[Snort-users] snort on inter-switch trunk (ISL, 802.1q) mirrors?

Diehl, Jeffrey jdiehl at ...817...
Tue Jan 23 18:49:58 EST 2001


I've seen Linux patches for ISL support.  They need a 2.0.x kernel if I
remember correctly.  This should do what you want.  However, your DS3 is
155Mb.  I assume you have a GigE interface?  Otherwise, even a 100Mb may
drop packets now and then.  If you need help finding this patch, lemme know.

Mike Diehl.

-----Original Message-----
From: Ryan Russell
To: Richard Johnson
Cc: snort-users at lists.sourceforge.net
Sent: 1/23/01 4:19 PM
Subject: Re: [Snort-users] snort on inter-switch trunk (ISL, 802.1q) mirrors?

On Tue, 23 Jan 2001, Richard Johnson wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Is anyone using snort listening promiscuously on 802.1q devices like vlan0 on
> OpenBSD yet?
>
> Inter-switch trunks are the only spot I've got for watching the majority of
> traffic across a DS3.  I'd really like to cover that WAN link rather than
> virtually hop sensors around the building to take more limited samples of
> segregated VLANs.  This means I need an IDS that can pay attention to all
> traffic on an inter-switch trunk, regardless of VLAN ID.
>

I can't actually help you out with your request, but I'm curious...

By vlan support, you mean you want to limit monitoring to just a set of
vlans, and not everything else?  Or you want to monitor a trunk line, and
ignore the vlan tags?  If it's the latter (as your note makes it sound)
then you wouldn't use a vlan interface.  You'd want some sort of hack to
drop the vlan tags at the end...

					Ryan
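
Added example (not part of the thread and not Snort's own code): a minimal C routine for the approach discussed above, dropping 802.1Q tags from frames captured on a trunk so that a decoder sees ordinary Ethernet regardless of VLAN ID. The names `strip_dot1q` and `MAX_TAGS` and the sample frame are hypothetical, and ISL encapsulation is not handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ADDRS_LEN 12      /* destination MAC + source MAC */
#define TPID_8021Q    0x8100  /* EtherType value that marks an 802.1Q tag */
#define DOT1Q_TAG_LEN 4       /* 2-byte TPID + 2-byte TCI */
#define MAX_TAGS      2       /* assumption: allow at most two stacked tags */

/* Strip 802.1Q tags in place (hypothetical helper). Returns the new frame
 * length, or 0 if the frame is truncated or has more than MAX_TAGS tags.
 * *vlan_id gets the outermost VLAN ID, or -1 if the frame was untagged. */
size_t strip_dot1q(uint8_t *frame, size_t len, int *vlan_id)
{
    int tags = 0;
    *vlan_id = -1;
    for (;;) {
        if (len < ETH_ADDRS_LEN + 2)
            return 0;                        /* no room for an EtherType */
        unsigned type = ((unsigned)frame[12] << 8) | frame[13];
        if (type != TPID_8021Q)
            return len;                      /* untagged, or all tags removed */
        if (len < ETH_ADDRS_LEN + DOT1Q_TAG_LEN + 2 || tags == MAX_TAGS)
            return 0;                        /* truncated tag or nested too deep */
        if (tags == 0)                       /* TCI = 3-bit PCP, 1-bit DEI, 12-bit VID */
            *vlan_id = ((frame[14] & 0x0f) << 8) | frame[15];
        /* Slide the inner EtherType and payload over the 4-byte tag. */
        memmove(frame + ETH_ADDRS_LEN, frame + ETH_ADDRS_LEN + DOT1Q_TAG_LEN,
                len - ETH_ADDRS_LEN - DOT1Q_TAG_LEN);
        len -= DOT1Q_TAG_LEN;
        tags++;
    }
}

int main(void)
{
    /* Constructed sample: VLAN 100, priority 1, inner EtherType 0x0800 (IPv4). */
    uint8_t f[] = { 0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x11,0x22,0x33,0x44,0x55,
                    0x81,0x00, 0x20,0x64, 0x08,0x00, 0x45,0x00 };
    int vid;
    size_t n = strip_dot1q(f, sizeof f, &vid);
    printf("vlan=%d len=%zu ethertype=0x%02x%02x\n", vid, n, f[12], f[13]);
    return 0;
}
```

The VLAN ID is returned rather than discarded so a sensor can still record which VLAN an alert came from.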






