[Snort-devel] Re: vlan filter

Matt Bell mtbell at ...2755...
Mon May 2 10:56:11 EDT 2005


Eric,

My particular setup requires me to look at tagged frames. I'm using vlans
to create a vlan-based quarantine environment and via the particular tap I
have in place (Endace DAG card) multiple vlans are being monitored at the
same time. I would like snort to monitor certain vlans and ignore others,
the others being the vlans representing the quarantine environment. Creating
an alias interface for each vlan would allow me to watch a single vlan, thus
multiple aliases and multiple sensors would need to be utilized.

-Matt


On Fri, 29 Apr 2005, Eric Lauzon wrote:

> Instead of patching snort with vlan, I would rather recommend
> to add support for vlan to your kernel (assuming you run linux, *BSD)
> then create an alias interface for that vlan (with linux vconfig).
> 
> I am sure BSD* has the equivalent tools, and then bind the instance of
> snort to that interface.
> 
> Eric Lauzon
> [Research & Development]
> Above Sécurité / Above Security
> Tel  : (450) 430-8166
> Fax : (450) 430-1858 
> 
>  
> 
> > -----Original Message-----
> > From: snort-devel-admin at lists.sourceforge.net 
> > [mailto:snort-devel-admin at lists.sourceforge.net] On Behalf Of 
> > Matt Bell
> > Sent: 28 April 2005 13:29
> > To: snort-devel at lists.sourceforge.net
> > Subject: [Snort-devel] Re: vlan filter
> > 
> > 
> > Hi,
> > 
> > Forgot to mention how one would use this. In Pass/Alert/Log 
> > mode I add a rule to the top of my snort.rules file:
> > 
> > pass tcp any any -> any any (vlan:12;)
> > 
> > Now I don't have to worry about snort matching on tcp packets 
> > tagged with vlanid = 12. Please let me know what you think, 
> > I'm not on this mailing list so CC me on response.
> > 
> > -Matt
> > 
> > 
> > On Thu, 28 Apr 2005, Matt Bell wrote:
> > 
> > > 
> > > Hi,
> > > 
> > > I'm running the latest version of snort 2.3.3 and am monitoring a 
> > > tagged trunk but wanted snort to ignore all packets in certain vlans. 
> > > I wrote a detection plugin that allows me to filter out these
> > > particular packets.
> > > Attached is a patch of the plugin against the latest src. 
> > > 
> > > -Matt
> > > 
> > 
> 
> 
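
Added example (not part of the original messages and not the patch attached to them): the thread is about ignoring frames by 802.1Q VLAN ID on a tagged trunk, and this C code reads the VLAN ID from a raw Ethernet frame and checks it against an ignore list. The function names and sample frames are constructed for illustration, and only single-tagged frames (TPID 0x8100) are handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETHERTYPE_8021Q 0x8100  /* IEEE 802.1Q tag protocol identifier */

/* Return the 12-bit VLAN ID of an Ethernet frame, or -1 if the frame is
 * untagged or too short to hold a complete 802.1Q tag. */
int frame_vlan_id(const uint8_t *frame, size_t len)
{
    /* 6 dst MAC + 6 src MAC + 2 TPID + 2 TCI = 16 bytes minimum */
    if (frame == NULL || len < 16)
        return -1;
    uint16_t tpid = (uint16_t)((frame[12] << 8) | frame[13]);
    if (tpid != ETHERTYPE_8021Q)
        return -1;
    uint16_t tci = (uint16_t)((frame[14] << 8) | frame[15]);
    return tci & 0x0FFF;  /* drop the 3 priority bits and the DEI bit */
}

/* Return 1 if the frame is tagged with one of the VLAN IDs in ignore[]. */
int frame_is_ignored(const uint8_t *frame, size_t len,
                     const uint16_t *ignore, size_t n_ignore)
{
    int vid = frame_vlan_id(frame, len);
    if (vid < 0) return 0;  /* untagged frames are always inspected */
    for (size_t i = 0; i < n_ignore; i++)
        if (ignore[i] == (uint16_t)vid)
            return 1;
    return 0;
}

/* Constructed sample frames: zeroed MACs, then tag and/or EtherType. */
static const uint8_t TAGGED_VLAN12[18] = {  /* TCI 0xA00C: priority 5, VID 12 */
    0,0,0,0,0,0, 0,0,0,0,0,0, 0x81,0x00, 0xA0,0x0C, 0x08,0x00 };
static const uint8_t UNTAGGED_IPV4[14] = {
    0,0,0,0,0,0, 0,0,0,0,0,0, 0x08,0x00 };

int main(void)
{
    const uint16_t quarantine[] = { 12 };  /* constructed ignore list */
    printf("tagged:   vid=%d ignored=%d\n",
           frame_vlan_id(TAGGED_VLAN12, sizeof TAGGED_VLAN12),
           frame_is_ignored(TAGGED_VLAN12, sizeof TAGGED_VLAN12, quarantine, 1));
    printf("untagged: vid=%d ignored=%d\n",
           frame_vlan_id(UNTAGGED_IPV4, sizeof UNTAGGED_IPV4),
           frame_is_ignored(UNTAGGED_IPV4, sizeof UNTAGGED_IPV4, quarantine, 1));
    return 0;
}
```

The sample tag carries a non-zero priority field, so the 0x0FFF mask is what keeps the comparison on the VLAN ID alone.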
