[Snort-users] snort on inter-switch trunk (ISL, 802.1q) mirrors?
roesch at ...421...
Wed Jan 24 01:20:54 EST 2001
I'd have to see what the DLT return value from libpcap is, but if it's a
supported type we'd have to write a layer 2 decoder for it (or modify
the existing DecodeEth() function) and test it out on a 802.1q capable
network. Anyone want to lend me a Catalyst 3500XL? :)
Dave Ryan wrote:
> > Inter-switch trunks are the only spot I've got for watching the majority of
> > traffic across a DS3. I'd really like to cover that WAN link rather than
> > virtually hop sensors around the building to take more limited samples of
> > segregated VLANs. This means I need an IDS that can pay attention to all
> > traffic on an inter-switch trunk, regardless of VLAN ID.
> > Can Snort use the vlan driver to listen promiscuously to all 802.1q frames
> > with VLAN IDs & tags passing by? I don't care about the VLAN IDs
> > themselves -- I just want to ignore them. Is the answer as simple :-) as
> > hacking a promiscuous mode into the vlan driver?
> I'm not sure if I understand you 100%; let me know more details and I might be able to shed some light.
> Possible solution (unless I've misunderstood):
> If you want to monitor traffic coming across an ISL onto a core switch (I'm making a lot of assumptions here, but it's flexible enough ;)
> you could simply configure the core switch to SPAN all traffic to a SPAN port, or, as the case may be with high loads, split the traffic across multiple SPAN ports for subsets of VLANs, hanging a Snort agent off each one (that also depends on the available port density of your core switch fabric, but hey, I'm making assumptions).
> Expand more and I might be able to offer something more substantial.
> Also, I don't understand the connection between the DS3 and the ISL, unless we are talking about an ISL from a boundary router to your core switch; either way the above suggestion should work.
> > Richard
> - --
> Dave Ryan Default Security
> http://www.default.org.uk/~dave dave at ...1192...
> GnuPG Key: http://www.default.org.uk/~dave/gpgkey.asc
> Fingerprint: F418 C882 FF03 82A0 A99A 2720 669C E8C3 44B8 2A0F
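As an added illustration of the layer-2 decoder Marty describes above (this is example code written for this page, not Snort's DecodeEth() or any other Snort source), the function below walks an Ethernet II frame and skips 802.1Q tags the way a trunk-port sniffer would need to. It assumes what libpcap reports on an Ethernet trunk port, i.e. DLT_EN10MB frames with the 0x8100 (or 0x88a8, QinQ) TPID sitting in the EtherType field; the names decode_eth, eth_decode_t and MAX_VLAN_DEPTH are mine, and the sample frames are constructed by hand rather than captured. It goes slightly beyond the single-tag case in the thread: it also handles stacked tags, masks the priority bits out of the TCI, and refuses truncated frames and tag stacks deeper than it is willing to follow, which is the kind of bounds checking a decoder on a sniffer interface needs.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* EtherType values seen in the 14-byte Ethernet header and inside each tag. */
#define ETHERTYPE_8021Q  0x8100  /* customer VLAN tag (C-TAG) */
#define ETHERTYPE_8021AD 0x88a8  /* service tag (S-TAG), the outer tag in QinQ */
#define ETHERTYPE_IPV4   0x0800
#define ETH_HDR_LEN      14
#define VLAN_TAG_LEN     4
#define MAX_VLAN_DEPTH   2       /* assumption: anything deeper than QinQ is rejected */

typedef struct {
    uint16_t ethertype;   /* innermost EtherType after all tags are stripped */
    size_t   l3_offset;   /* byte offset where the layer-3 header starts */
    int      vlan_depth;  /* number of 802.1Q/802.1ad tags skipped */
    uint16_t vlan_id;     /* outermost VLAN ID, 0 if the frame was untagged */
} eth_decode_t;

static uint16_t rd16be(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Decode an Ethernet II frame, skipping 802.1Q tags. Returns 0 on success,
 * -1 if the frame is truncated or carries more tags than MAX_VLAN_DEPTH. */
int decode_eth(const uint8_t *pkt, size_t len, eth_decode_t *out)
{
    size_t off = ETH_HDR_LEN;
    uint16_t type;

    out->ethertype = 0; out->l3_offset = 0; out->vlan_depth = 0; out->vlan_id = 0;
    if (len < off)
        return -1;                          /* runt: no complete Ethernet header */
    type = rd16be(pkt + 12);

    while (type == ETHERTYPE_8021Q || type == ETHERTYPE_8021AD) {
        if (out->vlan_depth >= MAX_VLAN_DEPTH)
            return -1;                      /* bound the loop: tag stacks are finite */
        if (len < off + VLAN_TAG_LEN)
            return -1;                      /* tag announced, but frame is cut off */
        if (out->vlan_depth == 0)           /* TCI layout: PCP(3) DEI(1) VID(12) */
            out->vlan_id = rd16be(pkt + off) & 0x0fff;
        type = rd16be(pkt + off + 2);       /* each tag carries the next EtherType */
        off += VLAN_TAG_LEN;
        out->vlan_depth++;
    }
    out->ethertype = type;
    out->l3_offset = off;
    return 0;
}

/* Field accessors; each returns -1 when decode_eth() rejects the frame. */
int inner_ethertype(const uint8_t *pkt, size_t len)
{ eth_decode_t d; return decode_eth(pkt, len, &d) ? -1 : (int)d.ethertype; }
int outer_vlan_id(const uint8_t *pkt, size_t len)
{ eth_decode_t d; return decode_eth(pkt, len, &d) ? -1 : (int)d.vlan_id; }
int l3_offset(const uint8_t *pkt, size_t len)
{ eth_decode_t d; return decode_eth(pkt, len, &d) ? -1 : (int)d.l3_offset; }
int tag_depth(const uint8_t *pkt, size_t len)
{ eth_decode_t d; return decode_eth(pkt, len, &d) ? -1 : d.vlan_depth; }

/* Constructed sample frames (hand-built, not captures). The MAC addresses are
 * placeholders; the trailing bytes are the start of an IPv4 header (0x45 ...). */
#define DST 0x00,0x11,0x22,0x33,0x44,0x55
#define SRC 0x66,0x77,0x88,0x99,0xaa,0xbb
static const uint8_t frame_untagged[]  = { DST, SRC, 0x08,0x00, 0x45,0x00,0x00,0x14 };
/* TCI 0x6064: priority 3, VLAN 100; the priority bits must be masked off. */
static const uint8_t frame_vlan100[]   = { DST, SRC, 0x81,0x00, 0x60,0x64, 0x08,0x00, 0x45,0x00,0x00,0x14 };
/* QinQ: S-TAG VLAN 200 outside a C-TAG VLAN 100. */
static const uint8_t frame_qinq[]      = { DST, SRC, 0x88,0xa8, 0x00,0xc8, 0x81,0x00, 0x00,0x64, 0x08,0x00, 0x45,0x00,0x00,0x14 };
/* A tag is announced, but the frame ends inside it. */
static const uint8_t frame_truncated[] = { DST, SRC, 0x81,0x00, 0x60 };
/* Three stacked tags: more than MAX_VLAN_DEPTH, so the decoder gives up. */
static const uint8_t frame_triple[]    = { DST, SRC, 0x88,0xa8, 0x00,0xc8, 0x81,0x00, 0x00,0x64, 0x81,0x00, 0x00,0x01, 0x08,0x00, 0x45 };

int main(void)
{
    const struct { const char *name; const uint8_t *pkt; size_t len; } frames[] = {
        { "untagged",  frame_untagged,  sizeof frame_untagged  },
        { "vlan100",   frame_vlan100,   sizeof frame_vlan100   },
        { "qinq",      frame_qinq,      sizeof frame_qinq      },
        { "truncated", frame_truncated, sizeof frame_truncated },
        { "triple",    frame_triple,    sizeof frame_triple    },
    };
    for (size_t i = 0; i < sizeof frames / sizeof frames[0]; i++) {
        eth_decode_t d;
        if (decode_eth(frames[i].pkt, frames[i].len, &d) != 0)
            printf("%-9s rejected\n", frames[i].name);
        else
            printf("%-9s tags=%d outer_vid=%u ethertype=0x%04x l3_offset=%zu\n",
                   frames[i].name, d.vlan_depth, d.vlan_id, d.ethertype, d.l3_offset);
    }
    return 0;
}
```

Two practical checks go with this. First, confirm with pcap_datalink() that the capture interface really hands back DLT_EN10MB frames with the tag still in place: on Linux that means sniffing the physical trunk interface, not a vlan sub-interface (the sub-interface has already had its tag removed), and some NICs and drivers strip the tag before libpcap sees it at all. Second, the loop is deliberately bounded; a decoder that follows tags until it finds a non-tag EtherType, with no depth limit and no length check, is exactly the kind of code that misbehaves on a crafted frame arriving on a span port.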