[Snort-users] Logging retransmitted pkts.

Matt Kettler mkettler at ...4108...
Tue Feb 1 13:20:19 EST 2005


At 09:33 PM 1/31/2005, Mike Mestnik wrote:
>I see this as being one more field in the connection table for the current
>end of the window.  If we see data less than this number it's old data
>being sent again.

True. As I said, you might be able to hack snort's stream4 to do this.

However, since it has nothing to do with intrusion detection, it really has 
nothing to do with Snort's purpose in life. Hence, it's a waste of memory 
and CPU time for Snort to check for this, no matter how small the overhead.

Don't get me wrong in thinking I'm saying such a patch is useless. It 
would be useful for network analysis and monitoring, but it's not useful to 
an IDS.

I think the main reason such a tool does not exist is visible when you look 
at the market of existing products:

I know of no sniffers other than IDS's that maintain any sort of state table at 
all. tcpdump, ethereal, etc. are stateless. Thus, plain "packet dump" tools 
can't do this. They are trying to be fast and easily readable, nothing more.

Many IDS's are stateful, but are focused on a completely different mission 
and need to be tuned to be as fast as possible for that mission. Thus IDS's 
won't do this because it slightly hurts their performance and offers no 
benefit in terms of their actual purpose.

I don't know of any "stateful network performance analysis" products, which 
is where such a tool as you describe would fit. Perhaps there is such a 
tool out there, but it's not within my knowledge.
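The bookkeeping Mike describes (one extra per-connection field holding the highest sequence number seen, with any data below it flagged as a resend) is small enough to show in full. The following is an added example written for this archive page, not code from the thread, from Snort's stream4, or from any existing sniffer; the `Segment` fields, the flow key, and the sample traffic are all constructed assumptions. It goes slightly beyond the thread by handling 32-bit sequence wrap-around and by separating exact resends from partial overlaps and from gaps.

```python
"""Stateful TCP retransmission detector (added example, not from the thread)."""
from dataclasses import dataclass

SEQ_MOD = 1 << 32          # TCP sequence numbers are 32-bit and wrap


@dataclass(frozen=True)
class Segment:
    """One TCP segment; the fields are a constructed simplification of a real header."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int      # sequence number of the first payload byte
    length: int   # payload length in bytes


def seq_lt(a: int, b: int) -> bool:
    """True if a precedes b in 32-bit sequence space (correct across wrap-around)."""
    return (a - b) % SEQ_MOD >= 0x80000000


class RetransmissionDetector:
    """Keeps, per one-directional flow, the highest sequence number seen so far.

    This is the 'one more field in the connection table' idea: a segment whose
    data lies entirely below that high-water mark carries bytes the sniffer has
    already seen, so it is reported as a retransmission.

    Caveat: a single high-water mark cannot tell reordering from retransmission.
    If a segment arrives ahead of a hole ("gap" below), the late segment that
    later fills the hole is also reported as a retransmission.  A full
    implementation would track the holes as well as the mark.
    """

    def __init__(self) -> None:
        self.high_water = {}   # (src, sport, dst, dport) -> end seq of highest data seen

    def classify(self, seg: Segment) -> str:
        if seg.length == 0:
            return "empty"            # pure ACK / control segment, nothing to compare
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        seg_end = (seg.seq + seg.length) % SEQ_MOD
        mark = self.high_water.get(key)
        if mark is None:
            self.high_water[key] = seg_end
            return "new"
        if not seq_lt(seg.seq, mark):
            # seg.seq >= mark: nothing in this segment was seen before
            self.high_water[key] = seg_end
            return "new" if seg.seq == mark else "gap"
        if seq_lt(mark, seg_end):
            # starts below the mark but extends past it: partial retransmission
            self.high_water[key] = seg_end
            return "partial-retransmission"
        return "retransmission"


def classify_all(segments):
    """Run one detector over a segment list and return a label per segment."""
    det = RetransmissionDetector()
    return [det.classify(s) for s in segments]


# Constructed sample traffic: one flow with an exact resend, an overlap and a
# gap, plus a second flow whose sequence numbers wrap past 2^32.
SAMPLE = [
    Segment("10.0.0.1", 40000, "10.0.0.2", 80, 1000, 100),
    Segment("10.0.0.1", 40000, "10.0.0.2", 80, 1100, 100),
    Segment("10.0.0.1", 40000, "10.0.0.2", 80, 1100, 100),      # exact resend
    Segment("10.0.0.1", 40000, "10.0.0.2", 80, 1150, 100),      # overlaps 1150-1200
    Segment("10.0.0.1", 40000, "10.0.0.2", 80, 1400, 50),       # skips 1250-1400
    Segment("10.0.0.3", 5555, "10.0.0.4", 443, 0xFFFFFFF0, 32),
    Segment("10.0.0.3", 5555, "10.0.0.4", 443, 16, 10),
    Segment("10.0.0.3", 5555, "10.0.0.4", 443, 0xFFFFFFF0, 32), # resend across wrap
]

if __name__ == "__main__":
    for seg, label in zip(SAMPLE, classify_all(SAMPLE)):
        print(f"{seg.src}:{seg.sport} seq={seg.seq} len={seg.length} -> {label}")
```

The per-flow table is the whole cost of the feature: one integer per direction of each tracked connection plus one comparison per data segment, which is the overhead the message above argues an IDS should not pay but a monitoring tool happily would.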
