[Snort-users] How snort handles several copies of the same packet?

elof at ...6680... elof at ...6680...
Wed Oct 24 04:48:42 EDT 2012


I know that snort only generates ONE alert even if the mirrored traffic 
see the same packet twice or more:

...like before and after a router:
x:x:x:x:x:x y:y:y:y:y:y 1.1.1.1:1234 -> 2.2.2.2:80 ipid 3333, TTL 60
y:y:y:y:y:y z:z:z:z:z:z 1.1.1.1:1234 -> 2.2.2.2:80 ipid 3333, TTL 59
^^^^^^^^^^^^^^^^^^^^^^^                                           ^^

...or tcp retransmissions:
x:x:x:x:x:x y:y:y:y:y:y 1.1.1.1:1234 -> 2.2.2.2:80 ipid 3333, TTL 60
x:x:x:x:x:x y:y:y:y:y:y 1.1.1.1:1234 -> 2.2.2.2:80 ipid 3334, TTL 60
x:x:x:x:x:x y:y:y:y:y:y 1.1.1.1:1234 -> 2.2.2.2:80 ipid 3335, TTL 60
                                                         ^^^^

...or two *exact* duplicates of every packet due to faulty SPAN:
x:x:x:x:x:x y:y:y:y:y:y 1.1.1.1:1234 -> 2.2.2.2:80 ipid 3333, TTL 60
x:x:x:x:x:x y:y:y:y:y:y 1.1.1.1:1234 -> 2.2.2.2:80 ipid 3333, TTL 60


Only having one alert in the above cases is really nice, but I wonder:

Can someone describe how this is done and what is happening in snort, both 
on the individual packet level, and in stream5?

How does snort detect and filter out these "duplicates"?
Which packets are disregarded and which are kept?

/Elof




More information about the Snort-users mailing list