[Snort-users] Retransmitted packets

Jeremy Hewlett jh at ...1935...
Mon Apr 18 14:04:11 EDT 2005


On Mon, Apr 18, Hin wrote:
> I have observed a lot of retransmitted packets on my network. Could
> it possibly be the reason why Snort records duplicate alerts? How does
> Snort work with retransmitted packets? Any help would be appreciated.

Yes, this could be the reason you are seeing duplicate alerts. Snort
will currently process duplicated (retransmitted) TCP packets twice.
If one packet triggers an alert, then the retransmitted one will also
trigger an alert.

This will be addressed in Stream5, but only with streams that are
being reassembled. We're not saving packet info on the other streams.
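
Added example, not part of the original message and not Snort code: one way to fold the duplicate alerts described above during triage, assuming each alert record carries the rule ID, the flow endpoints, the TCP sequence number and the payload length. The `Alert` record layout, field names and sample values are constructed for illustration.

```python
from collections import namedtuple

# Constructed record layout; the field names are assumptions for this example,
# not a Snort output format.
Alert = namedtuple("Alert", "ts sid src sport dst dport seq paylen")

# Constructed sample alerts (timestamps in seconds).
SAMPLE_ALERTS = [
    Alert(100.000, 1000001, "10.0.0.5", 40000, "10.0.0.9", 80, 0x1A2B3C4D, 512),
    Alert(100.210, 1000001, "10.0.0.5", 40000, "10.0.0.9", 80, 0x1A2B3C4D, 512),  # retransmission
    Alert(100.650, 1000001, "10.0.0.5", 40000, "10.0.0.9", 80, 0x1A2B3C4D, 512),  # second retransmission
    Alert(101.000, 1000001, "10.0.0.5", 40000, "10.0.0.9", 80, 0x1A2B3E4D, 512),  # next segment, same rule
    Alert(101.100, 1000002, "10.0.0.7", 40100, "10.0.0.9", 80, 0x00000010, 100),
    Alert(400.000, 1000002, "10.0.0.7", 40100, "10.0.0.9", 80, 0x00000010, 100),  # same key, outside window
]


def collapse_retransmissions(alerts, window=60.0):
    """Fold alerts raised by retransmitted copies of one TCP segment.

    Two alerts are treated as the same event when the rule, the directed
    4-tuple, the TCP sequence number and the payload length all match and
    the later one arrives within `window` seconds of the first. The window
    keeps port reuse or sequence wraparound much later from being folded in.
    Returns a list of (first_alert, duplicate_count) in time order.
    """
    latest_group = {}  # key -> index of the most recent group for that key
    groups = []        # [first_alert, duplicate_count]
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.sid, a.src, a.sport, a.dst, a.dport, a.seq, a.paylen)
        idx = latest_group.get(key)
        if idx is not None and a.ts - groups[idx][0].ts <= window:
            groups[idx][1] += 1          # retransmitted copy: count it, keep one alert
        else:
            latest_group[key] = len(groups)
            groups.append([a, 0])        # first sighting, or outside the window
    return [(first, dups) for first, dups in groups]


if __name__ == "__main__":
    for first, dups in collapse_retransmissions(SAMPLE_ALERTS):
        print(f"{first.ts:8.3f} sid={first.sid} seq={first.seq:#010x} duplicates={dups}")
```

The duplicate count is kept rather than discarded, since a high retransmission rate on a flow is itself worth noting during triage.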



