[Snort-users] Alert explanations

Martin Roesch roesch at ...1935...
Wed Aug 11 13:40:06 EDT 2004


Those are anomaly notifications coming from Snort's preprocessors; 
they're pretty self-explanatory.  "Possible retransmission" means that 
the stream reassembler thinks it has seen the packet before and is 
letting you know (this can be someone trying to evade the stream 
reassembler/IDS).  "Overlapping fragment" messages are from the IP 
defragmenter; it's telling you that it's seeing fragments that overlap, 
which is another anomaly and a possible indication that someone is 
trying to evade your IDS.

We should probably go through and document all the events that can be 
generated by the preprocessors one of these days...

      -Marty


On Aug 8, 2004, at 10:39 PM, Sean Brown wrote:

> Over the past few days, I'm seeing a lot of 'Possible RETRANSMISSION
> detection' and 'Overlapping new fragment (probable fragroute)' showing
> up. I looked for a good explanation of what might be going on, but
> nothing really jumped out, so are there any good sites that I could go
> to to read up on these things?
>
> Thanks
> -Sean Brown
-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
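
An added example (not part of the original message and not Snort's own code) of the two conditions described above: fragments of one datagram whose byte ranges overlap, and TCP segments that cover sequence space already seen. The record layouts, function names and sample traffic are constructed for illustration; the identical/conflicting distinction goes beyond what the message states, and TCP sequence wraparound is ignored.

```python
from collections import defaultdict

def overlapping_fragments(fragments):
    """Return (datagram_key, earlier_range, new_range) for every fragment whose
    byte range intersects a fragment already seen for the same datagram."""
    seen = defaultdict(list)              # datagram key -> [(start, end), ...]
    alerts = []
    for src, dst, ip_id, proto, offset, length in fragments:
        key = (src, dst, ip_id, proto)    # fields that identify one datagram
        new = (offset, offset + length)
        for old in seen[key]:
            if new[0] < old[1] and old[0] < new[1]:   # half-open ranges intersect
                alerts.append((key, old, new))
        seen[key].append(new)
    return alerts

def repeated_segments(segments):
    """Return (flow, seq, kind) for every segment covering sequence space
    already seen on that flow; kind is 'identical' or 'conflicting'."""
    seen = defaultdict(dict)              # flow -> {sequence number: byte value}
    alerts = []
    for flow, seq, payload in segments:
        stream = seen[flow]
        dup = [(seq + i, b) for i, b in enumerate(payload) if seq + i in stream]
        if dup:
            same = all(stream[pos] == b for pos, b in dup)
            alerts.append((flow, seq, "identical" if same else "conflicting"))
        for i, b in enumerate(payload):
            stream.setdefault(seq + i, b)  # keep the first copy of each byte
    return alerts

# Constructed sample traffic (documentation addresses, made-up payloads).
FRAGS = [
    ("192.0.2.10", "198.51.100.5", 0x1234, 6, 0, 24),
    ("192.0.2.10", "198.51.100.5", 0x1234, 6, 24, 24),
    ("192.0.2.10", "198.51.100.5", 0x1234, 6, 16, 16),  # overlaps both above
    ("192.0.2.10", "198.51.100.5", 0x1235, 6, 0, 24),   # different datagram
]
FLOW = ("192.0.2.10", 40000, "198.51.100.5", 80)
SEGS = [
    (FLOW, 1000, b"GET /ind"),
    (FLOW, 1008, b"ex.html "),
    (FLOW, 1008, b"ex.html "),   # same bytes again: plain retransmission
    (FLOW, 1004, b"XXXX"),       # same sequence space, different bytes
]

if __name__ == "__main__":
    print(overlapping_fragments(FRAGS))
    print(repeated_segments(SEGS))
```

An identical repeat is what ordinary packet loss and retransmission produce, so on its own it is weak evidence; repeated sequence space carrying different bytes is the case worth triaging first.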




