Hi! Should I worry? The FortiGate device produces hundreds of email warnings about Syncthing. It's open-source peer-to-peer file synchronization software. In the log messages of that detection, I see my own IP addresses. I use Syncthing to synchronize and back up my data. Is there any way to stop Intrusion Detection alerting about Syncthing only?
Can you post the entire security log? It depends on the attack vector. Most likely it's a benign anomaly that we can exclude, but let's make sure before moving forward...
Created on 09-21-2022 01:03 AM Edited on 09-21-2022 01:04 AM
I'm trying to post log, but it vanishes after page refresh.
Message meets Alert condition
The following intrusion was observed: TCP.Split.Handshake.
date=2022-09-20 time=18:21:56 devname=xxxx devid=FG100Fxxxxxx eventtime=1663687316097382582 tz="+0300" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="medium" srcip=10.1.1.14 srccountry="Reserved" dstip=xx.xxx.xxx.xxx dstcountry="Ukraine" srcintf="VLAN0010" srcintfrole="lan" dstintf="port13" dstintfrole="wan" sessionid=288131202 action="detected" proto=6 service="tcp/22000" policyid=1 poluuid="486f3e06-ae54-51eb-39f1-f318f6c2e4ea" policytype="policy" attack="TCP.Split.Handshake" srcport=22000 dstport=22000 direction="outgoing" attackid=26339 profile="default" ref="hxxp://www.fortinet.com/ids/VID26339" incidentserialno=245276736 msg="a-ipdf: TCP.Split.Handshake, TCP split handshake at state: ESTABLISHED" crscore=10 craction=16384 crlevel="medium"
Alright, looks like it's originating from your network. Most likely not an attack and just the way in which this device initiates TCP connections. Refer to the link in the log message for more info. There's another link on that page with further info.
https://www.fortiguard.com/encyclopedia/ips/26339
To suppress these messages you could create a custom IPS profile for this traffic direction that excludes the TCP.Split.Handshake signature from logging.
But I don't know how to properly configure the custom IPS profile.
The documentation explains how to do it: https://docs.fortinet.com/document/fortigate/7.2.2/administration-guide/213498/signature-based-defen...
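Before excluding the signature, it is worth checking that every alert really has the Syncthing shape seen in the log above (an internal source, TCP 22000 on both ends, outgoing), so that a TCP.Split.Handshake hit from somewhere else is not silenced along with it. The Python below is an added example written for this page; it is not code from the thread, from Fortinet or from the Syncthing project. The log lines are constructed, and the 10.1.1.0/24 LAN, Syncthing's default port 22000 and attack ID 26339 (taken from the quoted alert) are assumptions for the example.

```python
"""Triage FortiGate IPS alerts: separate Syncthing-shaped TCP.Split.Handshake
hits from anything else that deserves a look before the signature is excluded."""
import ipaddress
import re

# Constructed sample log lines (not real captures). The first is modelled on the
# alert quoted in the thread, with the public address replaced by documentation space.
SAMPLE_LOGS = [
    'date=2022-09-20 time=18:21:56 devname=fgt1 logid="0419016384" type="utm" '
    'subtype="ips" eventtype="signature" level="alert" severity="medium" '
    'srcip=10.1.1.14 dstip=198.51.100.7 srcintfrole="lan" dstintfrole="wan" '
    'action="detected" proto=6 service="tcp/22000" attack="TCP.Split.Handshake" '
    'srcport=22000 dstport=22000 direction="outgoing" attackid=26339 '
    'msg="a-ipdf: TCP.Split.Handshake, TCP split handshake at state: ESTABLISHED"',
    # Same signature, but inbound from the internet to an internal HTTPS service:
    # not the Syncthing pattern, so it must not be swept up by the exclusion.
    'date=2022-09-20 time=18:30:01 devname=fgt1 type="utm" subtype="ips" '
    'srcip=203.0.113.9 dstip=10.1.1.20 srcintfrole="wan" dstintfrole="lan" '
    'action="detected" proto=6 service="HTTPS" attack="TCP.Split.Handshake" '
    'srcport=51234 dstport=443 direction="incoming" attackid=26339',
    # Syncthing ports on both ends, but the source is not one of our own hosts.
    'date=2022-09-20 time=18:31:12 devname=fgt1 type="utm" subtype="ips" '
    'srcip=192.0.2.44 dstip=10.1.1.14 srcintfrole="wan" dstintfrole="lan" '
    'action="detected" proto=6 service="tcp/22000" attack="TCP.Split.Handshake" '
    'srcport=22000 dstport=22000 direction="incoming" attackid=26339',
]

# FortiGate logs are space-separated key=value pairs; values containing spaces are quoted.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_log(line):
    """Return the key=value pairs of one log line as a dict of strings."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


# Assumptions for this example: the poster's LAN and Syncthing's default sync port.
OWN_NETWORKS = [ipaddress.ip_network("10.1.1.0/24")]
SYNCTHING_PORT = "22000"
SPLIT_HANDSHAKE_ID = "26339"   # attackid from the alert quoted in the thread


def is_own_host(ip):
    """True when the address lies inside one of our own networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OWN_NETWORKS)


def classify(event):
    """'syncthing-noise' when every field matches the benign pattern, else 'review'."""
    if event.get("attackid") != SPLIT_HANDSHAKE_ID:
        return "review"          # a different signature fired; out of scope here
    syncthing_shaped = (
        event.get("proto") == "6"
        and event.get("srcport") == SYNCTHING_PORT
        and event.get("dstport") == SYNCTHING_PORT
        and event.get("direction") == "outgoing"
        and event.get("srcintfrole") == "lan"
        and is_own_host(event.get("srcip", "0.0.0.0"))
    )
    return "syncthing-noise" if syncthing_shaped else "review"


def triage(lines):
    """Map each log line to (verdict, srcip, dstip, dstport)."""
    out = []
    for line in lines:
        ev = parse_fortigate_log(line)
        out.append((classify(ev), ev.get("srcip"), ev.get("dstip"), ev.get("dstport")))
    return out


if __name__ == "__main__":
    for verdict, src, dst, port in triage(SAMPLE_LOGS):
        print(f"{verdict:16} {src} -> {dst}:{port}")
```

Run over the three constructed lines, only the first is classed as Syncthing noise; the other two keep the same attack ID but differ in port or source and stay flagged for review. That is the argument for the approach in the reply above: exclude the signature only in a custom IPS profile applied to the policy that carries this traffic, rather than disabling it for every direction.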
Copyright 2024 Fortinet, Inc. All Rights Reserved.