[Snort-users] snort on inter-switch trunk (ISL, 802.1q) mirrors?

Richard Johnson rdump at ...1195...
Tue Jan 23 17:23:08 EST 2001


Is anyone using snort listening promiscuously on 802.1q devices like vlan0 on
OpenBSD yet?

Inter-switch trunks are the only spot I've got for watching the majority of
traffic across a DS3.  I'd really like to cover that WAN link rather than
virtually hop sensors around the building to take more limited samples of
segregated VLANs.  This means I need an IDS that can pay attention to all
traffic on an inter-switch trunk, regardless of VLAN ID.

Can snort use the vlan driver to listen promiscuously to all 802.1q frames
with VLAN IDs & tags [1] passing by?  I don't care about the VLAN IDs
themselves -- I just want to ignore them.  Is the answer as simple :-) as
hacking a promiscuous mode into the vlan driver?


Richard

[1] 
Picture at:
  <http://www.3com.com/technology/tech_net/tech_briefs/500908a.html>,
linked from:
  <http://www.3com.com/technology/tech_net/tech_briefs/500908.html>.
Standard draft 9 at:
  <http://www.ieee802.org/1/pages/802.1Q.html> if you have a login (I don't).






