Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
sceliphron
New Contributor II

Syncthing application and TCP.Split.Handshake

Hi! Should I worry, the Fortigate device produces hundreds of email warnings about Syncthing? It's Open Source peer-to-peer file synchronization software. In the log messages of that detection, I see my own IP addresses. I use Syncthing to synchronize and backup my data. Is there any way to stop Intrusion Detection alerting about Syncthing only?

7 REPLIES 7
gfleming
Staff
Staff

Can you post the entire security log? Depends on the attack vector. Most likely it's a benign anomaly that we can exclude but let's make sure before moving forward...

Cheers,
Graham
sceliphron
New Contributor II

I'm trying to post log, but it vanishes after page refresh.

sceliphron
New Contributor II

syncthing.png

sceliphron
New Contributor II

Message meets Alert condition
The following intrusion was observed: TCP.Split.Handshake.
date=2022-09-20 time=18:21:56 devname=xxxx devid=FG100Fxxxxxx eventtime=1663687316097382582 tz="+0300" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="medium" srcip=10.1.1.14 srccountry="Reserved" dstip=xx.xxx.xxx.xxx dstcountry="Ukraine" srcintf="VLAN0010" srcintfrole="lan" dstintf="port13" dstintfrole="wan" sessionid=288131202 action="detected" proto=6 service="tcp/22000" policyid=1 poluuid="486f3e06-ae54-51eb-39f1-f318f6c2e4ea" policytype="policy" attack="TCP.Split.Handshake" srcport=22000 dstport=22000 direction="outgoing" attackid=26339 profile="default" ref="hxxp://www.fortinet.com/ids/VID26339" incidentserialno=245276736 msg="a-ipdf: TCP.Split.Handshake, TCP split handshake at state: ESTABLISHED" crscore=10 craction=16384 crlevel="medium"

gfleming
Staff
Staff

Alright looks like it's originiating from your network. MOst likely not an attack and just the way in which this device initiates TCP connections. Refer to the link in the log message for more info. There's another link on that page with further info.

https://www.fortiguard.com/encyclopedia/ips/26339

 

To suppress these messages you could create a custom IPS profile for this traffic direction that excludes the TCP.Split.Handshake signature from logging.

Cheers,
Graham
sceliphron
New Contributor II

But I don't know how to properly configure the custom IPS profile.

gfleming