Generic Receive Offload and Large Receive Offload can cause snort IDS/IPS to discard IP packets
If you run snort IDS/IPS and have noticed strange behaviour, such as rules not firing on traffic in one direction or the other despite being set up with the correct directional rule parameters, the right HOME_NET value and the right EXTERNAL_NET value, then you might be a victim of Large Receive Offload (LRO) and/or Generic Receive Offload (GRO) network hardware or driver settings. In some cases I have noticed that snort will ignore oversized ethernet frames. Many NICs and drivers today will automatically merge multiple full-sized packets into single frames larger than the 1500-byte MTU before they reach the capture library. In my experience, Snort ignores these frames, and not even using "-P 65535" (the snaplen option) will get it to pay attention to them. One sign of this problem is relatively large discard values in the snort post-run protocol summary, like this:
Breakdown by protocol (includes rebuilt packets):
        Eth:       3651 (100.000%)
       VLAN:          0 (  0.000%)
        IP4:       3651 (100.000%)
       Frag:          0 (  0.000%)
       ICMP:          0 (  0.000%)
        UDP:          0 (  0.000%)
        TCP:       2735 ( 74.911%)
        IP6:          0 (  0.000%)
    IP6 Ext:          0 (  0.000%)
      <snip>
       MPLS:          0 (  0.000%)
        ARP:          0 (  0.000%)
        IPX:          0 (  0.000%)
   Eth Loop:          0 (  0.000%)
   Eth Disc:          0 (  0.000%)
   IP4 Disc:        916 ( 25.089%)   <=== High % Discard!
   IP6 Disc:          0 (  0.000%)
   TCP Disc:          0 (  0.000%)
   UDP Disc:          0 (  0.000%)
  ICMP Disc:          0 (  0.000%)
All Discard:        916 ( 25.089%)   <=== High % Discard!
      Other:          0 (  0.000%)
Bad Chk Sum:          0 (  0.000%)
    Bad TTL:          0 (  0.000%)
     S5 G 1:          0 (  0.000%)
     S5 G 2:          0 (  0.000%)
      Total:       3651
===========================================================
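Because the discard counters are the symptom to watch for, a small check that pulls them out of the summary is handy after each snort run (for instance from a wrapper script). The following is an added example, not code from the original post or from the snort project: it parses the "Breakdown by protocol" block from stdin, reports every non-zero Disc/Discard counter, and flags the "All Discard" percentage when it exceeds a threshold. The sample summary is constructed from the figures quoted above, and the 5% default threshold is an assumption, not a snort recommendation.

```shell
#!/bin/sh
# Added example (not part of the original post): summarise discard counters
# from a snort post-run protocol breakdown and flag a high discard ratio.

# Constructed sample, abbreviated from the summary shown in the post.
SAMPLE_SUMMARY='Breakdown by protocol (includes rebuilt packets):
        Eth:       3651 (100.000%)
        IP4:       3651 (100.000%)
        TCP:       2735 ( 74.911%)
   IP4 Disc:        916 ( 25.089%)
   IP6 Disc:          0 (  0.000%)
All Discard:        916 ( 25.089%)
      Total:       3651'

# discard_percent < summary
# Prints the "All Discard" percentage (e.g. 25.089) or nothing if the line is absent.
discard_percent() {
    awk -F'[(%]' '/^ *All Discard:/ { gsub(/ /, "", $2); print $2; exit }'
}

# nonzero_discards < summary
# Prints "<counter> <count>" for every Disc/Discard line with a non-zero count.
nonzero_discards() {
    awk -F': ' '/Disc(ard)?:/ {
        split($2, a, " ")            # a[1] is the raw count
        if (a[1] + 0 > 0) { gsub(/^ +/, "", $1); print $1, a[1] }
    }'
}

# discard_status [THRESHOLD] < summary
# Prints HIGH if the All Discard percentage exceeds THRESHOLD (assumed default 5),
# OK if not, UNKNOWN if the summary carried no All Discard line.
discard_status() {
    thr=${1:-5}
    pct=$(discard_percent)
    if [ -z "$pct" ]; then
        echo "UNKNOWN"
    else
        awk -v p="$pct" -v t="$thr" 'BEGIN { if (p + 0 > t + 0) print "HIGH"; else print "OK" }'
    fi
}

# Demo on the constructed sample. On a real sensor, feed it snort's stdout
# instead, e.g.:  snort ... 2>&1 | tee snort.log; discard_status < snort.log
printf '%s\n' "$SAMPLE_SUMMARY" | nonzero_discards   # IP4 Disc 916 / All Discard 916
printf '%s\n' "$SAMPLE_SUMMARY" | discard_status     # HIGH
```

A non-zero "IP4 Disc" with "Bad Chk Sum" and "Frag" at zero is the pattern described in this post; if the discards are in the checksum or fragment rows instead, the cause is something other than receive offload.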
To disable GRO and LRO, try these commands on your sensor interface (substitute your interface name in place of eth2 if it is different). You can confirm the current state first with "ethtool -k eth2", which lists generic-receive-offload and large-receive-offload as on or off. Note that settings changed with ethtool -K do not survive a reboot, so add them to the interface's network configuration or a boot script once you have confirmed they fix the discards:
ethtool -K eth2 gro off
ethtool -K eth2 lro off
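Since this check ends up in a sensor's boot or deployment script, it helps to make it idempotent: read the offload state, and only issue the ethtool -K commands that are actually needed. The script below is an added example, not from the original post; it parses the "feature-name: on|off" lines that ethtool -k prints (a constructed sample is embedded so the parsing can be exercised without a NIC), and check_interface is what you would call on a real sensor. Feature names generic-receive-offload and large-receive-offload are ethtool's real keys; the "[fixed]" suffix in the sample marks a feature the driver does not allow changing.

```shell
#!/bin/sh
# Added example (not part of the original post): report which receive
# offloads are on for a sensor interface and emit the ethtool -K commands
# needed to turn them off.

# Constructed, abbreviated sample of `ethtool -k eth2` output.
SAMPLE_ETHTOOL_K='Features for eth2:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on'

# offload_state FEATURE < ethtool_k_output
# Prints "on" or "off" for the named feature, or "unknown" if it is not listed.
# The "[fixed]" suffix is dropped; a fixed feature cannot be changed with -K.
offload_state() {
    awk -v feat="$1" -F': ' '
        $1 == feat { split($2, a, " "); print a[1]; found = 1 }
        END { if (!found) print "unknown" }'
}

# offloads_to_disable < ethtool_k_output
# Prints the -K keys (gro and/or lro) whose feature is currently on.
offloads_to_disable() {
    input=$(cat)
    out=""
    for pair in generic-receive-offload:gro large-receive-offload:lro; do
        feat=${pair%%:*}
        key=${pair##*:}
        if [ "$(printf '%s\n' "$input" | offload_state "$feat")" = "on" ]; then
            out="$out $key"
        fi
    done
    printf '%s\n' "${out# }"
}

# check_interface IFACE
# Queries the real NIC; prints the ethtool -K commands still needed.
# Run the printed commands as root (or pipe this function into sh).
check_interface() {
    iface=$1
    keys=$(ethtool -k "$iface" | offloads_to_disable)
    if [ -z "$keys" ]; then
        echo "# $iface: GRO and LRO already off"
        return 0
    fi
    for k in $keys; do
        echo "ethtool -K $iface $k off"
    done
}

# Demo on the constructed sample (LRO is already off, so only gro is listed).
printf '%s\n' "$SAMPLE_ETHTOOL_K" | offloads_to_disable   # gro
```

Keeping the LRO and GRO keys in one list makes it easy to extend to other offloads if a driver turns out to merge frames under a different feature name; the parsing does not change.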