Snort mailing list archives
Re: Any issues with dup packets on snort?
From: <barryab63-ia () yahoo com>
Date: Wed, 30 Nov 2005 00:11:40 -0800 (PST)
barryab63-ia () yahoo com wrote:

Date: Wed, 30 Nov 2005 00:09:31 -0800 (PST)
From: <barryab63-ia () yahoo com>
Subject: Re: [Snort-users] Any issues with dup packets on snort?
To: Jason Haar <Jason.Haar () trimble co nz>

I think we'd need a little more information on this one. Can you give us an example of how the switch monitoring ports are feeding the snort interface? Depending on the setup this could be normal. I'd try to avoid it because it's just more data you have to wade through. But, depending on your setup it might be unavoidable.

Barry

Jason Haar <Jason.Haar () trimble co nz> wrote:

Hi there

We have a range of switches being used within our network for port monitoring, and a couple have had to be set up in such a way that you can end up seeing each packet TWICE on the snort interface. I've been told by our network engineers that this has to be the case in order for the IDS to see the networks it needs to on one card.

i.e.

src-ip->dst-ip SYN
dst-ip->src-ip SYN-ACK

actually looks like

src-ip->dst-ip SYN
src-ip->dst-ip SYN
dst-ip->src-ip SYN-ACK
dst-ip->src-ip SYN-ACK

Anyway, I have no problem with that, and snort "seems" to be happy too.

Can someone confirm that duplicate packets aren't a problem? That worst-case should be duplicate alerts?

Thanks

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
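One way to measure how much of a sensor's feed consists of mirrored copies like those described in the message above, as an added example that is not part of the original thread or of Snort. The 5 ms window, the masking of TTL and header checksum, the helper names and the sample packets are all assumptions constructed for illustration.

```python
import hashlib
import struct

WINDOW = 0.005  # seconds; assumed upper bound on the gap between mirrored copies

def ipv4_tcp(src, dst, ip_id, flags, ttl=64):
    """Build a constructed 40-byte IPv4+TCP packet (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0, ttl, 6, 0,
                     bytes(src), bytes(dst))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, 0x50, flags, 8192, 0, 0)
    return ip + tcp

def fingerprint(pkt):
    """Hash an IPv4 packet with TTL and header checksum zeroed, so a copy
    mirrored after a routed hop still matches the original."""
    buf = bytearray(pkt)
    buf[8] = 0                 # TTL
    buf[10:12] = b"\x00\x00"   # IPv4 header checksum
    return hashlib.sha256(bytes(buf)).digest()

def find_duplicates(records, window=WINDOW):
    """Return indexes of packets that repeat an earlier one within `window`.
    `records` is a time-ordered list of (timestamp_seconds, ipv4_bytes)."""
    first_seen = {}
    dups = []
    for i, (ts, pkt) in enumerate(records):
        fp = fingerprint(pkt)
        if fp in first_seen and ts - first_seen[fp] <= window:
            dups.append(i)          # mirrored copy
        else:
            first_seen[fp] = ts     # new packet, or same bytes seen much later
    return dups

def duplicate_ratio(records, window=WINDOW):
    """Fraction of the feed that is duplicate traffic."""
    return len(find_duplicates(records, window)) / len(records) if records else 0.0

# Constructed sample mirroring the SYN / SYN-ACK pattern from the message.
A, B = (10, 0, 0, 1), (10, 0, 0, 2)
SYN, SYNACK = 0x02, 0x12
SAMPLE = [
    (0.0000, ipv4_tcp(A, B, 1, SYN)),
    (0.0001, ipv4_tcp(A, B, 1, SYN)),             # mirrored copy
    (0.0100, ipv4_tcp(B, A, 7, SYNACK)),
    (0.0101, ipv4_tcp(B, A, 7, SYNACK, ttl=63)),  # copy seen after a routed hop
    (3.0000, ipv4_tcp(A, B, 1, SYN)),             # same bytes, outside the window
]

if __name__ == "__main__":
    print(find_duplicates(SAMPLE), duplicate_ratio(SAMPLE))
```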
Current thread:
- Any issues with dup packets on snort? Jason Haar (Nov 29)
- Re: Any issues with dup packets on snort? G Ramon Gomez (Nov 30)
- <Possible follow-ups>
- Re: Any issues with dup packets on snort? barryab63-ia (Nov 30)
- Re: Any issues with dup packets on snort? Richard Bejtlich (Nov 30)
- Re: Any issues with dup packets on snort? Jason Haar (Nov 30)