[Snort-users] snort on inter-switch trunk (ISL, 802.1q) mirrors?

Ryan Russell ryan at ...35...
Tue Jan 23 18:19:16 EST 2001


On Tue, 23 Jan 2001, Richard Johnson wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Is anyone using snort listening promiscuously on 802.1q devices like vlan0 on
> OpenBSD yet?
>
> Inter-switch trunks are the only spot I've got for watching the majority of
> traffic across a DS3.  I'd really like to cover that WAN link rather than
> virtually hop sensors around the building to take more limited samples of
> segregated VLANs.  This means I need an IDS that can pay attention to all
> traffic on an inter-switch trunk, regardless of VLAN ID.
>

I can't actually help you out with your request, but I'm curious...

By vlan support, you mean you want to limit monitoring to just a set of
vlans, and not everything else?  Or you want to monitor a trunk line, and
ignore the vlan tags?  If it's the latter (as your note makes it sound)
then you wouldn't use a vlan interface.  You'd want some sort of hack to
drop the vlan tags at the end...

					Ryan
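
An added example, not part of the message above or of Snort's own code: one way to do the "drop the vlan tags" step on frames captured from an 802.1Q trunk, so each frame decodes as plain Ethernet while the VLAN ID is kept for reporting. The function name `strip_dot1q` and the sample frame are constructed for illustration; stacked tags are handled as a generalization, and ISL encapsulation is not handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ADDRS_LEN 12      /* destination MAC + source MAC */
#define ETH_HDR_LEN   14      /* addresses + EtherType */
#define VLAN_TAG_LEN  4       /* TPID (2 bytes) + TCI (2 bytes) */
#define TPID_8021Q    0x8100

/* Constructed sample: VLAN 100, priority 1, carrying the start of an IPv4 header. */
uint8_t sample_tagged[] = {
    0x02,0x00,0x00,0x00,0x00,0x01,  0x02,0x00,0x00,0x00,0x00,0x02,
    0x81,0x00, 0x20,0x64,           /* 802.1Q tag: TPID, TCI */
    0x08,0x00,                      /* encapsulated EtherType: IPv4 */
    0x45,0x00,0x00,0x1c
};

/* Remove every leading 802.1Q tag in place so the frame decodes as plain
 * Ethernet. Records up to cap VLAN IDs (outermost first) in vids and the
 * number of tags seen in *ntags. Returns the new length, or 0 if the frame
 * is too short to hold what its headers claim. */
size_t strip_dot1q(uint8_t *frame, size_t len,
                   uint16_t *vids, size_t cap, size_t *ntags)
{
    *ntags = 0;
    if (len < ETH_HDR_LEN)
        return 0;
    while (((frame[12] << 8) | frame[13]) == TPID_8021Q) {
        if (len < ETH_HDR_LEN + VLAN_TAG_LEN)
            return 0;               /* tag announced but cut short */
        if (*ntags < cap)           /* low 12 bits of the TCI are the VLAN ID */
            vids[*ntags] = (uint16_t)(((frame[14] << 8) | frame[15]) & 0x0FFF);
        (*ntags)++;
        memmove(frame + ETH_ADDRS_LEN, frame + ETH_ADDRS_LEN + VLAN_TAG_LEN,
                len - ETH_ADDRS_LEN - VLAN_TAG_LEN);
        len -= VLAN_TAG_LEN;
    }
    return len;
}

int main(void)
{
    uint16_t vid = 0;
    size_t n = 0;
    size_t len = strip_dot1q(sample_tagged, sizeof sample_tagged, &vid, 1, &n);
    printf("len=%zu tags=%zu vlan=%u ethertype=%02x%02x\n",
           len, n, (unsigned)vid, sample_tagged[12], sample_tagged[13]);
    return 0;
}
```

Keeping the recovered VLAN ID alongside the frame matters on a trunk, because the same IP addresses can appear in more than one VLAN.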




