[Snort-users] Question about "stream5: TCP 4-way handshake detected"

wkitty42 at windstream.net
Wed Nov 1 13:23:38 EDT 2017


On 11/01/2017 11:22 AM, agustin larrarte via Snort-users wrote:
> Hi,
> 
> I would like to ask for advice on this alert. We are receiving many alerts from 
> one unique IP address in our environment for this event. We have been looking 
> for documentation or aid online trying to figure out what this alert event means, 
> but we can't find anything Snort-related. Is this related to the 4-way TCP close-
> connection handshake? Why is this alert being triggered?


129:13 is, indeed, the rule for announcing that a "TCP 4-way handshake has been 
detected"... not any specific part (close connection??) of it... the whole 
handshake...

To find out more about what's going on, you need to capture those packets 
(wireshark, tcpdump, etc.) and study the sessions... if it is legit traffic, then 
handle the rule in threshold.conf... if not, reconfigure the problematic 
system/software or otherwise clean it up if it is not legit for your network...


-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list unless*
        *a signed and pre-paid contract is in effect with us.*
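An added example, not part of the thread above: the reply says to capture the sessions from that one source and, if they are legitimate, deal with 129:13 in threshold.conf. A TCP "4-way handshake" is RFC 793's simultaneous open, where both ends send a SYN before either answers with SYN/ACK, as opposed to the usual SYN, SYN/ACK, ACK. The script below reads lines in the `tcpdump -nn` format (e.g. `tcpdump -nn -r capture.pcap 'host 198.51.100.7'`), groups segments per endpoint pair, reports which sessions opened with a 4-way handshake, and emits the Snort 2.9 threshold.conf `suppress` / `event_filter` lines for gen_id 129, sig_id 13. The sample lines and addresses are constructed; the regex assumes the `IP src > dst: Flags [..]` layout that tcpdump prints for TCP.

```python
import re
from collections import defaultdict

# One line of "tcpdump -nn" output looks like (constructed example):
#   12:00:00.000100 IP 198.51.100.7.40001 > 192.0.2.10.443: Flags [S], seq 100, ...
# tcpdump flag letters: S = SYN, S. = SYN/ACK, . = ACK only, P = PSH, F = FIN, R = RST
TCPDUMP_RE = re.compile(r"IP6? (\S+) > (\S+): Flags \[([^\]]*)\]")


def parse_tcpdump(lines):
    """Yield (src, dst, flags) for every TCP line tcpdump printed; skip the rest."""
    for line in lines:
        m = TCPDUMP_RE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)


def classify_handshake(segments):
    """Classify how one session (ordered segments of a single endpoint pair) opened.

    '3-way': SYN a->b, SYN/ACK b->a, ACK a->b          (normal open)
    '4-way': SYN a->b, SYN b->a, then SYN/ACK each way (simultaneous open; what
             stream5's "TCP 4-way handshake detected" refers to)
    'other': anything else (mid-stream pickup, RST, retransmits, ...)
    """
    if len(segments) >= 3:
        (a, b, f1), (s2, d2, f2), (s3, d3, f3) = segments[:3]
        if f1 == "S" and (s2, d2, f2) == (b, a, "S.") and (s3, d3, f3) == (a, b, "."):
            return "3-way"
    if len(segments) >= 4:
        (a, b, f1), (s2, d2, f2), (s3, d3, f3), (s4, d4, f4) = segments[:4]
        if (f1 == "S" and (s2, d2, f2) == (b, a, "S")
                and f3 == f4 == "S." and {(s3, d3), (s4, d4)} == {(a, b), (b, a)}):
            return "4-way"
    return "other"


def sessions_from_lines(lines):
    """Group parsed segments by unordered endpoint pair (ip.port, ip.port)."""
    sessions = defaultdict(list)
    for src, dst, flags in parse_tcpdump(lines):
        sessions[frozenset((src, dst))].append((src, dst, flags))
    return sessions


def four_way_peers(lines):
    """Return the endpoint pairs whose session opened with a simultaneous open."""
    return {tuple(sorted(pair))
            for pair, segs in sessions_from_lines(lines).items()
            if classify_handshake(segs) == "4-way"}


def threshold_conf_lines(src_ip, suppress=True):
    """Snort 2.9 threshold.conf syntax for 129:13, keyed on the noisy source IP.

    suppress drops the event entirely for that source; event_filter keeps one
    alert per 60 s per source so the behaviour stays visible without the flood.
    """
    if suppress:
        return f"suppress gen_id 129, sig_id 13, track by_src, ip {src_ip}"
    return ("event_filter gen_id 129, sig_id 13, type limit, track by_src, "
            f"count 1, seconds 60")


# Constructed capture: one normal open, then one simultaneous open from the same host.
SAMPLE = """\
12:00:00.000100 IP 198.51.100.7.40001 > 192.0.2.10.443: Flags [S], seq 100, win 64240, length 0
12:00:00.000200 IP 192.0.2.10.443 > 198.51.100.7.40001: Flags [S.], seq 500, ack 101, win 65535, length 0
12:00:00.000300 IP 198.51.100.7.40001 > 192.0.2.10.443: Flags [.], ack 501, win 64240, length 0
12:00:01.000100 IP 198.51.100.7.40002 > 192.0.2.11.8080: Flags [S], seq 200, win 64240, length 0
12:00:01.000150 IP 192.0.2.11.8080 > 198.51.100.7.40002: Flags [S], seq 900, win 65535, length 0
12:00:01.000200 IP 198.51.100.7.40002 > 192.0.2.11.8080: Flags [S.], seq 200, ack 901, win 64240, length 0
12:00:01.000250 IP 192.0.2.11.8080 > 198.51.100.7.40002: Flags [S.], seq 900, ack 201, win 65535, length 0
""".splitlines()

if __name__ == "__main__":
    for pair, segs in sessions_from_lines(SAMPLE).items():
        print(sorted(pair), classify_handshake(segs))
    print(threshold_conf_lines("198.51.100.7"))
    print(threshold_conf_lines("198.51.100.7", suppress=False))
```

Pipe a real capture in with `tcpdump -nn -r capture.pcap 'host <ip>' | python3 script.py` after swapping `SAMPLE` for `sys.stdin`. A host that keeps producing simultaneous opens is usually a peer-to-peer or hole-punching client, or two systems that both initiate to each other on fixed ports; decide whether that is legitimate before choosing `suppress` over `event_filter`.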


