[kdepim-users] Snort "TCP session without 3-way handshake" warning

Paul Sobey buddha at the-annexe.net
Wed Apr 16 14:39:35 BST 2014

On Thursday 10 Apr 2014 21:56:51 Peter Humphrey wrote:
> On Thursday 10 Apr 2014 20:59:23 Peter Humphrey wrote:
> > On Thursday 10 Apr 2014 16:51:50 Paul Sobey wrote:
> --->8
> > > Without seeing more it's hard to be sure, but I wonder if your network
> > > card
> > > is doing some sort of tcp offload such that snort doesn't see the entire
> > > traffic stream? I've seen offload upset packet analysers a few times.
> It hadn't occurred to me to associate what I was seeing with that.
> > Now you mention it, I have seen something about commanding the card not to
> > be clever that way. I'll see if I can track it down.
> It was in the snort manual.pdf. I just had to emerge sys-apps/ethtool and
> create /etc/local.d/gro-off.start with one line:
> /usr/sbin/ethtool -K eth0 gro off
> Now I get this instead:
> # cat /var/log/snort/alert
> [**] [142:1:1] (POP) Unknown POP3 command [**]
> [Classification: Generic Protocol Command Decode] [Priority: 3]
> 04/10-21:30:35.925720 ->
> TCP TTL:64 TOS:0x0 ID:47021 IpLen:20 DgmLen:299 DF
> ***AP*** Seq: 0x9D6A4A5E  Ack: 0x3C8C1B36  Win: 0xE5  TcpLen: 32
> TCP Options (3) => NOP NOP TS: 376569443 20763012
> I can't see what the POP3 command is that it's complaining about. I googled
> and all I could find is that I have to add port 110 to the stream5
> preprocessor ports command, but it's already in that list.

If you're doing POP3 over TLS then Snort just gets to see encrypted garbage, 
and can't do any POP3 inspection. I'd disable that rule completely. What are 
you trying to achieve with Snort? In general it requires a fair bit of tuning 
to cut out false positives. If you're only worried about internet facing 
threats you might consider cutting out traffic on your internal interface(s).
KDE PIM users mailing list
Subscription management: https://mail.kde.org/mailman/listinfo/kdepim-users

More information about the kdepim-users mailing list