: TCP 4-way handshake detected"


From: wkitty42 () windstream net
Date: Wed, 1 Nov 2017 13:23:38 -0400

On 11/01/2017 11:22 AM, agustin larrarte via Snort-users wrote:
> Hi,
> 
> I would like to ask for advice on this alert. We are receiving many alerts from one unique IP address in our environment for this event. We have been looking for documentation or aid online trying to figure out what this alert event means, but we can't find anything Snort related. Is this related to the 4-way TCP close-connection handshake? Why is this alert being triggered?


129:13 is, indeed, the rule for announcing that a "TCP 4-way handshake has been detected"... not any specific part (close connection??) of it.. the whole handshake...

to find out more about what's going on, you need to capture those packets (Wireshark, tcpdump, etc.) and study the sessions... if it is legit traffic, then handle the rule in threshold.conf... if not, reconfigure the problematic system/software or otherwise clean it up if it is not legit for your network...


--
 NOTE: No off-list assistance is given without prior approval.
       *Please keep mailing list traffic on the list unless*
       *a signed and pre-paid contract is in effect with us.*
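As an added illustration of the two outcomes the reply describes (this fragment is not from the original post or from the Snort project), here is what "handle the rule in threshold.conf" looks like for the stream5 event 129:13 once a capture has shown what the host is doing. The address 192.0.2.10 and the interface eth0 are placeholders; the GID/SID pair is the one named in the thread.

```conf
# threshold.conf fragment (added example; 192.0.2.10 is a placeholder for the noisy host)
#
# Capture first, as the reply asks, so the decision is based on the actual sessions:
#   tcpdump -nn -i eth0 -w sessions.pcap 'host 192.0.2.10 and tcp'
#
# Outcome A: the traffic is legitimate but chatty. Keep one alert per source
# every 10 minutes so 129:13 still shows up in the logs without flooding them.
event_filter gen_id 129, sig_id 13, type limit, track by_src, count 1, seconds 600

# Outcome B: the traffic is expected from this single host only (for example a
# known appliance). Silence the event for that source; every other host still
# triggers 129:13. Use either the event_filter above or the suppress below for
# the same GID:SID and source, not both.
# suppress gen_id 129, sig_id 13, track by_src, ip 192.0.2.10
```

threshold.conf only takes effect when it is included from snort.conf (the stock configuration carries an `include threshold.conf` line) and Snort has been restarted or reloaded afterwards. Tracking by source rather than suppressing the SID globally keeps the event visible if a different host starts producing it.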