Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
sceliphron
New Contributor II

Created on ‎09-20-2022 08:44 AM

Syncthing application and TCP.Split.Handshake

Hi! Should I worry, the Fortigate device produces hundreds of email warnings about Syncthing? It's Open Source peer-to-peer file synchronization software. In the log messages of that detection, I see my own IP addresses. I use Syncthing to synchronize and backup my data. Is there any way to stop Intrusion Detection alerting about Syncthing only?

Labels:
1347
0 Kudos
7 REPLIES 7
gfleming
Staff
Staff

Created on ‎09-20-2022 10:41 AM

Can you post the entire security log? Depends on the attack vector. Most likely it's a benign anomaly that we can exclude but let's make sure before moving forward...

Cheers,
Graham
1338
0 Kudos
sceliphron
New Contributor II
In response to gfleming

Created on ‎09-21-2022 01:03 AM Edited on ‎09-21-2022 01:04 AM

I'm trying to post log, but it vanishes after page refresh.

1319
0 Kudos
sceliphron
New Contributor II
In response to gfleming

Created on ‎09-21-2022 01:14 AM

syncthing.png

1309
0 Kudos
sceliphron
New Contributor II

Created on ‎09-21-2022 01:10 AM

Message meets Alert condition
The following intrusion was observed: TCP.Split.Handshake.
date=2022-09-20 time=18:21:56 devname=xxxx devid=FG100Fxxxxxx eventtime=1663687316097382582 tz="+0300" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="medium" srcip=10.1.1.14 srccountry="Reserved" dstip=xx.xxx.xxx.xxx dstcountry="Ukraine" srcintf="VLAN0010" srcintfrole="lan" dstintf="port13" dstintfrole="wan" sessionid=288131202 action="detected" proto=6 service="tcp/22000" policyid=1 poluuid="486f3e06-ae54-51eb-39f1-f318f6c2e4ea" policytype="policy" attack="TCP.Split.Handshake" srcport=22000 dstport=22000 direction="outgoing" attackid=26339 profile="default" ref="hxxp://www.fortinet.com/ids/VID26339" incidentserialno=245276736 msg="a-ipdf: TCP.Split.Handshake, TCP split handshake at state: ESTABLISHED" crscore=10 craction=16384 crlevel="medium"

1283
0 Kudos
gfleming
Staff
Staff

Created on ‎09-21-2022 08:34 AM

Alright looks like it's originiating from your network. MOst likely not an attack and just the way in which this device initiates TCP connections. Refer to the link in the log message for more info. There's another link on that page with further info.

https://www.fortiguard.com/encyclopedia/ips/26339

 

To suppress these messages you could create a custom IPS profile for this traffic direction that excludes the TCP.Split.Handshake signature from logging.

Cheers,
Graham
1299
sceliphron
New Contributor II
In response to gfleming

Created on ‎11-02-2022 06:53 AM

But I don't know how to properly configure the custom IPS profile.

1247
0 Kudos
gfleming
Staff
Staff
In response to sceliphron

Created on ‎11-02-2022 08:30 AM

The documentation explains how to do it: https://docs.fortinet.com/document/fortigate/7.2.2/administration-guide/213498/signature-based-defen...

Cheers,
Graham
1245
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.