[Snort-users] stream5 tcp session without 3-say handshake overload

Robert Millott robm at ...16885...
Tue Aug 12 16:08:19 EDT 2014


All
  I am getting so many alerts in my logs it fill up /var/log/message and
shut down snort.  The alert I see most is

stream5: TCP session without 3-way handshake.

I googled it, and everything I find on the "Check_session_hijacking" says
"The default is set to off".  I am not sure why I am getting all these
alert if the default is to off, but more importantly, how do I actually
disable it?
  I am fairly sure I know why I am getting them, and that will take a
longer time to fix, so I just need to disable this alert.  My snort.conf
does not have anything about session_hijacking in it, so I"m not sure If I
just need to add a line to disable it or what.

Details:
Gentoo 3.14.4
Snort 2.9.6.0 GRE (build 47)
Barnyard: 2.1.13 (build 327)
snort is outputting to /var/log/snort.u2 which barnyard is reading and
writing to /var/log/messages
snort.conf:  output unified2: filename snort1.u2, limit 128
barnyard.conf :  output log_syslog_full: sensor_name xxxxxxx, local,
log_priority log_alert, operation_mode default

Any help would be greatly appreciated

-- 
Robert Millott
President, Millott and Associates
(443) 255-3588
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140812/867ea11d/attachment.html>


More information about the Snort-users mailing list