
Suspicious Traffic Seen By Multiple Sensing Interfaces

Is there any documentation that explains the anticipated behavior with a sensor that has the same suspicious traffic pass by (promiscuous) or through (in-line) interfaces on the same sensor?

The new Cisco IPS course materials have one short note: If the same traffic enters the sensor on multiple interfaces, you may experience difficulties. The sensor may generate duplicate alerts for non-TCP traffic. For TCP traffic, you may get many 13xx alerts or TCP stream collisions resulting in no alert.

I'm working with a sensor in the lab with one in-line pair and one promiscuous interface, each protecting a separate network. If traffic travels from one of the protected networks to the other, I sometimes get duplicate alerts, and sometimes I don't. But it isn't based on TCP vs. non-TCP traffic. I'm seeing double alerts for regex-based TCP signatures. Scans seem to generate only a single alert.

Thanks for any info or pointers to info.

KEP


Re: Suspicious Traffic Seen By Multiple Sensing Interfaces

When the same traffic hits multiple sensing interfaces, the sensor sometimes generates duplicate alerts. This is normal.
