I have a SPAN port receiving data from multiple VLANs on a switch. The SPAN port is connected to the sensing interface on a 4250 IDS sensor. I am seeing multiple copies of the same packets when I run snoop on the sensor. I am assuming that what I'm seeing is a packet traversing multiple VLANs.
My question - will the Cisco IDS create an alert for each identical packet, or does it have the smarts to recognize that these are multiple copies of the same packet, and create just one alert?
The atomic signatures will likely alert on each copy of the packet.
The stream based regex signatures may only fire one alarm because the stream reassembly code may throw out the duplicate packet.
Fragmented traffic may also only fire a single alarm because the fragmentation reassembly code may throw out the duplicate packet.
As for why you are getting duplicates:
What type of SPAN are you using, what type of switch are you using, and what is routing between the VLANs?
If you are doing a both-direction (tx+rx) SPAN on a VLAN, and both the source and destination ports are in the same VLAN, then you are getting duplicates even within the same VLAN: once for the rx, and again for the tx.
Try using only rx SPAN so you see the packets just when they enter the switch and not when they leave the switch.
If you are using a Cat 6000 with an MSFC doing the routing, then try spanning rx on each port of each of the VLANs being routed. This way you see the packets come in on one VLAN, instead of in on one VLAN and out on the second VLAN. (Note: the MSFC port in many cases doesn't act the same with SPAN as the other physical ports of the switch. Packets being routed by the MSFC may be switched in hardware to increase routing performance, and never actually be sent to the MSFC port, so SPAN won't see them as either rx or tx to the MSFC port.)
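Before changing the SPAN configuration it helps to know which kind of duplicate the sensor is seeing. The following diagnostic is an added example, not code from the thread or from Cisco: it assumes packets from the snoop capture have already been parsed into simple records (VLAN tag, 5-tuple, IP ID, TTL) and separates exact copies (the tx and rx halves of a both-direction SPAN) from routed copies (the same packet seen again on another VLAN with its TTL decremented).

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    """Fields a parser would pull from each captured frame (assumed layout)."""
    vlan: int
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    ip_id: int
    ttl: int


def classify_duplicates(pkts):
    """Group packets that are the same IP datagram and count how the copies differ.

    identical_copies: same VLAN and TTL -> the tx and rx views of a both (tx+rx) SPAN.
    routed_copies:    a further (VLAN, TTL) variant of the same datagram -> the
                      packet seen again after being routed onto another VLAN.
    Caveat: matching on IP ID assumes hosts set non-zero, unique IP IDs; packets
    with IP ID 0 (common with DF set) cannot be grouped reliably this way.
    """
    groups = defaultdict(list)
    for p in pkts:
        groups[(p.src, p.dst, p.proto, p.sport, p.dport, p.ip_id)].append(p)
    summary = {"unique": 0, "identical_copies": 0, "routed_copies": 0}
    for copies in groups.values():
        summary["unique"] += 1
        variants = defaultdict(int)  # (vlan, ttl) -> number of exact copies
        for c in copies:
            variants[(c.vlan, c.ttl)] += 1
        summary["identical_copies"] += sum(n - 1 for n in variants.values())
        summary["routed_copies"] += len(variants) - 1
    return summary


# Constructed sample: one TCP SYN routed from VLAN 10 to VLAN 20 under a both
# (tx+rx) SPAN, so it shows up four times, plus one unrelated UDP packet.
SAMPLE = [
    Pkt(10, "10.1.1.5", "10.2.2.9", "tcp", 40000, 80, 1234, 64),  # rx on VLAN 10
    Pkt(10, "10.1.1.5", "10.2.2.9", "tcp", 40000, 80, 1234, 64),  # tx copy, VLAN 10
    Pkt(20, "10.1.1.5", "10.2.2.9", "tcp", 40000, 80, 1234, 63),  # routed, rx on VLAN 20
    Pkt(20, "10.1.1.5", "10.2.2.9", "tcp", 40000, 80, 1234, 63),  # tx copy, VLAN 20
    Pkt(10, "10.1.1.7", "10.1.1.8", "udp", 5000, 53, 99, 128),    # seen once
]

if __name__ == "__main__":
    print(classify_duplicates(SAMPLE))
```

A high identical_copies count points at a tx+rx SPAN (switch to rx only); a high routed_copies count means the packet is being spanned on both the ingress and egress VLANs.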