Message meets Alert condition
The following intrusion was observed: TCP.Split.Handshake.
date=2018-10-23 time=18:00:56 devname=FG200D3916815028 devid=FG200D3916815028 logid=0419016384 type=utm subtype=ips eventtype=signature level=alert vd=root severity=medium srcip=23.234.39.77 srccountry="United States" dstip=172.16.10.38 srcintf="wan1" dstintf="port16" policyid=13 sessionid=71453405 action=detected proto=6 service="ca.vsign.in_http" attack="TCP.Split.Handshake" srcport=13633 dstport=8999 direction=outgoing attackid=26339 profile="all_default" ref="http://www.fortinet.com/ids/VID26339" incidentserialno=257015217 msg="a-ipdf: TCP.Split.Handshake, TCP split handshake at state: ESTABLISHED" crscore=10 crlevel=medium
What's your question?
Per the link, this is a protocol anomaly often used as an attack or for recon.
Per the log you posted, you have it set to detect but not block.
You may want to update your IPS Security Profile to block anomalies like this.
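An added example, not part of the original thread or of any Fortinet tooling: a small parser for the key=value log format shown in the post that tallies IPS events logged with action=detected (seen but not blocked) per attack, policy and profile. The first sample line is abridged from the posted log; the second line, including its signature name, profile name and addresses, is constructed for contrast.

```python
import re
from collections import Counter

# key=value pairs; a value is either double-quoted (may contain spaces) or a bare token
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

# Line 1: abridged from the log posted above. Line 2: constructed for contrast.
SAMPLE = [
    'date=2018-10-23 time=18:00:56 type=utm subtype=ips eventtype=signature '
    'level=alert severity=medium srcip=23.234.39.77 srccountry="United States" '
    'dstip=172.16.10.38 policyid=13 action=detected proto=6 '
    'attack="TCP.Split.Handshake" dstport=8999 profile="all_default" '
    'msg="a-ipdf: TCP.Split.Handshake, TCP split handshake at state: ESTABLISHED"',
    'date=2018-10-23 time=18:05:00 type=utm subtype=ips eventtype=signature '
    'srcip=192.0.2.10 dstip=198.51.100.20 policyid=7 action=dropped '
    'attack="Constructed.Sample.Signature" profile="constructed_profile"',
]


def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, value in KV.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def detect_only(lines):
    """Count IPS events logged with action=detected, per (attack, policyid, profile)."""
    hits = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev.get("subtype") == "ips" and ev.get("action") == "detected":
            hits[(ev.get("attack"), ev.get("policyid"), ev.get("profile"))] += 1
    return hits


if __name__ == "__main__":
    for (attack, policy, profile), n in detect_only(SAMPLE).items():
        print(f"{n}x {attack}: policy {policy}, profile {profile} -> detect only")
```

The policy and profile in each result point to the IPS sensor whose action would need changing from detect to block.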
Copyright 2024 Fortinet, Inc. All Rights Reserved.