[Snort-users] Re: [Snort-devel] Snort 1.8 status update

Gee-Clough, Aaron Aaron.Gee-Clough at ...390...
Sun Apr 22 15:25:46 EDT 2001


Thank you, Marty.  It'll be very useful.

I looked into vlan tag filtering earlier, as I was playing with the CVS
version that supported vlan tags, and I learned that the newest version of
libpcap allows a bpf filter for 802.1q tags.  The filter is, predictably,
"vlan".  Ie, you can run snort with (on Solaris) 
"snort <insert command line options here> vlan 4" to get just vlan 4
traffic.  Mind, this required me to upgrade to libpcap 0.6.2, but it was
time for me to do that, anyway.

That kinda filtering is enough for me.  Since I'd like to have different
sets of rules for each vlan, I'll just launch different instances of snort
for each vlan.

Aaron


-----Original Message-----
From: Martin Roesch
To: Scott A. McIntyre
Cc: snort-dev; snort-users
Sent: 4/21/01 11:28 AM
Subject: [Snort-users] Re: [Snort-devel] Snort 1.8 status update

I added 802.1q protocol decoding/support on Wednesday, so I think you're
all set.  Filtering on vlan tags hasn't been implemented, but I suppose
I could do something like that if I get the chance.  No promises, but
I'll look at it...

    -Marty

"Scott A. McIntyre" wrote:
> 
> Wow, looks like a lot has made it into 1.8 -- well done all!
> 
> I don't suppose there is any chance of proper vlan support wiggling
its
> way into 1.8?  Just the ability to be able to recognize vlan trunked
> traffic for what it was, stripping off the appropriate bytes from the
> ethernet frames would help a lot, but being able to filter based on
vlan
> ID's would also be pretty cool too.
> 
> scott
> 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> http://lists.sourceforge.net/lists/listinfo/snort-devel

--
Martin Roesch
roesch at ...48...
http://www.snort.org

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




More information about the Snort-devel mailing list