[Snort-users] Question about "stream5: TCP 4-way handshake detected"

agustin larrarte thrudebian at gmail.com
Thu Nov 2 09:29:15 EDT 2017


thank you!

On Wed, Nov 1, 2017 at 2:45 PM, Victor Roemer via Snort-users <
snort-users at lists.snort.org> wrote:

> Fairly confident this alert is for the 4-way variant of the typical 3-way
> handshake.
>
> Like so
>
> a( syn )
> b( ack )
> b( syn )
> a( ack )
>
> however, several years ago, someone noticed some peculiar behavior where
> the initiating host (read: client), upon receiving a syn response
> (not a syn+ack), would send a syn+ack back to the server; the handshake
> then tends to look like this:
>
> a( syn )
> b( syn )
> a( syn,ack )
> b( ack )
>
> Which at the time (probably still true), would cause many middleboxes on a
> network to reverse the tracking. E.g. now your firewall thinks your web
> browser is the server.
>
> I googled a bit, found this which looks to be written by the same fellows
> https://nmap.org/misc/split-handshake.pdf
>
>
> On 11/1/17 1:23 PM, wkitty42 at windstream.net wrote:
>
> On 11/01/2017 11:22 AM, agustin larrarte via Snort-users wrote:
>
> Hi,
>
> I would like to ask for advice on this alert. We are receiving many alerts
> from one unique IP address in our environment for this event. We have been
> looking for documentation or aid online trying to figure out what this
> alert event means, but we can't find anything Snort-related. Is this related
> to the 4-way TCP close-connection handshake? Why is this alert being
> triggered?
>
>
>
> 129:13 is, indeed, the rule for announcing that a "TCP 4-way handshake has
> been detected"... not any specific part (close connection??) of it.. the
> whole handshake...
>
> to find out more about what's going on, you need to capture those packets
> (wireshark, tcpdump, etc) and study the sessions... if it is legit traffic,
> then handle the rule in threshold.conf... if not, reconfigure the
> problematic system/software or otherwise clean it up if it is not legit for
> your network...
>
>
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.snort.org
> Go to this URL to change user options or unsubscribe:
> https://lists.snort.org/mailman/listinfo/snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
>
>
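The handshake variants described in the quoted reply, worked through as an added example (this is not code from the Snort project or from anyone in this thread): a small Python classifier that reads tcpdump-style lines and labels the opening of a connection as the normal three-way handshake, the four-way open that stream5 reports as 129:13, or the split handshake from the nmap paper. It also contrasts two ways of deciding which side is the server, to show the role reversal the reply mentions. The addresses 10.0.0.5 and 10.0.0.9, the ports, and the packet lines are constructed sample data, not from the thread.

```python
"""Classify TCP handshake variants from tcpdump-style lines and show how a
naive client/server decision is reversed by a split handshake.

Added example for this thread; not code from Snort or from the posters.
All addresses, ports and packet lines below are constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Matches the "IP src.port > dst.port: Flags [..]" part of `tcpdump -n`
# output; timestamps, seq/ack numbers and window sizes are ignored.
LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


@dataclass(frozen=True)
class Segment:
    src: str   # "ip:port" of the sender
    dst: str   # "ip:port" of the receiver
    syn: bool
    ack: bool


def parse_tcpdump(lines: List[str]) -> List[Segment]:
    """Turn tcpdump lines into Segments; non-matching lines are skipped."""
    segs = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        flags = m.group("flags")   # tcpdump notation: S = SYN, . = ACK
        segs.append(Segment(
            src=f"{m.group('src')}:{m.group('sport')}",
            dst=f"{m.group('dst')}:{m.group('dport')}",
            syn="S" in flags,
            ack="." in flags,
        ))
    return segs


def _code(seg: Segment) -> str:
    if seg.syn and seg.ack:
        return "SA"
    return "S" if seg.syn else ("A" if seg.ack else "-")


# Opening sequences, written relative to A = sender of the first SYN.
PATTERNS = {
    "three-way": ("A:S", "B:SA", "A:A"),
    "four-way":  ("A:S", "B:A", "B:S", "A:A"),   # what stream5 reports as 129:13
    "split":     ("A:S", "B:S", "A:SA", "B:A"),  # the nmap split-handshake paper
}


def classify(segs: List[Segment]) -> str:
    """Label the connection opening, or return 'unknown'."""
    if not segs or not segs[0].syn or segs[0].ack:
        return "unknown"
    initiator = segs[0].src
    shape = tuple(f"{'A' if s.src == initiator else 'B'}:{_code(s)}" for s in segs)
    for name, pattern in PATTERNS.items():
        if shape[:len(pattern)] == pattern:
            return name
    return "unknown"


def naive_roles(segs: List[Segment]) -> Optional[Tuple[str, str]]:
    """(client, server) by the rule 'whoever sends SYN+ACK is the server'.

    In a split handshake the *client* sends the SYN+ACK, so this rule comes
    out reversed; a four-way open has no SYN+ACK at all, so it cannot decide.
    """
    for s in segs:
        if s.syn and s.ack:
            return s.dst, s.src
    return None


def syn_first_roles(segs: List[Segment]) -> Optional[Tuple[str, str]]:
    """(client, server) by the rule 'whoever sends the first bare SYN is the client'."""
    for s in segs:
        if s.syn and not s.ack:
            return s.src, s.dst
    return None


# Constructed sample captures (assumed addresses, not from the thread).
A, B = "10.0.0.5.51234", "10.0.0.9.80"


def _pkt(src: str, dst: str, flags: str) -> str:
    return f"09:29:15.000001 IP {src} > {dst}: Flags [{flags}], seq 1, win 65535, length 0"


THREE_WAY = [_pkt(A, B, "S"), _pkt(B, A, "S."), _pkt(A, B, ".")]
FOUR_WAY = [_pkt(A, B, "S"), _pkt(B, A, "."), _pkt(B, A, "S"), _pkt(A, B, ".")]
SPLIT = [_pkt(A, B, "S"), _pkt(B, A, "S"), _pkt(A, B, "S."), _pkt(B, A, ".")]


def report(lines: List[str]) -> dict:
    segs = parse_tcpdump(lines)
    return {"kind": classify(segs), "naive": naive_roles(segs), "syn_first": syn_first_roles(segs)}


if __name__ == "__main__":
    for name, lines in (("three-way", THREE_WAY), ("four-way", FOUR_WAY), ("split", SPLIT)):
        print(name, report(lines))
```

Run directly, it prints the label and both role decisions for each constructed capture; for real data, feed it `tcpdump -n 'tcp and host <addr>'` output from the host raising the alerts. In the split case the SYN+ACK rule names 10.0.0.5 (the initiator) as the server, which is the reversal described in the reply, while the first-SYN rule keeps the roles straight. If the captures show the traffic is legitimate, Snort 2.x's threshold.conf accepts `suppress gen_id 129, sig_id 13, track by_src, ip <addr>` to silence that one source, or `event_filter gen_id 129, sig_id 13, type limit, track by_src, count 1, seconds 3600` to rate-limit it rather than hide it entirely.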

