[kdepim-users] Snort "TCP session without 3-way handshake" warning
peter at prh.myzen.co.uk
Thu Apr 10 20:59:23 BST 2014
On Thursday 10 Apr 2014 16:51:50 Paul Sobey wrote:
> On Wednesday 09 Apr 2014 10:23:32 Peter Humphrey wrote:
> > I'm running KMail 4.11.5 on a Gentoo amd64 box. One of my accounts is a
> > POP3 connection to my LAN server. I installed snort on the server
> > yesterday, and now I get warnings like this in the snort alert log:
> > [**] [129:20:1] TCP session without 3-way handshake [**]
> > [Classification: Potentially Bad Traffic] [Priority: 2]
> > 04/09-10:13:39.343914 192.168.0.6:49854 -> 192.168.0.2:22
> > TCP TTL:64 TOS:0x10 ID:37404 IpLen:20 DgmLen:104 DF
> > ***AP*** Seq: 0xF037D897 Ack: 0x8F8FE3C5 Win: 0x152 TcpLen: 32
> > TCP Options (3) => NOP NOP TS: 249552861 325460764
> > The IPs are this box, 192.168.0.6, and the server, 192.168.0.2, which is
> > running dovecot 2.2.9 to serve POP3 e-mails.
> > Do I need to set something in KMail, or is this a bug - or is snort being
> > too pernickety? I have nearly 5MB of logs from snort already.
> The fragment you cite above is to tcp/22 which is ssh, not pop3 (unless you
> have things configured differently than the norm).
So it is. KMail sets itself up to use STARTTLS for collecting mail from
dovecot on the server; I assume that's the reason.
> Without seeing more it's hard to be sure, but I wonder if your network card
> is doing some sort of tcp offload such that snort doesn't see the entire
> traffic stream? I've seen offload upset packet analysers a few times.
Now you mention it, I have seen something about commanding the card not to be
clever that way. I'll see if I can track it down.
Thanks for the idea.
KDE PIM users mailing list
Subscription management: https://mail.kde.org/mailman/listinfo/kdepim-users
More information about the kdepim-users