[Snort-users] Question about "stream5: TCP 4-way handshake detected"

Victor Roemer viroemer at cisco.com
Wed Nov 1 13:45:26 EDT 2017

Fairly confident this alert is for the 4-way variant of the typical 
3-way handshake.

Like so

    a( syn ) b( ack ) b( syn ) a( ack )

however, several years ago, someone noticed some peculiar behavior where 
the initiating host (read client), upon receiving a syn response 
(not a syn+ack), would send a syn+ack back 
to the server; the handshake then tends to look like this:

    a( syn ) b( syn ) a( syn,ack ) b( ack )

Which at the time (probably still true), would cause many middleboxes on 
a network to reverse the tracking. E.g. now your firewall thinks your 
web browser is the server.


I googled a bit, found this which looks to be written by the same 
fellows https://nmap.org/misc/split-handshake.pdf

On 11/1/17 1:23 PM, wkitty42 at windstream.net wrote:
> On 11/01/2017 11:22 AM, agustin larrarte via Snort-users wrote:
>> Hi,
>> I would like to ask for advice on this alert. We are receiving many 
>> alerts from one unique ip address on our environment for this event. 
>> We have been looking for documentation or aid online trying to figure 
>> out what this alert event means but we can't find anything snort 
>> related. Is this related to the 4 way TCP close connection 
>> handshake?  Why is this alert being triggered?
> 129:13 is, indeed, the rule for announcing that a "TCP 4-way handshake 
> has been detected"... not any specific part (close connection??) of 
> it.. the whole handshake...
> to find out more about what's going on, you need to capture those 
> packets (wireshark, tcpdump, etc) and study the sessions... if it is 
> legit traffic, then handle the rule in threshold.conf... if not, 
> reconfigure the problematic system/software or otherwise clean it up 
> if it is not legit for your network...
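The two diagrams above, as an added example that is not part of the thread or of Snort's stream5 code: a small classifier that labels the opening exchange of a flow as the normal 3-way handshake, the 4-way variant, or the split handshake, always keeping the first SYN sender as the client, next to a naive tracker that keys on the first SYN+ACK sender and therefore swaps client and server on the split variant. Hosts, packets and helper names are constructed for the example.

```python
from collections import namedtuple

# Added example, not code from the thread or from Snort: classify the opening
# exchange of a TCP flow and show how a naive "first SYN+ACK sender is the
# server" tracker gets the roles backwards on the split handshake.
Pkt = namedtuple("Pkt", "src dst flags")  # flags: set of TCP flag letters

# Handshake shapes as (side, flags) tuples; 'a' is whoever sent the first SYN.
PATTERNS = {
    "3-way": [("a", "S"), ("b", "AS"), ("a", "A")],
    "4-way": [("a", "S"), ("b", "A"), ("b", "S"), ("a", "A")],   # first diagram
    "split": [("a", "S"), ("b", "S"), ("a", "AS"), ("b", "A")],  # second diagram
}

def _shape(pkts):
    """Reduce packets to (side, sorted SYN/ACK letters) relative to the first SYN sender."""
    if not pkts or "S" not in pkts[0].flags or "A" in pkts[0].flags:
        return None, None, []
    a, b = pkts[0].src, pkts[0].dst
    shape = []
    for p in pkts:
        side = "a" if (p.src, p.dst) == (a, b) else "b"
        shape.append((side, "".join(sorted(set(p.flags) & {"S", "A"}))))
    return a, b, shape

def classify_handshake(pkts):
    """Return (label, client, server). The client is always the first SYN sender."""
    a, b, shape = _shape(pkts)
    if not shape:
        return "no-handshake", None, None
    for label, pat in PATTERNS.items():
        if shape[:len(pat)] == pat:
            return label, a, b
    return "unknown", a, b

def naive_server(pkts):
    """What a tracker that keys on the first SYN+ACK sender would call the server."""
    for p in pkts:
        if {"S", "A"} <= set(p.flags):
            return p.src
    return None

# Constructed sample: the split handshake, real client 10.0.0.5 -> server 10.0.0.80.
SPLIT = [
    Pkt("10.0.0.5", "10.0.0.80", {"S"}),
    Pkt("10.0.0.80", "10.0.0.5", {"S"}),
    Pkt("10.0.0.5", "10.0.0.80", {"S", "A"}),
    Pkt("10.0.0.80", "10.0.0.5", {"A"}),
]

if __name__ == "__main__":
    print(classify_handshake(SPLIT))              # ('split', '10.0.0.5', '10.0.0.80')
    print("naive tracker calls the server:", naive_server(SPLIT))  # 10.0.0.5 (wrong)
```

Running the sample shows the naive tracker naming the browser-side host as the server, which is the middlebox role reversal the reply describes.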
