[Snort-users] snort on inter-switch trunk (ISL, 802.1q) mirrors?
rdump at ...1195...
Tue Jan 23 17:23:08 EST 2001
-----BEGIN PGP SIGNED MESSAGE-----
Is anyone using snort listening promiscuously on 802.1q devices like vlan0 on
Inter-switch trunks are the only spot I've got for watching the majority of
traffic across a DS3. I'd really like to cover that WAN link rather than
virtually hop sensors around the building to take more limited samples of
segregated VLANs. This means I need an IDS that can pay attention to all
traffic on an inter-switch trunk, regardless of VLAN ID.
Can snort use the vlan driver to listen promiscuously to all 802.1q frames
with VLAN IDs & tags  passing by? I don't care about the VLAN IDs
themselves -- I just want to ignore them. Is the answer as simple :-) as
hacking a promiscuous mode into the vlan driver?
Standard draft 9 at:
<http://www.ieee802.org/1/pages/802.1Q.html> if you have a login (I don't).
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0
-----END PGP SIGNATURE-----
More information about the Snort-users