[Snort-users] snort on inter-switch trunk (ISL, 802.1q) mirrors?

Dave Ryan dave at ...1192...
Tue Jan 23 18:19:19 EST 2001


> Inter-switch trunks are the only spot I've got for watching the majority of
> traffic across a DS3.  I'd really like to cover that WAN link rather than
> virtually hop sensors around the building to take more limited samples of
> segregated VLANs.  This means I need an IDS that can pay attention to all
> traffic on an inter-switch trunk, regardless of VLAN ID.
> Can snort use the vlan driver to listen promiscuously to all 802.1q frames
> with VLAN IDs & tags [1] passing by?  I don't care about the VLAN IDs
> themselves -- I just want to ignore them.  Is the answer as simple :-) as
> hacking a promiscuous mode into the vlan driver?

I'm not sure if I understand you 100%, let me know more details and I might be able to shed some light..

Possible solution (unless I've misunderstood):

If you want to monitor traffic coming across an ISL onto a core switch (I'm making a lot of assumptions here but it's flexible enough ;)
you could simply configure the core switch to span all traffic to a span port, or as the case may be with high loads to split the traffic across multiple span ports for subsets of VLANs, hanging a snort agent off each one (that also depends on the available port density of your core switch fabric but hey I'm making assumptions).

Expand more and I might be able to offer something more substantial.

Also I don't understand the connection between the DS3 and the ISL, unless we are talking about an ISL from a boundary router to your core switch, either way the above suggestion should work.

> Richard

-- 
Dave Ryan 				Default Security
http://www.default.org.uk/~dave		dave at ...1192...

GnuPG Key:      http://www.default.org.uk/~dave/gpgkey.asc
Fingerprint:    F418 C882 FF03 82A0 A99A  2720 669C E8C3 44B8 2A0F
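As an added example, not code from this thread or from Snort: what a sensor hanging off a trunk mirror has to do with the frames it sees, namely walk the 802.1q (and stacked 802.1ad) tags, discard the VLAN IDs and hand the inner payload to inspection, plus a per-VLAN frame count to check that the span port really delivers every VLAN. The frame builder and the MAC addresses are constructed for illustration.

```python
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1q customer tag
ETHERTYPE_QINQ = 0x88A8   # 802.1ad service tag (stacked / QinQ)
TAG_ETHERTYPES = {ETHERTYPE_VLAN, ETHERTYPE_QINQ}


def strip_vlan_tags(frame: bytes):
    """Return (vlan_ids, inner_ethertype, payload) for one Ethernet frame.

    Walks any number of stacked tags so the caller can inspect the payload
    regardless of which VLAN the frame rode in on. Raises ValueError on a
    frame too short to hold the headers it claims to carry.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    vlan_ids = []
    while ethertype in TAG_ETHERTYPES:
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1q tag")
        # TCI (PCP/DEI/VID) followed by the next ethertype or TPID
        tci, ethertype = struct.unpack("!HH", frame[offset:offset + 4])
        vlan_ids.append(tci & 0x0FFF)   # low 12 bits of the TCI = VLAN ID
        offset += 4
    return vlan_ids, ethertype, frame[offset:]


def frames_per_vlan(frames):
    """Count frames by outermost VLAN ID (None for untagged): a quick sanity
    check that a span port is forwarding all VLANs on the trunk, not one."""
    counts = {}
    for f in frames:
        vids, _, _ = strip_vlan_tags(f)
        key = vids[0] if vids else None
        counts[key] = counts.get(key, 0) + 1
    return counts


def build_tagged_frame(vlan_ids, inner_ethertype, payload):
    """Constructed sample frame: placeholder MACs, optional stacked tags."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    for i, vid in enumerate(vlan_ids):
        # outer tag of a stacked pair uses the 802.1ad TPID
        tpid = ETHERTYPE_QINQ if (len(vlan_ids) > 1 and i == 0) else ETHERTYPE_VLAN
        hdr += struct.pack("!HH", tpid, vid & 0x0FFF)
    return hdr + struct.pack("!H", inner_ethertype) + payload
```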
