This question is regarding SPAN port configuration and how Suricata handles duplicate packets.
In our setup Suricata is in IDS mode and connected to a SPAN port.
On the switch all ports are duplicated to this one SPAN port. We tested 2 configurations on the switch.
Configuration 1 (bidirectional):

```
port-mirroring 1 destination 1/1/24 enable
port-mirroring 1 source 1/1/1-23 bidirectional enable
```

Configuration 2 (inport):

```
port-mirroring 1 destination 1/1/24 enable
port-mirroring 1 source 1/1/1-23 inport enable
```
Suppose the switch has 24 ports. I would assume that while using configuration 1, we would see all packets twice. A packet will be duplicated when entering via one port and will be duplicated again while leaving on another port. That’s why I would propose to use configuration 2. However, while switching from configuration 1 to configuration 2, some of the alerts that we were receiving stopped happening.
- Is it wrong to assume that configuration 1 does not have any advantage over configuration 2 and should give the same alerts?
- How well does Suricata handle the duplicate packets in configuration 1 regarding protocol detection? Will you see, for example, 1 or 2 HTTP sessions? What about DNS, …?
- How well does Suricata handle the duplicate packets in configuration 1 regarding alerting? Will every alert fire twice?
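To check what the SPAN capture actually contains before tuning Suricata, here is an added duplicate-frame counter (example code written for this post, not from Suricata or the switch vendor). It assumes constructed Ethernet/IPv4/TCP frames and a one-millisecond window, so byte-identical frames arriving back to back count as SPAN copies while a later retransmission with the same bytes does not.

```python
import hashlib
import struct
from collections import deque

# Assumption: two identical frames closer than this are mirror copies, not retransmissions.
WINDOW_SECONDS = 0.001

def frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload=b""):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed sample data, checksums left zero)."""
    eth = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def count_duplicates(packets, window=WINDOW_SECONDS):
    """packets: iterable of (timestamp, frame_bytes) in capture order.
    Returns (unique, duplicate). A frame is a duplicate when a byte-identical
    frame was seen within `window` seconds, which is what a bidirectional SPAN
    emits when one frame is mirrored on ingress and again on egress.
    Caveat: a routed hop rewrites MACs and TTL, so those copies differ and are not caught."""
    recent = deque()   # (timestamp, digest) of frames still inside the window
    seen = {}          # digest -> number of copies currently inside the window
    unique = dup = 0
    for ts, data in packets:
        while recent and ts - recent[0][0] > window:   # expire old frames
            _, old = recent.popleft()
            seen[old] -= 1
            if seen[old] == 0:
                del seen[old]
        digest = hashlib.sha256(data).digest()
        if digest in seen:
            dup += 1
        else:
            unique += 1
        seen[digest] = seen.get(digest, 0) + 1
        recent.append((ts, digest))
    return unique, dup

# Constructed capture: request and reply each mirrored twice, then a retransmit 1 s later.
REQ = frame("001122334455", "66778899aabb", "10.0.0.10", "10.0.0.20", 40000, 80, b"GET / HTTP/1.1\r\n")
RESP = frame("66778899aabb", "001122334455", "10.0.0.20", "10.0.0.10", 80, 40000, b"HTTP/1.1 200 OK\r\n")
BIDIRECTIONAL = [(0.0, REQ), (0.0, REQ), (0.0005, RESP), (0.0005, RESP), (1.0, REQ)]
INPORT = [(0.0, REQ), (0.0005, RESP), (1.0, REQ)]

if __name__ == "__main__":
    print("bidirectional:", count_duplicates(BIDIRECTIONAL))   # (3, 2)
    print("inport:", count_duplicates(INPORT))                 # (3, 0)
```

On a real capture, feed it (timestamp, bytes) pairs read from the pcap; a duplicate share near 50% under configuration 1 confirms the double mirroring assumed in the question.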