[Snort-users] snort on inter-switch trunk (ISL, 802.1q) mirrors?
jdiehl at ...817...
Tue Jan 23 18:49:58 EST 2001
I've seen Linux patches for ISL support. They need a 2.0.x kernel if I
remember correctly. This should do what you want. However, your DS3 is
155Mb. I assume you have a GigE interface? Otherwise, even a 100Mb may
drop packets now and then. If you need help finding this patch, lemme know.
From: Ryan Russell
To: Richard Johnson
Cc: snort-users at lists.sourceforge.net
Sent: 1/23/01 4:19 PM
Subject: Re: [Snort-users] snort on inter-switch trunk (ISL, 802.1q)
On Tue, 23 Jan 2001, Richard Johnson wrote:
> Is anyone using snort listening promiscuously on 802.1q devices like
> OpenBSD yet?
> Inter-switch trunks are the only spot I've got for watching the
> traffic across a DS3. I'd really like to cover that WAN link rather than
> virtually hop sensors around the building to take more limited samples of
> segregated VLANs. This means I need an IDS that can pay attention to
> traffic on an inter-switch trunk, regardless of VLAN ID.
I can't actually help you out with your request, but I'm curious...
By vlan support, you mean you want to limit monitoring to just a set of
vlans, and not everything else? Or you want to monitor a trunk line, and
ignore the vlan tags? If it's the latter (as your note makes it sound)
then you wouldn't use a vlan interface. You'd want some sort of hack to
drop the vlan tags at the end...
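The idea raised in the thread, dropping the VLAN tags so the sensor sees traffic regardless of VLAN ID, is shown below as an added example; it is not code from the thread's participants or from Snort. It handles 802.1Q tags only (not ISL encapsulation), and the function names and sample frames are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


def strip_vlan_tags(frame: bytes):
    """Return (vlan_ids, untagged_frame) for one Ethernet frame.

    Removes every leading 802.1Q tag (4 bytes each: TPID + TCI) that sits
    between the source MAC and the real EtherType. Untagged frames come
    back unchanged with an empty VLAN list.
    """
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    macs, offset, vlan_ids = frame[:12], 12, []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype != TPID_8021Q:
            break
        # A tag needs TPID + TCI plus the EtherType that follows it.
        if len(frame) < offset + 6:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlan_ids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4
    return vlan_ids, macs + frame[offset:]


def sample_frame(vlan_id=None):
    """Constructed test frame: broadcast dst, local src, IPv4 EtherType."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("020000000001")
    tag = b""
    if vlan_id is not None:
        # Priority 5 in the top 3 bits, VLAN ID in the low 12 bits.
        tag = struct.pack("!HH", TPID_8021Q, (5 << 13) | vlan_id)
    payload = bytes.fromhex("4500001c") + bytes(24)  # constructed bytes
    return dst + src + tag + struct.pack("!H", 0x0800) + payload


if __name__ == "__main__":
    for vid in (None, 10, 200):
        ids, inner = strip_vlan_tags(sample_frame(vid))
        print(f"VLANs {ids}: EtherType 0x{inner[12:14].hex()}, {len(inner)} bytes")
```

The returned VLAN IDs can be logged alongside an alert so that the segment a packet came from is not lost when the tag is removed.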