[Snort-devel] Re: vlan filter

Eric Lauzon eric.lauzon at ...1967...
Fri Apr 29 13:30:04 EDT 2005


Instead of patching snort with vlan, I would rather recommend
adding support for vlan to your kernel (assuming you run Linux, *BSD),
then creating an alias interface for that vlan (with Linux vconfig).

I am sure *BSD has the equivalent tools. Then bind the instance of
snort to that interface.

Eric Lauzon
[Recherche & Développement]
Above Sécurité / Above Security
Tél  : (450) 430-8166
Fax : (450) 430-1858 

 

> -----Original Message-----
> From: snort-devel-admin at lists.sourceforge.net 
> [mailto:snort-devel-admin at lists.sourceforge.net] On Behalf Of 
> Matt Bell
> Sent: 28 avril 2005 13:29
> To: snort-devel at lists.sourceforge.net
> Subject: [Snort-devel] Re: vlan filter
> 
> 
> Hi,
> 
> Forgot to mention how one would use this. In Pass/Alert/Log 
> mode I add a rule to the top of my snort.rules file:
> 
> pass tcp any any -> any any (vlan:12;)
> 
> Now I don't have to worry about snort matching on tcp packets 
> tagged with vlanid = 12. Please let me know what you think, 
> I'm not on this mailing list so CC me on response.
> 
> -Matt
> 
> 
> On Thu, 28 Apr 2005, Matt Bell wrote:
> 
> > 
> > Hi,
> > 
> > I'm running the latest version of snort 2.3.3 and am monitoring a 
> > tagged trunk but wanted snort to ignore all packets in certain vlans. 
> > I wrote a detection plugin that allows me to filter out these 
> > particular packets.
> > Attached is a patch of the plugin against the latest src. 
> > 
> > -Matt
> > 
> 
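What "tagged with vlanid = 12" means at the frame level, as an added example (not Matt's plugin and not Snort code): reading the 802.1Q tag on a trunk frame and deciding whether a sensor should skip it. The function names, the ignore set and the sample frames are constructed for illustration.

```python
import struct

ETH_P_8021Q = 0x8100  # IEEE 802.1Q tag protocol identifier (TPID)

def vlan_id(frame: bytes):
    """Return the 802.1Q VLAN ID of an Ethernet frame, or None if untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETH_P_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF  # low 12 bits are the VID; top 4 bits are PCP/DEI

def should_inspect(frame: bytes, ignored_vlans) -> bool:
    """False for frames tagged with a VLAN the sensor was told to ignore."""
    return vlan_id(frame) not in ignored_vlans

def build_frame(vid=None, pcp=0) -> bytes:
    """Constructed sample frame: zeroed MACs, IPv4 ethertype, dummy payload."""
    macs = b"\x00" * 12
    tag = b"" if vid is None else struct.pack("!HH", ETH_P_8021Q, (pcp << 13) | vid)
    return macs + tag + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 19

IGNORED = {12}  # VLAN 12, as in the rule quoted above
SAMPLES = {  # constructed frames, not captured traffic
    "untagged": build_frame(),
    "vlan 12": build_frame(12, pcp=5),  # priority bits set, VID still 12
    "vlan 30": build_frame(30),
}

def run_samples():
    """Map each sample name to True (inspect) or False (skip)."""
    return {name: should_inspect(f, IGNORED) for name, f in SAMPLES.items()}

if __name__ == "__main__":
    for name, inspect in run_samples().items():
        print(f"{name}: {'inspect' if inspect else 'skip'}")
```

Masking with 0x0FFF matters: a frame on VLAN 12 with priority bits set carries a TCI of 0xA00C, so comparing the whole 16-bit field against 12 would miss it.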



