SNORT and PAM

For Network IPS appliances, SNORT and PAM (Protocol Analysis Module) analyze the same data packets independently. Because neither system knows what the other has done with a packet, each system can produce unexpected behavior.

The appliance delivers a single queue of packets to PAM and to the integrated SNORT system. The appliance does not apply a processing order to the queue: whichever system reaches a packet first analyzes it first. If the first system alters the packet or responds to it, the second system analyzes a modified packet, or responds to a packet that the first system already responded to. The outcome of this relationship is that you might see unexpected events or quarantine rules.

Example: PAM analyzes first

PAM analyzes a packet before SNORT does, and PAM drops the packet. SNORT analyzes the same packet later, and generates an event. The unexpected outcome is that SNORT generated an unnecessary event from a packet that PAM dropped earlier.

Example: SNORT analyzes first

SNORT analyzes a packet before PAM does, and SNORT generates an event. A quarantine rule is created from the event. The packet is one that PAM drops when it analyzes it, but PAM has not yet reached the packet in the queue. Because PAM has not yet responded, SNORT sees the same packet again, generates another event, and another quarantine rule is created. PAM analyzes the packet later and drops the traffic. The unexpected outcome is that SNORT generated duplicate events and duplicate quarantine rules were created before PAM responded to the packet.
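The two orderings above, as an added Python model of the shared queue (illustration only, not the appliance's code and not the real SNORT or PAM logic). It assumes that PAM's action is to silently drop, that SNORT's action is to raise an event from which one quarantine rule is created, and that when PAM has not yet responded the sender retransmits the packet, which is how SNORT comes to see the same packet twice. The packet values are constructed.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class Packet:
    pkt_id: int
    src: str
    malicious: bool          # constructed label: matches both engines' rules
    dropped: bool = False    # set once PAM has acted on it


@dataclass
class Outcome:
    snort_events: int = 0
    quarantine_rules: List[str] = field(default_factory=list)
    pam_drops: int = 0


def pam_analyze(pkt: Packet, out: Outcome) -> None:
    """PAM (model): drop matching traffic. No event, no quarantine rule."""
    if pkt.malicious and not pkt.dropped:
        pkt.dropped = True
        out.pam_drops += 1


def snort_analyze(pkt: Packet, out: Outcome) -> None:
    """SNORT (model): raise an event and create a quarantine rule for the source.
    SNORT has no view of PAM's decision, so it fires even if PAM already dropped
    the packet; that is the root of the unexpected events described above."""
    if pkt.malicious:
        out.snort_events += 1
        out.quarantine_rules.append(f"quarantine src={pkt.src}")


def run_pam_first(pkt: Packet) -> Outcome:
    """Ordering 1: PAM reaches the packet first and drops it; SNORT still
    analyzes the dropped packet and raises one unnecessary event."""
    out = Outcome()
    pam_analyze(pkt, out)
    snort_analyze(pkt, out)
    return out


def run_snort_first(pkt: Packet) -> Outcome:
    """Ordering 2: SNORT reaches the packet first. Nothing has responded yet, so
    the sender retransmits (assumed here); SNORT sees the copy and fires again.
    PAM only then reaches the packet and drops it."""
    out = Outcome()
    snort_analyze(pkt, out)                                   # event + rule
    retransmit = Packet(pkt.pkt_id, pkt.src, pkt.malicious)   # assumed resend
    snort_analyze(retransmit, out)                            # duplicate event + rule
    pam_analyze(pkt, out)                                     # PAM finally drops
    return out


def duplicate_rules(out: Outcome) -> int:
    """Number of quarantine rules beyond the first for the same source, i.e.
    the duplicates an operator would see in ordering 2."""
    return len(out.quarantine_rules) - len(set(out.quarantine_rules))


if __name__ == "__main__":
    flow = Packet(1, "198.51.100.7", malicious=True)   # constructed sample
    print("PAM first:  ", run_pam_first(flow))
    flow = Packet(2, "198.51.100.7", malicious=True)
    print("SNORT first:", run_snort_first(flow))
```

Running the block shows one drop and one event for the PAM-first ordering, and one drop, two events and two identical quarantine rules for the SNORT-first ordering; a benign packet produces nothing in either ordering. When triaging such an appliance, matching SNORT events against PAM drop logs for the same source and time window is how an operator tells an "already blocked" event from one that still needs action.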