[Snort-users] snot processes packets twice?

Russ Combs rcombs at ...1935...
Thu Jun 28 09:23:51 EDT 2012


Glad you got it working.  Thanks for following up with the resolution.

On Wed, Jun 27, 2012 at 11:11 PM, <jorbru30 at ...5068...> wrote:

> Hi Rmkml, Russ,
>
> I think I resolved the issue after a number of trials. The issue was with
> my deployment. I was routing the traffic instead of switching.
>
> Here is a more elaborate description of my deployment.
>
> A <-> eth0(192.168.100.1) <-> eth1(192.168.200.1) <-> B
>
> A generates HTTP traffic and routes it to eth0 (A's gateway is eth0).
>
> B responds to HTTP requests through its gateway eth1.
>
> Snort runs on an Ubuntu box and has eth0 and eth1 as its incoming and
> outgoing interfaces.
>
> When I changed my deployment to switching instead of routing traffic,
> it works perfectly. The packets that snort processes are exactly what is
> transmitted through the snort box.
>
> In my old setup, it looks like received and transmitted packets are seen as
> different by snort, as packets are modified when routed.
>
> Thank you!!!
>
> Jorda.
>
> ------------------------------
>
> From: "rmkml" <rmkml at ...1855...>
> To: jorbru30 at ...5068...
> Cc: "Russ Combs" <rcombs at ...1935...>,
> snort-users at lists.sourceforge.net, rmkml at ...1855...
> Sent: Wednesday, June 27, 2012 3:59:39 PM
> Subject: Re: [Snort-users] snot processes packets twice?
>
> Hi,
> Can you try with the latest snort stable v2.9.2.3 and daq v0.6.2?
> or the latest snort release candidate (v2.9.3_rc) and daq v1.1.1?
> Can you run daq dump?
> Regards
> Rmkml
>
>
>
> On Wed, 27 Jun 2012, jorbru30 at ...5068... wrote:
>
> > Thank you Russ for the tip.
> > I checked for any bridge but there is none.
> > mysnort at ...424...:~/pcaps$ brctl show
> > bridge name bridge id  STP enabled interfaces
> > I captured pcaps at eth0 and eth1 and each shows about 25,000 packets.
> > I also added a print statement prior to "ProcessPacket" in snort.c
> > to verify snort is indeed inspecting duplicate packets. My finding is yes,
> > it does inspect about 50,000 packets.
> > I am still trying to figure out why snort checks packets from both
> > interfaces and how to fix the issue.
> > I appreciate any help.
> > Jorda.
> >
> > ------------------------------
> >
> > From: "Russ Combs" <rcombs at ...1935...>
> > To: jorbru30 at ...5068...
> > Cc: snort-users at lists.sourceforge.net
> > Sent: Wednesday, June 27, 2012 10:56:47 AM
> > Subject: Re: [Snort-users] snot processes packets twice?
> >
> > Not sure why you are seeing double; any chance you bridged eth0 and eth1?
> >
> > On Wed, Jun 27, 2012 at 1:18 AM, <jorbru30 at ...5068...> wrote:
> >
> > > Hi,
> > > I am running snort version 2.9.1 as IPS using the following command.
> > > /usr/local/snort/bin/snort --daq afpacket -i eth0:eth1 -Q --daq-dir=/usr/local/lib/daq -l /var/log/snort -c /usr/local/snort/etc/snort.conf
> > > I am sending packets from a traffic generator tool which acts as a
> > > sender and receiver.
> > > Traffic generator (TGS) <-> eth0 <-> eth1 <-> Traffic generator (TGR)
> > > About 25,000 packets are seen at eth0 (packets sent from TGS and
> > > responses (mostly ack packets) from TGR). The same set of packets are seen
> > > at eth1.
> > > After I stopped snort with ctrl-c, snort displays ..."Snort
> > > processed 50531 packets".
> > > I was expecting snort to process incoming packets (packets from
> > > eth0 to eth1) and outgoing packets (packets from eth1 to eth0), which is
> > > about 25,000, but it processes double the # of packets.
> > > Please help me understand why snort processes packets twice.
> > > Thank you!
> > > Jorda.
>
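An added diagnostic, not part of this thread or of Snort: given the two per-interface captures Jorda describes (one on eth0, one on eth1), this script tells byte-identical frames (the switched deployment) apart from routed copies (new MAC addresses, TTL one lower, IP checksum recomputed), which is exactly the difference Jorda's resolution points to. It builds its own minimal sample frames instead of reading pcap files; the MAC addresses, IP addresses, IP id and payload are constructed for the example.

```python
import struct

def ipv4_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement sum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", hdr[:20]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frame(src_mac, dst_mac, src_ip, dst_ip, ip_id, ttl, payload):
    """Minimal Ethernet + IPv4 (proto TCP) frame with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      ip_id, 0, ttl, 6, 0, src_ip, dst_ip)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return dst_mac + src_mac + b"\x08\x00" + hdr + payload

def routing_invariant_key(frame: bytes):
    """Fields a router leaves alone: IP id, addresses, everything after the IP header."""
    ihl = (frame[14] & 0x0F) * 4
    return (frame[18:20], frame[26:30], frame[30:34], frame[14 + ihl:])

def classify_copies(eth0_frames, eth1_frames):
    """Relate each eth1 frame to the eth0 capture: byte-identical (forwarded at L2),
    a routed copy (same key, TTL one lower, new MACs) or unrelated."""
    exact = set(eth0_frames)
    by_key = {routing_invariant_key(f): f for f in eth0_frames}
    result = {"exact_duplicate": 0, "routed_copy": 0, "unrelated": 0}
    for f in eth1_frames:
        if f in exact:
            result["exact_duplicate"] += 1
            continue
        orig = by_key.get(routing_invariant_key(f))
        if orig is not None and orig[22] - f[22] == 1 and orig[:12] != f[:12]:
            result["routed_copy"] += 1   # byte 22 is the IPv4 TTL, bytes 0-11 the MACs
        else:
            result["unrelated"] += 1
    return result

# Constructed sample: host A behind eth0 (192.168.100.0/24) sends an HTTP request
# to host B behind eth1 (192.168.200.0/24); MACs, IPs and IP id are made up.
A_MAC, ETH0_MAC, ETH1_MAC, B_MAC = (bytes.fromhex("0a000000000%d" % i) for i in range(1, 5))
A_IP, B_IP = bytes([192, 168, 100, 10]), bytes([192, 168, 200, 10])
PAYLOAD = b"GET / HTTP/1.1\r\nHost: b\r\n\r\n"
# Routed deployment: A sends to its gateway MAC (eth0); the kernel forwards a rewritten
# copy out eth1 (eth1's MAC as source, B's MAC as destination, TTL 64 -> 63).
ROUTED_ETH0 = [build_frame(A_MAC, ETH0_MAC, A_IP, B_IP, 0x1234, 64, PAYLOAD)]
ROUTED_ETH1 = [build_frame(ETH1_MAC, B_MAC, A_IP, B_IP, 0x1234, 63, PAYLOAD)]
# Switched deployment: A addresses B directly and the frame is relayed byte for byte.
SWITCHED = [build_frame(A_MAC, B_MAC, A_IP, B_IP, 0x1234, 64, PAYLOAD)]
```

Run `classify_copies` on the frames decoded from the real eth0 and eth1 captures: a count dominated by `routed_copy` means the box is forwarding at layer 3, so each packet Snort sees on eth0 reappears on eth1 as a rewritten frame, which matches the doubled packet count in the thread.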