[kdepim-users] Snort "TCP session without 3-way handshake" warning

Peter Humphrey peter at prh.myzen.co.uk
Thu Apr 10 21:56:51 BST 2014


On Thursday 10 Apr 2014 20:59:23 Peter Humphrey wrote:
> On Thursday 10 Apr 2014 16:51:50 Paul Sobey wrote:
--->8
> > Without seeing more it's hard to be sure, but I wonder if your network
> > card
> > is doing some sort of tcp offload such that snort doesn't see the entire
> > traffic stream? I've seen offload upset packet analysers a few times.

It hadn't occurred to me to associate what I was seeing with that.

> Now you mention it, I have seen something about commanding the card not to
> be clever that way. I'll see if I can track it down.

It was in the snort manual.pdf. I just had to emerge sys-apps/ethtool and 
create /etc/local.d/gro-off.start with one line:

/usr/sbin/ethtool -K eth0 gro off

Now I get this instead:

# cat /var/log/snort/alert
[**] [142:1:1] (POP) Unknown POP3 command [**]
[Classification: Generic Protocol Command Decode] [Priority: 3] 
04/10-21:30:35.925720 192.168.0.6:45334 -> 192.168.0.2:110
TCP TTL:64 TOS:0x0 ID:47021 IpLen:20 DgmLen:299 DF
***AP*** Seq: 0x9D6A4A5E  Ack: 0x3C8C1B36  Win: 0xE5  TcpLen: 32
TCP Options (3) => NOP NOP TS: 376569443 20763012 

I can't see what the POP3 command is that it's complaining about. I googled 
and all I could find is that I have to add port 110 to the stream5 preprocessor 
ports command, but it's already in that list.

-- 
Regards
Peter

_______________________________________________
KDE PIM users mailing list
Subscription management: https://mail.kde.org/mailman/listinfo/kdepim-users



More information about the kdepim-users mailing list