[Snort-users] 802.1q Monitoring
cmg at ...1935...
Fri Jun 6 07:44:09 EDT 2003
Bennett Todd <bet at ...6163...> writes:
> 2003-06-05T16:46:00 Ron Shuck:
>> Has anyone implemented or tried to monitor a 802.1q (trunked)
>> connection with Snort?
> If one snort config will work for all your vlans,
Extend DecodeVlan() to be able to decode what it finds in decode.c and
submit a patch to snort-devel and traffic captures of your trunked vlan.
Even if you don't have C skills, please send (at least me) a packet
capture of your trunked vlan.
Even if 1 snort config won't work for your vlans, you can use bpf to
filter by vlan id before it goes to snort and then run a separate
snort on each vlan.
Chris Green <cmg at ...1935...>
"Not everyone holds these truths to be self-evident, so we've worked
up a proof of them as Appendix A." -- Paul Prescod
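
Added example, not part of the original message and not Snort's code: a minimal C sketch of what decoding a single 802.1Q tag involves, and of the per-VLAN selection that a BPF expression such as "vlan 100" performs before the traffic reaches a sensor. The struct, function names and sample frames are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define ETH_HDR_LEN     14      /* dst MAC + src MAC + EtherType */
#define VLAN_TAG_LEN    4       /* TPID + TCI; shifts the real EtherType by 4 bytes */
#define ETHERTYPE_8021Q 0x8100  /* TPID value that marks an 802.1Q tag */

struct vlan_info {              /* hypothetical struct, not Snort's */
    int      tagged;            /* 1 if an 802.1Q tag is present */
    uint8_t  priority;          /* top 3 bits of the TCI */
    uint16_t vlan_id;           /* low 12 bits of the TCI */
    uint16_t inner_type;        /* EtherType of the encapsulated payload */
    size_t   payload_off;       /* where the layer-3 header starts */
};
/* Constructed frames: zeroed MACs, then VLAN 100 / priority 5 / IPv4, and plain IPv4. */
static const uint8_t SAMPLE_TAGGED[18]   = { [12] = 0x81, 0x00, 0xA0, 0x64, 0x08, 0x00 };
static const uint8_t SAMPLE_UNTAGGED[14] = { [12] = 0x08, 0x00 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 0 on success, -1 if the frame is too short to hold the headers it claims. */
int parse_vlan(const uint8_t *f, size_t len, struct vlan_info *out) {
    if (!f || !out || len < ETH_HDR_LEN) return -1;
    out->tagged = 0; out->priority = 0; out->vlan_id = 0;
    out->inner_type = rd16(f + 12);
    out->payload_off = ETH_HDR_LEN;
    if (out->inner_type != ETHERTYPE_8021Q) return 0;     /* untagged frame */
    if (len < ETH_HDR_LEN + VLAN_TAG_LEN) return -1;      /* truncated tag */
    uint16_t tci = rd16(f + 14);
    out->tagged = 1;
    out->priority = (uint8_t)(tci >> 13);
    out->vlan_id = tci & 0x0FFF;
    out->inner_type = rd16(f + 16);
    out->payload_off = ETH_HDR_LEN + VLAN_TAG_LEN;
    return 0;
}

/* Per-VLAN selection, like BPF "vlan <id>": 1 match, 0 no match, -1 malformed. */
int frame_on_vlan(const uint8_t *f, size_t len, uint16_t want) {
    struct vlan_info v;
    if (parse_vlan(f, len, &v) != 0) return -1;
    return v.tagged && v.vlan_id == want;
}

int main(void) {
    printf("tagged on vlan 100: %d, untagged on vlan 100: %d\n",
           frame_on_vlan(SAMPLE_TAGGED, sizeof SAMPLE_TAGGED, 100),
           frame_on_vlan(SAMPLE_UNTAGGED, sizeof SAMPLE_UNTAGGED, 100));
    return 0;
}
```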