[Snort-users] snort on inter-switch trunk (ISL, 802.1q) mirrors?
ryan at ...35...
Tue Jan 23 18:19:16 EST 2001
On Tue, 23 Jan 2001, Richard Johnson wrote:
> Is anyone using snort listening promiscuously on 802.1q devices like vlan0 on
> OpenBSD yet?
> Inter-switch trunks are the only spot I've got for watching the majority of
> traffic across a DS3. I'd really like to cover that WAN link rather than
> virtually hop sensors around the building to take more limited samples of
> segregated VLANs. This means I need an IDS that can pay attention to all
> traffic on an inter-switch trunk, regardless of VLAN ID.
I can't actually help you out with your request, but I'm curious...
By vlan support, you mean you want to limit monitoring to just a set of
vlans, and not everything else? Or you want to monitor a trunk line, and
ignore the vlan tags? If it's the latter (as your note makes it sound)
then you wouldn't use a vlan interface. You'd want some sort of hack to
drop the vlan tags at the end...
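An added illustration of the "drop the vlan tags" idea in the reply above; it is not part of the original message and is not Snort's code. It removes 802.1Q tags (TPID 0x8100) from a captured Ethernet frame so a decoder that expects untagged frames sees the inner EtherType, while keeping the VLAN ID for alert context. It does not handle ISL encapsulation; all names and the sample frame are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAC_ADDRS_LEN 12      /* destination MAC + source MAC */
#define VLAN_TAG_LEN  4       /* TPID (2 bytes) + TCI (2 bytes) */
#define TPID_8021Q    0x8100u

struct stripped {
    size_t   len;        /* frame length after stripping, 0 if truncated */
    int      vlan_id;    /* VID of the outermost tag, -1 if untagged */
    unsigned ethertype;  /* EtherType the decoder will now see */
};

/* Remove every leading 802.1Q tag from an Ethernet frame, in place. */
struct stripped strip_vlan_tags(uint8_t *f, size_t len)
{
    struct stripped r = { 0, -1, 0 };
    if (len < MAC_ADDRS_LEN + 2) return r;     /* no room for an EtherType */
    while ((((unsigned)f[12] << 8) | f[13]) == TPID_8021Q) {
        if (len < MAC_ADDRS_LEN + VLAN_TAG_LEN + 2) return r;  /* cut-off tag */
        if (r.vlan_id < 0) r.vlan_id = ((f[14] & 0x0f) << 8) | f[15];
        /* Slide the inner EtherType and payload over the 4-byte tag. */
        memmove(f + MAC_ADDRS_LEN, f + MAC_ADDRS_LEN + VLAN_TAG_LEN,
                len - MAC_ADDRS_LEN - VLAN_TAG_LEN);
        len -= VLAN_TAG_LEN;
    }
    r.len = len;
    r.ethertype = ((unsigned)f[12] << 8) | f[13];
    return r;
}

/* Constructed sample: broadcast frame, VLAN 100, priority 1, EtherType IPv4. */
static const uint8_t sample_tagged[] = {
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff,  0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
    0x81, 0x00, 0x20, 0x64,  0x08, 0x00,  0x45, 0x00, 0x00, 0x14
};

struct stripped strip_sample(void)   /* works on a copy of the sample */
{
    uint8_t copy[sizeof sample_tagged];
    memcpy(copy, sample_tagged, sizeof copy);
    return strip_vlan_tags(copy, sizeof copy);
}

int main(void)
{
    struct stripped r = strip_sample();
    printf("len=%zu vlan=%d ethertype=0x%04x\n", r.len, r.vlan_id, r.ethertype);
}
```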