[Snort-users] Question about "stream5: TCP 4-way handshake detected"

agustin larrarte thrudebian at gmail.com
Wed Nov 1 11:22:11 EDT 2017


Hi,

I would like to ask for advice on this alert. We are receiving many alerts
from one unique ip address on our environment for this event. We have been
looking for documentation or aid online trying to figure out what this
alert event means but we can't find anything snort related. Is this related
to the 4 way TCP close connection handshake?  why is this alert being
triggered?

here is a screenshot of snorby showing the alert:

[image: Inline image 1]


thank you, as always
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20171101/ea5f924c/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 120403 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20171101/ea5f924c/attachment.png>


More information about the Snort-users mailing list