[Snort-devel] VLAN tagging

Keith R Kilby krkilby at ...1875...
Mon Mar 31 04:18:38 EST 2003


Success! I have got snort to run in both modes looking at the VLANs.

snort <args here> -i eth1 vlan 1  {This method certainly strips and reports only those packets with a vlan tag of 1 from eth1 running in promiscuous mode.}

However, better still, with a fully configured VLAN on eth1.1001 (note this is a period between eth1 and 1001). This was done using insmod 8021q with a Redhat linux 2.4.14 kernel and vconfig, and snort configured:

snort -b -l /var/log/snort/ -c /root/snort/snort.conf -i eth1.1001

The system will now properly identify events on that VLAN.

Unfortunately the security guys here won't let me send you the tcpdump file, sorry about that, but snort is correctly identifying and using the VLAN identifiers on both snort 1.9.1 build 231 and 2rc1 build 61.

regards and thanks
Keith



Chris Green wrote:

>Keith R Kilby <krkilby at ...1875...> writes:
>
>>Chris
>>
>>Sorry for late reply working funny hours at the moment.
>>
>>Yes will do when I get the network back for testing.
>>
>>The other point is that eth1:1 is a physical interface whereas eth1.1
>>should be the VLAN.
>
>Snort only works on real interfaces.
>
>
>>What I want to do is run several instances of SNORT for different
>>VLANs. Different alert and logging files.
>
>We do not support this currently in snort.  After digging in
>snort-users archive, it seems you can do this yourself by adding
>
>snort <args here> -i eth1 vlan 1
>
>for the bpf filter if you have pcap >= 0.6.2
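Added example, not from this thread or from the Snort project: a small Python parser over a constructed 802.1Q frame (VLAN ID 1001) that shows the difference between the two capture modes discussed above. On raw eth1 the frame still carries its 4-byte tag, which is what a BPF filter such as `vlan 1001` keys on; on the 8021q sub-interface eth1.1001 the tag has already been stripped, so Snort sees a plain Ethernet/IP frame. The MAC addresses and payload are placeholders.

```python
import struct

# Constructed sample frame (placeholder MACs): dst MAC, src MAC, 802.1Q tag
# carrying VLAN ID 1001, then an IPv4 EtherType and an empty dummy payload.
TAGGED_FRAME = (
    bytes.fromhex("00112233445566778899aabb")            # dst / src MAC
    + bytes.fromhex("8100")                              # TPID: 802.1Q tagged
    + struct.pack("!H", (0 << 13) | (0 << 12) | 1001)    # TCI: PCP=0, DEI=0, VID=1001
    + bytes.fromhex("0800")                              # inner EtherType: IPv4
    + bytes(20)                                          # dummy payload
)


def parse_dot1q(frame):
    """Return (vlan_id, inner_ethertype) for a tagged frame, or
    (None, ethertype) for an untagged one. This is the view Snort gets
    when it captures directly on eth1."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x8100:
        return None, ethertype
    tci = struct.unpack("!H", frame[14:16])[0]
    vid = tci & 0x0FFF                 # low 12 bits of the TCI
    inner = struct.unpack("!H", frame[16:18])[0]
    return vid, inner


def strip_dot1q(frame):
    """Drop the 4-byte tag, producing the frame that a VLAN sub-interface
    such as eth1.1001 hands to Snort once the 8021q module has consumed it."""
    vid, _ = parse_dot1q(frame)
    if vid is None:
        return frame
    return frame[:12] + frame[16:]


def matches_bpf_vlan(frame, vlan_id):
    """Same decision the BPF primitive 'vlan <id>' makes on a raw eth1
    capture: accept only tagged frames whose VID equals vlan_id."""
    vid, _ = parse_dot1q(frame)
    return vid == vlan_id
```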