SPAN port configuration: duplicate packets

Hi,

This question is regarding SPAN port configuration and how Suricata handles duplicate packets.

In our setup Suricata is in IDS mode and connected to a SPAN port.
On the switch all ports are duplicated to this one SPAN port. We tested 2 configurations on the switch.

Configuration 1 (bidirectional):

port-mirroring 1 destination 1/1/24 enable
port-mirroring 1 source 1/1/1-23 bidirectional enable

Configuration 2 (inport):

port-mirroring 1 destination 1/1/24 enable
port-mirroring 1 source 1/1/1-23 inport enable

Suppose the switch has 24 ports. I would assume that while using configuration 1, we would see all packets twice. A packet will be duplicated when entering via one port and will be duplicated again while leaving on another port. That’s why I would propose to use configuration 2. However, while switching from configuration 1 to configuration 2, some of the alerts that we were receiving stopped happening.

  • Is it wrong to assume that configuration 1 does not have any advantage over configuration 2 and should give the same alerts?
  • How well does Suricata handle the duplicate packets in configuration 1 regarding protocol detection? Will you see, for example, 1 or 2 HTTP sessions? What about DNS, …?
  • How well does Suricata handle the duplicate packets in configuration 1 regarding alerting? Will every alert fire twice?

Kind regards,
Bert

One reason for missing packets with the inport option could be traffic that enters on port 10 and also goes out again on port 10?

In general, duplicate packets are no issue aside from the unnecessary performance overhead.

I would run tcpdump, try both options, and look into the traffic, so you can ensure that you really see what you want to have.
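As an added example (not written by either poster), here is a small Python script that does the check suggested in the reply offline: it parses a libpcap file of the kind `tcpdump -w` writes and counts frames that are byte-identical to one seen moments earlier, which is exactly what a bidirectional mirror produces (one copy on ingress, one on egress). The capture bytes, MAC and IP addresses and the 10 ms matching window are constructed assumptions for the demonstration.

```python
"""Count mirror-induced duplicate frames in a libpcap capture.

Added example (not from the forum thread). Assumes the capture was taken on
the Suricata sensor's SPAN-facing interface; the pcap bytes below are
constructed inline so the script runs offline.
"""
import hashlib
import struct
from typing import Iterator, Tuple

PCAP_MAGIC = 0xA1B2C3D4      # microsecond-resolution libpcap magic
LINKTYPE_ETHERNET = 1


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def make_udp_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a minimal Ethernet/IPv4/UDP frame (constructed sample traffic)."""
    eth = bytes.fromhex("00155d000001") + bytes.fromhex("00155d000002") + b"\x08\x00"
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload  # UDP checksum 0 = none
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0, 64, 17, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return eth + ip + udp


def build_pcap(records) -> bytes:
    """Serialize (timestamp_seconds, frame) pairs into a little-endian libpcap file."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_pcap(data: bytes) -> Iterator[Tuple[float, bytes]]:
    """Yield (timestamp, frame) from libpcap bytes, accepting either byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap file (pcapng is not handled here)")
    off = 24                       # skip the 24-byte global header
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1_000_000, data[off:off + incl_len]
        off += incl_len


def duplicate_stats(data: bytes, window_s: float = 0.01) -> dict:
    """Count frames byte-identical to one seen at most window_s seconds earlier.

    A bidirectional SPAN source mirrors a frame on ingress and again on egress,
    so the two copies arrive microseconds apart.  A TCP retransmission is also
    byte-identical but arrives much later, so the window keeps it out of the count.
    """
    last_seen = {}
    total = duplicates = 0
    for ts, frame in iter_pcap(data):
        total += 1
        key = hashlib.sha256(frame).digest()
        prev = last_seen.get(key)
        if prev is not None and ts - prev <= window_s:
            duplicates += 1
        last_seen[key] = ts
    return {"total": total, "duplicates": duplicates,
            "ratio": duplicates / total if total else 0.0}


def sample_bidirectional_capture() -> bytes:
    """Constructed capture: three DNS-like frames, each mirrored twice (ingress and
    egress copy 5 us apart), plus one late repeat that must not count as a mirror duplicate."""
    frames = [
        make_udp_frame("10.0.0.1", "10.0.0.53", 40000, 53, b"query-1"),
        make_udp_frame("10.0.0.2", "10.0.0.53", 40001, 53, b"query-2"),
        make_udp_frame("10.0.0.53", "10.0.0.1", 53, 40000, b"answer-1"),
    ]
    records = []
    t = 1000.0
    for f in frames:
        records.append((t, f))
        records.append((t + 0.000005, f))   # egress copy from the bidirectional mirror
        t += 0.5
    records.append((t + 2.0, frames[0]))     # retransmission-like repeat, 2 s later
    return build_pcap(records)


if __name__ == "__main__":
    print(duplicate_stats(sample_bidirectional_capture()))
```

To use it on a real capture, replace `sample_bidirectional_capture()` with `open(path, "rb").read()`: a duplicate ratio near 0.5 under configuration 1 and near 0 under configuration 2 confirms the mirror behaves as the question assumes, and the frames that are missing from the configuration 2 capture can then be compared directly. The script deliberately keys on the whole frame, so copies that differ (for example by a VLAN tag added on egress) are reported as distinct, which is itself worth knowing when comparing the two setups.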