[Snort-users] Retransmitted packets
jh at ...1935...
Mon Apr 18 14:04:11 EDT 2005
On Mon, Apr 18, Hin wrote:
> I have observed a lot of retransmitted packets on my network. Could
> it possibly be the reason why Snort records duplicate alerts? How does
> Snort work with retransmitted packets? Any help would be appreciated.
Yes, this could be the reason you are seeing duplicate alerts. Snort
will currently process duplicated (retransmitted) TCP packets twice.
If one packet triggers an alert, then the retransmitted one will also
trigger an alert.
This will be addressed in Stream5, but only with streams that are
being reassembled. We're not saving packet info on the other streams.
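
Since each retransmitted packet is alerted on again, the duplicates can be collapsed when alerts are reviewed. The following is an added example, not part of the original post and not Snort code: the `Alert` fields, the window value and the sample records are constructed assumptions.

```python
from collections import namedtuple

# Hypothetical alert record; these field names are assumptions, not a Snort format.
# sid = rule that fired, seq = TCP sequence number, plen = TCP payload length.
Alert = namedtuple("Alert", "ts sid src sport dst dport seq plen")

def collapse_retransmit_alerts(alerts, window=3.0):
    """Split alerts into (unique, duplicates).

    An alert counts as a retransmission duplicate when the same rule fired on
    the same flow direction with the same TCP sequence number and payload
    length no more than `window` seconds after the previous alert with that
    key. The window slides, so a chain of backed-off retransmits collapses
    into the first alert. A retransmission that is re-segmented (different
    plen) is not matched by this exact-key check.
    """
    last_seen = {}
    unique, duplicates = [], []
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.sid, a.src, a.sport, a.dst, a.dport, a.seq, a.plen)
        prev = last_seen.get(key)
        if prev is not None and a.ts - prev <= window:
            duplicates.append(a)
        else:
            unique.append(a)
        last_seen[key] = a.ts
    return unique, duplicates

# Constructed sample data: one segment retransmitted twice, plus look-alikes
# that must NOT be collapsed.
SAMPLE = [
    Alert(0.00, 1000001, "10.0.0.5", 40000, "10.0.0.9", 80, 1000, 120),
    Alert(0.21, 1000001, "10.0.0.5", 40000, "10.0.0.9", 80, 1000, 120),   # retransmit
    Alert(0.63, 1000001, "10.0.0.5", 40000, "10.0.0.9", 80, 1000, 120),   # retransmit
    Alert(0.70, 1000001, "10.0.0.5", 40000, "10.0.0.9", 80, 1120, 120),   # next segment
    Alert(0.05, 1000001, "10.0.0.6", 40000, "10.0.0.9", 80, 1000, 120),   # other host
    Alert(100.0, 1000001, "10.0.0.5", 40000, "10.0.0.9", 80, 1000, 120),  # outside window
]

if __name__ == "__main__":
    unique, duplicates = collapse_retransmit_alerts(SAMPLE)
    print(f"{len(unique)} unique alerts, {len(duplicates)} retransmission duplicates")
    for d in duplicates:
        print(f"  duplicate: sid={d.sid} {d.src}:{d.sport} -> {d.dst}:{d.dport} seq={d.seq}")
```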