Nikhil_lavate87
New Contributor

TCP.Split.Handshake type alert

Message meets Alert condition

The following intrusion was observed: TCP.Split.Handshake.

date=2018-10-23 time=18:00:56 devname=FG200D3916815028 devid=FG200D3916815028 logid=0419016384 type=utm subtype=ips eventtype=signature level=alert vd=root severity=medium srcip=23.234.39.77 srccountry="United States" dstip=172.16.10.38 srcintf="wan1" dstintf="port16" policyid=13 sessionid=71453405 action=detected proto=6 service="ca.vsign.in_http" attack="TCP.Split.Handshake" srcport=13633 dstport=8999 direction=outgoing attackid=26339 profile="all_default" ref="http://www.fortinet.com/ids/VID26339" incidentserialno=257015217 msg="a-ipdf: TCP.Split.Handshake, TCP split handshake at state: ESTABLISHED" crscore=10 crlevel=medium  

1 REPLY
tanr
Valued Contributor II

What's your question? 

 

Per the link, this is a protocol anomaly often used as an attack or for recon.

Per the log you posted you have it set to detect but not block. 

 

 

You may want to update your IPS Security Profile to block anomalies like this.  
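As an added example (not part of the original thread and not Fortinet tooling): a small Python script that parses IPS log lines in the key=value layout shown in the post and counts signatures logged with action=detected, the detect-but-not-block condition the reply points out. The sample lines, the profile name `example_block_profile`, and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the key=value layout of the log in the post
# (documentation addresses, shortened field set); not real traffic.
SAMPLE_LOGS = [
    'date=2018-10-23 time=18:00:56 type=utm subtype=ips level=alert srcip=198.51.100.7 '
    'dstip=192.0.2.38 policyid=13 action=detected attack="TCP.Split.Handshake" '
    'profile="all_default" msg="a-ipdf: TCP.Split.Handshake, TCP split handshake at state: ESTABLISHED"',
    'date=2018-10-23 time=18:04:12 type=utm subtype=ips level=alert srcip=198.51.100.9 '
    'dstip=192.0.2.38 policyid=13 action=detected attack="TCP.Split.Handshake" '
    'profile="all_default" msg="a-ipdf: TCP.Split.Handshake, TCP split handshake at state: ESTABLISHED"',
    # Same signature under a hypothetical profile that blocks it
    'date=2018-10-23 time=18:05:40 type=utm subtype=ips level=alert srcip=198.51.100.7 '
    'dstip=192.0.2.40 policyid=14 action=dropped attack="TCP.Split.Handshake" '
    'profile="example_block_profile" msg="a-ipdf: TCP.Split.Handshake"',
    # Non-IPS line, must be ignored
    'date=2018-10-23 time=18:06:01 type=traffic subtype=forward srcip=192.0.2.38 '
    'dstip=198.51.100.7 policyid=13 action=accept',
]

# A value is either a double-quoted string (may contain spaces) or a bare token.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Split one key=value log line into a dict, unquoting quoted values."""
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def detect_only_signatures(lines):
    """Count IPS events logged with action=detected (seen but not blocked)."""
    hits = Counter()
    for line in lines:
        f = parse_line(line)
        if f.get("subtype") != "ips" or f.get("action") != "detected":
            continue
        hits[(f.get("attack"), f.get("profile"), f.get("policyid"))] += 1
    return hits


if __name__ == "__main__":
    for (attack, profile, policy), n in detect_only_signatures(SAMPLE_LOGS).items():
        print(f"{attack}: {n} event(s) detected but not blocked "
              f"(profile={profile}, policy={policy})")
```

The profile and policy ID in each result show which IPS Security Profile and firewall policy to review when changing a signature from detect to block.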
