Syncthing application and TCP.Split.Handshake
Hi! Should I worry, the Fortigate device produces hundreds of email warnings about Syncthing? It's Open Source peer-to-peer file synchronization software. In the log messages of that detection, I see my own IP addresses. I use Syncthing to synchronize and backup my data. Is there any way to stop Intrusion Detection alerting about Syncthing only?
Labels: FortiGate
Can you post the entire security log? Depends on the attack vector. Most likely it's a benign anomaly that we can exclude but let's make sure before moving forward...
Graham
Created on 09-21-2022 01:03 AM Edited on 09-21-2022 01:04 AM
I'm trying to post log, but it vanishes after page refresh.
Message meets Alert condition
The following intrusion was observed: TCP.Split.Handshake.
date=2022-09-20 time=18:21:56 devname=xxxx devid=FG100Fxxxxxx eventtime=1663687316097382582 tz="+0300" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="medium" srcip=10.1.1.14 srccountry="Reserved" dstip=xx.xxx.xxx.xxx dstcountry="Ukraine" srcintf="VLAN0010" srcintfrole="lan" dstintf="port13" dstintfrole="wan" sessionid=288131202 action="detected" proto=6 service="tcp/22000" policyid=1 poluuid="486f3e06-ae54-51eb-39f1-f318f6c2e4ea" policytype="policy" attack="TCP.Split.Handshake" srcport=22000 dstport=22000 direction="outgoing" attackid=26339 profile="default" ref="hxxp://www.fortinet.com/ids/VID26339" incidentserialno=245276736 msg="a-ipdf: TCP.Split.Handshake, TCP split handshake at state: ESTABLISHED" crscore=10 craction=16384 crlevel="medium"
Alright, looks like it's originating from your network. Most likely not an attack and just the way in which this device initiates TCP connections. Refer to the link in the log message for more info. There's another link on that page with further info.
https://www.fortiguard.com/encyclopedia/ips/26339
To suppress these messages you could create a custom IPS profile for this traffic direction that excludes the TCP.Split.Handshake signature from logging.
Graham
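Before excluding a signature from logging it is worth confirming, over the whole batch of alerts, that every hit really fits the benign pattern described above (internal source host, outgoing direction, Syncthing's port 22000 on both sides) and that nothing else is hiding behind the same signature. The script below is an added triage example, not code from the thread, Fortinet or the Syncthing project. It parses the FortiGate key=value log format shown in the thread and sorts alerts into "expected Syncthing noise" and "still needs a look". The sample log lines are constructed (the first mirrors the anonymised alert posted above, the second is an invented inbound hit from a TEST-NET address), and the set of known Syncthing hosts is an assumption you would replace with your own.

```python
import ipaddress
import re

# FortiGate logs are space-separated key=value pairs; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SYNCTHING_PORT = 22000  # Syncthing's default TCP sync port

# Assumption: the internal hosts on which you actually run Syncthing.
KNOWN_SYNCTHING_HOSTS = {"10.1.1.14"}

# Constructed sample, modelled on the alert posted in the thread (anonymised values kept).
SAMPLE_ALERT = (
    'date=2022-09-20 time=18:21:56 devname=xxxx devid=FG100Fxxxxxx type="utm" subtype="ips" '
    'eventtype="signature" level="alert" severity="medium" srcip=10.1.1.14 dstip=xx.xxx.xxx.xxx '
    'srcintf="VLAN0010" srcintfrole="lan" dstintf="port13" dstintfrole="wan" action="detected" '
    'proto=6 service="tcp/22000" attack="TCP.Split.Handshake" srcport=22000 dstport=22000 '
    'direction="outgoing" attackid=26339 profile="default" '
    'msg="a-ipdf: TCP.Split.Handshake, TCP split handshake at state: ESTABLISHED"'
)

# Constructed counter-example: same signature, but inbound from an external address to a
# non-Syncthing port. This must NOT be treated as Syncthing noise.
UNEXPECTED_ALERT = (
    'date=2022-09-20 time=18:30:01 type="utm" subtype="ips" eventtype="signature" '
    'srcip=203.0.113.7 dstip=10.1.1.14 action="detected" proto=6 attack="TCP.Split.Handshake" '
    'srcport=51234 dstport=445 direction="incoming" attackid=26339 profile="default"'
)


def parse_fortigate_log(line):
    """Return the key=value pairs of one FortiGate log line as a dict (quotes stripped)."""
    return {key: raw.strip('"') for key, raw in KV_RE.findall(line)}


def is_expected_syncthing_alert(fields, known_hosts):
    """True when a TCP.Split.Handshake hit matches the benign Syncthing pattern:
    a known private-range source host, outgoing, and port 22000 on both ends."""
    if fields.get("attack") != "TCP.Split.Handshake":
        return False
    try:
        src = ipaddress.ip_address(fields.get("srcip", ""))
        ports = {int(fields.get("srcport", -1)), int(fields.get("dstport", -1))}
    except ValueError:
        return False  # malformed or anonymised field: do not auto-classify as benign
    if not src.is_private or str(src) not in known_hosts:
        return False
    if fields.get("direction") != "outgoing":
        return False
    return ports == {SYNCTHING_PORT}


def triage(lines, known_hosts):
    """Split a batch of alert lines into (expected Syncthing noise, alerts to review)."""
    expected, review = [], []
    for line in lines:
        fields = parse_fortigate_log(line)
        if is_expected_syncthing_alert(fields, known_hosts):
            expected.append(fields)
        else:
            review.append(fields)
    return expected, review


if __name__ == "__main__":
    noise, needs_review = triage([SAMPLE_ALERT, UNEXPECTED_ALERT], KNOWN_SYNCTHING_HOSTS)
    print(f"expected Syncthing alerts: {len(noise)}, alerts to review: {len(needs_review)}")
    for f in needs_review:
        print("REVIEW:", f.get("srcip"), "->", f.get("dstip"), f.get("dstport"), f.get("direction"))
```

Run it over the exported IPS log instead of the two embedded samples; if everything lands in the "expected" bucket, a custom IPS profile that stops logging the signature for that policy is a reasonable next step, whereas anything in the "review" bucket is a reason to keep the signature logging as it is.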
But I don't know how to properly configure the custom IPS profile.
The documentation explains how to do it: https://docs.fortinet.com/document/fortigate/7.2.2/administration-guide/213498/signature-based-defen...
Graham