[kdepim-users] Snort "TCP session without 3-way handshake" warning
peter at prh.myzen.co.uk
Thu Apr 10 21:56:51 BST 2014
On Thursday 10 Apr 2014 20:59:23 Peter Humphrey wrote:
> On Thursday 10 Apr 2014 16:51:50 Paul Sobey wrote:
> > Without seeing more it's hard to be sure, but I wonder if your network card
> > is doing some sort of tcp offload such that snort doesn't see the entire
> > traffic stream? I've seen offload upset packet analysers a few times.
> It hadn't occurred to me to associate what I was seeing with that.
> Now you mention it, I have seen something about commanding the card not to
> be clever that way. I'll see if I can track it down.
It was in the snort manual.pdf. I just had to emerge sys-apps/ethtool and
create /etc/local.d/gro-off.start with one line:
/usr/sbin/ethtool -K eth0 gro off
Now I get this instead:
# cat /var/log/snort/alert
[**] [142:1:1] (POP) Unknown POP3 command [**]
[Classification: Generic Protocol Command Decode] [Priority: 3]
04/10-21:30:35.925720 192.168.0.6:45334 -> 192.168.0.2:110
TCP TTL:64 TOS:0x0 ID:47021 IpLen:20 DgmLen:299 DF
***AP*** Seq: 0x9D6A4A5E Ack: 0x3C8C1B36 Win: 0xE5 TcpLen: 32
TCP Options (3) => NOP NOP TS: 376569443 20763012
I can't see what the POP3 command is that it's complaining about. I googled
and all I could find is that I have to add port 110 to the stream5 preprocessor
ports command, but it's already in that list.
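The GRO-off step above is the one the thread settles on, but a sensor box usually has several offloads switched on, and ethtool refuses to change a feature it reports as "[fixed]". The script below is an added example, not code from the post or from the Snort project: it reads the `ethtool -k IFACE` feature list, picks out the offloads that are on and changeable, and prints the single `ethtool -K` line to put in a local.d start script. Extending the check from GRO to LRO, TSO and GSO is my assumption (GRO and LRO are the two the Snort manual names; TSO/GSO are added here because they also alter what a passive tap sees). The sample feature list is constructed so the script runs offline; with an interface name and ethtool installed it reads the live list instead.

```shell
#!/bin/sh
# Added example: find which offloads are on for a Snort sniffing interface and
# build the matching "ethtool -K ... off" command. Not part of the original post.

# Offloads to disable on a sensor interface. GRO is what the thread turns off;
# lro, tso and gso are an assumption added here.
OFFLOADS="gro lro tso gso"

# Constructed sample of `ethtool -k eth0` output (one feature per line,
# "name: on|off", with "[fixed]" marking features that cannot be changed).
SAMPLE_ETHTOOL_K='Features for eth0:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on'

# Map the short names accepted by `ethtool -K` to the long names `ethtool -k` prints.
feature_name() {
    case "$1" in
        gro) echo generic-receive-offload ;;
        lro) echo large-receive-offload ;;
        tso) echo tcp-segmentation-offload ;;
        gso) echo generic-segmentation-offload ;;
        *)   echo "$1" ;;
    esac
}

# offloads_to_disable TEXT: print, one per line, the short names from
# $OFFLOADS that TEXT reports as "on" and not "[fixed]".
offloads_to_disable() {
    text=$1
    for short in $OFFLOADS; do
        long=$(feature_name "$short")
        state=$(printf '%s\n' "$text" | grep "^[[:space:]]*$long:" | head -n 1)
        case "$state" in
            *": on"*"[fixed]"*) ;;          # on, but the driver will not let us change it
            *": on"*) echo "$short" ;;      # on and changeable: disable it
            *) ;;                           # off, or not listed for this NIC
        esac
    done
}

# build_ethtool_cmd IFACE TEXT: print the ethtool -K command that disables every
# offload offloads_to_disable reports, or nothing if none needs changing.
build_ethtool_cmd() {
    iface=$1
    text=$2
    cmd="ethtool -K $iface"
    n=0
    for short in $(offloads_to_disable "$text"); do
        cmd="$cmd $short off"
        n=$((n + 1))
    done
    if [ "$n" -gt 0 ]; then
        echo "$cmd"
    fi
    return 0
}

# Usage: ./offload-check.sh eth0   (needs ethtool; -K itself needs root).
# With no interface given, run against the constructed sample.
if [ -n "$1" ] && command -v ethtool >/dev/null 2>&1; then
    build_ethtool_cmd "$1" "$(ethtool -k "$1")"
else
    build_ethtool_cmd eth0 "$SAMPLE_ETHTOOL_K"
fi
```

Against the sample list this prints `ethtool -K eth0 gro off tso off gso off`; LRO is skipped because the driver reports it fixed, which is exactly the case where blindly running `ethtool -K eth0 lro off` would fail and abort a start script. Put the printed line in the local.d script the way the post does, and re-run the check after a kernel or driver upgrade, since the set of available and fixed features can change.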
KDE PIM users mailing list
Subscription management: https://mail.kde.org/mailman/listinfo/kdepim-users