[Snort-users] How snort handles several copies of the same packet?

Joel Esler jesler at ...1935...
Wed Oct 24 09:49:27 EDT 2012


On Oct 24, 2012, at 4:48 AM, elof at ...6680... wrote:
> I know that snort only generates ONE alert even if the mirrored traffic 
> sees the same packet twice or more:
> 
> ...like before and after a router:
> x:x:x:x:x:x y:y:y:y:y:y 1.1.1.1:1234 -> 2.2.2.2:80 ipid 3333, TTL 60
> y:y:y:y:y:y z:z:z:z:z:z 1.1.1.1:1234 -> 2.2.2.2:80 ipid 3333, TTL 59
> ^^^^^^^^^^^^^^^^^^^^^^^                                           ^^
> 
> ...or tcp retransmissions:
> x:x:x:x:x:x y:y:y:y:y:y 1.1.1.1:1234 -> 2.2.2.2:80 ipid 3333, TTL 60
> x:x:x:x:x:x y:y:y:y:y:y 1.1.1.1:1234 -> 2.2.2.2:80 ipid 3334, TTL 60
> x:x:x:x:x:x y:y:y:y:y:y 1.1.1.1:1234 -> 2.2.2.2:80 ipid 3335, TTL 60
>                                                         ^^^^
> 
> ...or two *exact* duplicates of every packet due to faulty SPAN:
> x:x:x:x:x:x y:y:y:y:y:y 1.1.1.1:1234 -> 2.2.2.2:80 ipid 3333, TTL 60
> x:x:x:x:x:x y:y:y:y:y:y 1.1.1.1:1234 -> 2.2.2.2:80 ipid 3333, TTL 60
> 
> 
> Only having one alert in the above cases is really nice, but I wonder:
> 
> Can someone describe how this is done and what is happening in snort, both 
> on the individual packet level, and in stream5?
> 
> How does snort detect and filter out these "duplicates"?
> Which packets are disregarded and which are kept?

Everything is analyzed independently.  I've seen the problem commonly at many sites.  Filtering out the duplicate traffic on a span is important for optimum performance.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
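The three duplicate patterns described in the question (a copy taken before and after a router, TCP retransmissions, and exact copies from a misconfigured SPAN) can be told apart from the capture itself, which is useful when deciding whether the span feed needs fixing as Joel suggests. The following is an added example, not Snort or stream5 code and not from either poster: it classifies a constructed packet list using the same fields the question points at (MAC pair, IP ID, TTL, TCP sequence number, payload). The `Pkt` record and the sample capture are assumptions made up for the example.

```python
"""Classify duplicate packets in mirrored traffic (added example, not Snort code).

Categories, keyed on the fields the original post highlights:
  exact-dup      identical frame seen again (faulty SPAN delivering two copies)
  hop-copy       same 5-tuple, IP ID and payload, but TTL (and MACs) differ,
                 i.e. the same packet captured before and after a router
  retransmission same 5-tuple, TCP seq and payload, but a fresh IP ID
  new            first sighting of this data
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    # Hypothetical flat packet record; a real tool would fill it from a pcap.
    src_mac: str
    dst_mac: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ipid: int
    ttl: int
    seq: int
    payload: bytes


def classify(packets):
    """Return (kept_packets, labels); labels[i] describes packets[i]."""
    seen_exact = set()      # whole frames already seen
    first_by_ipid = {}      # (5-tuple, ipid) -> first packet with that id
    first_by_seq = {}       # (5-tuple, seq, payload) -> first packet
    kept, labels = [], []
    for p in packets:
        flow = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        if p in seen_exact:
            labels.append("exact-dup")          # bit-for-bit repeat
            continue
        seen_exact.add(p)

        key_id = flow + (p.ipid,)
        first = first_by_ipid.get(key_id)
        if first is not None and first.payload == p.payload and first.ttl != p.ttl:
            labels.append("hop-copy")           # same datagram, one router later
            continue

        key_seq = flow + (p.seq, p.payload)
        if key_seq in first_by_seq:
            labels.append("retransmission")     # same segment, new IP ID
            continue

        first_by_ipid.setdefault(key_id, p)
        first_by_seq[key_seq] = p
        labels.append("new")
        kept.append(p)
    return kept, labels


def summarize(packets):
    """Count each category; a high exact-dup share points at the SPAN setup."""
    _, labels = classify(packets)
    return Counter(labels)


def sample_capture():
    """Constructed packets mirroring the three cases in the question."""
    get = b"GET / HTTP/1.0\r\n"
    base = dict(src_ip="1.1.1.1", src_port=1234, dst_ip="2.2.2.2", dst_port=80)
    return [
        Pkt("x", "y", ipid=3333, ttl=60, seq=1000, payload=get, **base),  # original
        Pkt("y", "z", ipid=3333, ttl=59, seq=1000, payload=get, **base),  # after router
        Pkt("x", "y", ipid=3334, ttl=60, seq=1000, payload=get, **base),  # retransmit
        Pkt("x", "y", ipid=3335, ttl=60, seq=1000, payload=get, **base),  # retransmit
        Pkt("x", "y", ipid=3333, ttl=60, seq=1000, payload=get, **base),  # SPAN copy
        Pkt("x", "y", ipid=3336, ttl=60, seq=1016, payload=b"Host: h\r\n", **base),
    ]


if __name__ == "__main__":
    kept, labels = classify(sample_capture())
    for label, pkt in zip(labels, sample_capture()):
        print(f"{label:15} ipid={pkt.ipid} ttl={pkt.ttl} seq={pkt.seq}")
    print("kept:", len(kept), "summary:", dict(summarize(sample_capture())))
```

Run on a real feed, the `exact-dup` count is the figure to watch: hop copies and retransmissions are normal network behaviour, but a feed where nearly every frame is an exact duplicate is the "faulty SPAN" case and is best fixed at the switch rather than absorbed by the sensor.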