[Snort-users] snort on inter-switch trunk (ISL, 802.1q) mirrors?

Martin Roesch roesch at ...421...
Wed Jan 24 01:20:54 EST 2001

I'd have to see what the DLT return value from libpcap is, but if it's a
supported type we'd have to write a layer 2 decoder for it (or modify
the existing DecodeEth() function) and test it out on a 802.1q capable
network.  Anyone want to lend me a Catalyst 3500XL? :)


Dave Ryan wrote:
> Hash: SHA1
> >
> > Inter-switch trunks are the only spot I've got for watching the majority of
> > traffic across a DS3.  I'd really like to cover that WAN link rather than
> > virtually hop sensors around the building to take more limited samples of
> > segregated VLANs.  This means I need an IDS that can pay attention to all
> > traffic on an inter-switch trunk, regardless of VLAN ID.
> >
> > Can snort use the vlan driver to listen promiscuously to all 802.1q frames
> > with VLAN IDs & tags [1] passing by?  I don't care about the VLAN IDs
> > themselves -- I just want to ignore them.  Is the answer as simple :-) as
> > hacking a promiscuous mode into the vlan driver?
> im not sure if i understand you 100%, let me know more details and I might be able to shed some light..
> possible solution (unless ive misunderstood):
> if you want to monitor traffic coming accross an isl onto a core switch (im making alot of assumptions here but its flexible enough ;)
> you could simply configure the core switch to span all traffic to a span port, or as the case may be with high loads to split the traffic accross multiple span ports for subsets of vlans, hanging a snort agent off each one (tha also depends on the available port density of your core switch fabric but hey im making assumptions).
> expand more and I might be able to offer something more substantial.
> Also I dont understand the connection between the DS3 and the ISL, unless we are talking about an ISL from a boundry router to your core switch, either way the above suggestion should work.
> >
> >
> > Richard
> >
> Regards,
> Dave.
> - --
> Dave Ryan                               Default Security
> http://www.default.org.uk/~dave         dave at ...1192...
> GnuPG Key:      http://www.default.org.uk/~dave/gpgkey.asc
> Fingerprint:    F418 C882 FF03 82A0 A99A  2720 669C E8C3 44B8 2A0F
> Version: GnuPG v1.0.4 (OpenBSD)
> Comment: For info see http://www.gnupg.org
> iD8DBQE6bhF0Zpzow0S4Kg8RApu4AJ9YV/biKHP9SmIb84Y9ns4gjzIxggCeOoX+
> Xt1zli0C8PAcc+AxJpFErRk=
> =4vQ6
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users

Martin Roesch
roesch at ...421...

More information about the Snort-users mailing list