[Snort-users] snort on inter-switch trunk (ISL, 802.1q) mirrors?
dave at ...1192...
Tue Jan 23 18:19:19 EST 2001
-----BEGIN PGP SIGNED MESSAGE-----
> Inter-switch trunks are the only spot I've got for watching the majority of
> traffic across a DS3. I'd really like to cover that WAN link rather than
> virtually hop sensors around the building to take more limited samples of
> segregated VLANs. This means I need an IDS that can pay attention to all
> traffic on an inter-switch trunk, regardless of VLAN ID.
> Can snort use the vlan driver to listen promiscuously to all 802.1q frames
> with VLAN IDs & tags passing by? I don't care about the VLAN IDs
> themselves -- I just want to ignore them. Is the answer as simple :-) as
> hacking a promiscuous mode into the vlan driver?
I'm not sure if I understand you 100%; let me know more details and I might be able to shed some light.
Possible solution (unless I've misunderstood):
If you want to monitor traffic coming across an ISL onto a core switch (I'm making a lot of assumptions here but it's flexible enough ;)
you could simply configure the core switch to span all traffic to a span port, or, as the case may be with high loads, to split the traffic across multiple span ports for subsets of VLANs, hanging a snort agent off each one (that also depends on the available port density of your core switch fabric, but hey, I'm making assumptions).
Expand more and I might be able to offer something more substantial.
Also I don't understand the connection between the DS3 and the ISL, unless we are talking about an ISL from a boundary router to your core switch; either way the above suggestion should work.
Dave Ryan Default Security
http://www.default.org.uk/~dave dave at ...1192...
GnuPG Key: http://www.default.org.uk/~dave/gpgkey.asc
Fingerprint: F418 C882 FF03 82A0 A99A 2720 669C E8C3 44B8 2A0F
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (OpenBSD)
Comment: For info see http://www.gnupg.org
-----END PGP SIGNATURE-----
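On the quoted question of watching 802.1Q-tagged frames on a mirrored trunk while ignoring the VLAN IDs, here is an added example (not part of the original post and not Snort code) that skips any 802.1Q tags in an Ethernet II frame so the inner EtherType and payload can be inspected the same way for every VLAN. The function name and the sample frames are constructed for illustration; ISL encapsulation is not handled.

```python
import struct

TPID_8021Q = 0x8100  # IEEE 802.1Q tag protocol identifier


def strip_vlan_tags(frame: bytes):
    """Return (vlan_ids, ethertype, payload) for an Ethernet II frame.

    Any 802.1Q tags (including stacked ones) are skipped, so a sensor on a
    trunk mirror can apply the same inspection whatever the VLAN ID is.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12                          # skip destination + source MAC
    vlan_ids = []
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype == TPID_8021Q:
        if len(frame) < offset + 6:      # TPID + TCI + inner EtherType
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlan_ids.append(tci & 0x0FFF)    # low 12 bits of the TCI = VLAN ID
        offset += 4                      # step over the 4-byte tag
        (ethertype,) = struct.unpack_from("!H", frame, offset)
    return vlan_ids, ethertype, frame[offset + 2:]


# Constructed sample frames (not captured traffic).
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("020000000001")
PAYLOAD = b"constructed-ip-payload"
UNTAGGED = DST + SRC + struct.pack("!H", 0x0800) + PAYLOAD
# Priority 5, VLAN 42 in the tag control information field.
TAGGED = DST + SRC + struct.pack("!HH", TPID_8021Q, (5 << 13) | 42) \
    + struct.pack("!H", 0x0800) + PAYLOAD

if __name__ == "__main__":
    for name, frame in (("untagged", UNTAGGED), ("tagged", TAGGED)):
        vlans, etype, payload = strip_vlan_tags(frame)
        print(f"{name}: vlans={vlans} ethertype=0x{etype:04x} payload={payload!r}")
```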