Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
307
Views
0
Helpful
1
Replies

Suspcious Traffic Seen By Multiple Sensing Interfaces

kurtpatzer
Level 1
Level 1

‎10-05-2005 05:30 PM - edited ‎03-10-2019 01:40 AM

Is there any documentation that explains the anticipated behavior with a sensor that has the same suspicious traffic pass by (promiscuous) or through (in-line) interfaces on the same sensor?

The new Cisco IPS course materials has one short note: If the same traffic enters the sensor on multiple interfaces, you may experience difficulties. The sensor may generate duplicate alerts for non-TCP traffic. For TCP traffic, you may get many 13xx alerts or TCP stream collisons resulting in no alert.

I'm working with a sensor in the lab with one in-line pair and one promiscuous interface each protecting a separate network. If traffic travels from one of the protected networks to the other I sometimes get duplicate alerts, and sometimes I don't. But it isn't based on TCP vs non-TCP traffic. I'm seeing double alerts for regex based TCP signatures. Scans seem to only generate a single alert.

Thanks for any info or pointers to info.

KEP

Labels:
0 Helpful
1 Reply 1

wong34539
Level 6
Level 6

‎10-11-2005 12:45 PM

When the same traffic hits multiple sensing interfaces, the sensor sometimes generate duplicate alerts. This is normal.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card