Re: Retransmited packets

[Jeremy Hewlett <jh () sourcefire com>]

On Mon, Apr 18, Hin wrote:
> I have observed a lot of retransmited packets on my network. Could
> it possiblely the reason why Snort record duplicate alerts? How does
> Snort works with retransmit packets? Any help would be appreciate

Yes, this could be the reason you are seeing duplicate alerts. Snort
will currently process duplicated (retransmitted) TCP packets twice.
If one packet triggers an alert, then the retransmitted one will also
trigger an alert.

This will be addressed in Stream5, but only with streams that are
being reassembled. We're not saving packet info on the other streams.


-------------------------------------------------------
This SF.Net email is sponsored by: New Crystal Reports XI.
Version 11 adds new functionality designed to reduce time involved in
creating, integrating, and deploying reporting solutions. Free runtime info,
new features, or free trial, at: http://www.businessobjects.com/devxi/728
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users