Snort mailing list archives
Re: How snort handles several copies of the same packet?
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 24 Oct 2012 09:49:27 -0400
On Oct 24, 2012, at 4:48 AM, elof () sentor se wrote:
I know that snort only generates ONE alert even if the mirrored traffic
see the same packet twice or more:
...like before and after a router:
x:x:x:x:x:x y:y:y:y:y:y 1.1.1.1:1234 -> 2.2.2.2:80 ipid 3333, TTL 60
y:y:y:y:y:y z:z:z:z:z:z 1.1.1.1:1234 -> 2.2.2.2:80 ipid 3333, TTL 59
^^^^^^^^^^^^^^^^^^^^^^^ ^^
...or tcp retransmissions:
x:x:x:x:x:x y:y:y:y:y:y 1.1.1.1:1234 -> 2.2.2.2:80 ipid 3333, TTL 60
x:x:x:x:x:x y:y:y:y:y:y 1.1.1.1:1234 -> 2.2.2.2:80 ipid 3334, TTL 60
x:x:x:x:x:x y:y:y:y:y:y 1.1.1.1:1234 -> 2.2.2.2:80 ipid 3335, TTL 60
^^^^
...or two *exact* duplicates of every packet due to faulty SPAN:
x:x:x:x:x:x y:y:y:y:y:y 1.1.1.1:1234 -> 2.2.2.2:80 ipid 3333, TTL 60
x:x:x:x:x:x y:y:y:y:y:y 1.1.1.1:1234 -> 2.2.2.2:80 ipid 3333, TTL 60
Only having one alert in the above cases is really nice, but I wonder:
Can someone describe how this is done and what is happening in snort, both
on the individual packet level, and in stream5?
How does snort detect and filter out these "duplicates"?
Which packets are disregarded and which are kept?
Everything is analyzed independently. I've seen the problem commonly at many sites. Filtering out the duplicate traffic on a span is important for optimum performance. -- Joel Esler Senior Research Engineer, VRT OpenSource Community Manager Sourcefire
------------------------------------------------------------------------------ Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_sfd2d_oct
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- How snort handles several copies of the same packet? elof (Oct 24)
- Re: How snort handles several copies of the same packet? Joel Esler (Oct 24)
- Re: How snort handles several copies of the same packet? elof (Oct 24)
- Re: How snort handles several copies of the same packet? Joel Esler (Oct 24)
- Re: How snort handles several copies of the same packet? elof (Oct 24)
- Re: How snort handles several copies of the same packet? Russ Combs (Oct 24)
- Re: [Snort-users] How snort handles several copies of the same packet? elof (Oct 26)
- Re: [Snort-users] How snort handles several copies of the same packet? Russ Combs (Oct 26)
- Re: How snort handles several copies of the same packet? elof (Oct 24)
- Re: How snort handles several copies of the same packet? Joel Esler (Oct 24)