[Snort-users] Question about "stream5: TCP 4-way handshake detected"
viroemer at cisco.com
Wed Nov 1 13:45:26 EDT 2017
Fairly confident this alert is for the 4-way variant of the typical
|a( syn ) b( ack ) b( syn ) a( ack ) |
however, several years ago, someone noticed some peculiar behavior where
the initiating host (read: client), upon receiving a syn response
(not a syn+ack), would send a |syn+ack| back
to the server; the handshake then tends to look like this:
|a( syn ) b( syn ) a( syn,ack ) b( ack ) |
Which at the time (probably still true), would cause many middleboxes on
a network to reverse the tracking. E.g. now your firewall thinks your
web browser is the server.
I googled a bit, found this which looks to be written by the same
On 11/1/17 1:23 PM, wkitty42 at windstream.net wrote:
> On 11/01/2017 11:22 AM, agustin larrarte via Snort-users wrote:
>> I would like to ask for advice on this alert. We are receiving many
>> alerts from one unique ip address on our environment for this event.
>> We have been looking for documentation or aid online trying to figure
>> out what this alert event means but we can't find anything Snort
>> related. Is this related to the 4-way TCP close connection
>> handshake? Why is this alert being triggered?
> 129:13 is, indeed, the rule for announcing that a "TCP 4-way handshake
> has been detected"... not any specific part (close connection??) of
> it.. the whole handshake...
> to find out more about what's going on, you need to capture those
> packets (wireshark, tcpdump, etc) and study the sessions... if it is
> legit traffic, then handle the rule in threshold.conf... if not,
> reconfigure the problematic system/software or otherwise clean it up
> if it is not legit for your network...
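An added example (not from this thread or from Snort) that tells the three openings discussed above apart from a constructed list of (host, flags) packets and reports when the initiator is the one sending the SYN+ACK, which is what makes a middlebox swap client and server. Hosts are labelled by who sent the first SYN; the sample packet lists are constructed.

```python
# Added example, not code from the thread or from Snort. Classifies the
# opening flag exchange of a TCP session using the three patterns discussed
# above. Hosts are renamed so that "a" is whoever sent the first SYN.

def _flags(s):
    """'syn+ack' -> frozenset({'syn', 'ack'}); case and spacing are ignored."""
    return frozenset(f.strip().lower() for f in s.split("+"))

_PATTERNS = {
    (("a", "syn"), ("b", "syn+ack"), ("a", "ack")): "3-way handshake",
    (("a", "syn"), ("b", "ack"), ("b", "syn"), ("a", "ack")): "4-way handshake (simultaneous open)",
    (("a", "syn"), ("b", "syn"), ("a", "syn+ack"), ("b", "ack")): "4-way handshake (initiator replies SYN+ACK)",
}
_PATTERNS = {tuple((h, _flags(f)) for h, f in k): v for k, v in _PATTERNS.items()}

def normalise(packets):
    """Map the first SYN sender to 'a', the peer to 'b'; flags become frozensets."""
    if not packets or "syn" not in _flags(packets[0][1]):
        raise ValueError("session must start with a SYN")
    names, out = {}, []
    for host, flags in packets:
        if host not in names:
            if len(names) == 2:
                raise ValueError("more than two hosts in one session")
            names[host] = "ab"[len(names)]
        out.append((names[host], _flags(flags)))
    return tuple(out)

def classify(packets):
    """Return (label, initiator, sender of SYN+ACK or None)."""
    label = _PATTERNS.get(normalise(packets), "unrecognised")
    syn_ack = next((h for h, f in packets if _flags(f) == {"syn", "ack"}), None)
    return label, packets[0][0], syn_ack

def tracking_reversed(packets):
    """True when a middlebox that calls the SYN+ACK sender 'the server' would
    end up labelling the real initiator as the server (the case in the mail)."""
    _, initiator, syn_ack = classify(packets)
    return syn_ack is not None and syn_ack == initiator

# Constructed samples: "client" opened the connection in every case.
THREE_WAY = [("client", "syn"), ("server", "syn+ack"), ("client", "ack")]
FOUR_WAY = [("client", "syn"), ("server", "ack"), ("server", "syn"), ("client", "ack")]
PECULIAR = [("client", "syn"), ("server", "syn"), ("client", "syn+ack"), ("server", "ack")]

if __name__ == "__main__":
    for name, pkts in (("3-way", THREE_WAY), ("4-way", FOUR_WAY), ("peculiar", PECULIAR)):
        print(name, classify(pkts), "reversed:", tracking_reversed(pkts))
```

Feeding the flag sequence of a captured session (as the reply above suggests, from wireshark or tcpdump) into `classify` shows which opening triggered 129:13 and whether direction tracking is at risk.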