[Snort-users] 802.1q Monitoring

Chris Green cmg at ...1935...
Fri Jun 6 07:44:09 EDT 2003

Bennett Todd <bet at ...6163...> writes:

> 2003-06-05T16:46:00 Ron Shuck:
>> Has anyone implemented or tried to monitor a 802.1q (trunked)
>> connection with Snort?


> If one snort config will work for all your vlans,

Extend DecodeVlan() to be able to decode what it finds in decode.c and
submit a patch to snort-devel and traffic captures of your trunked vlan.

Even if you don't have C skills, please send (at least me) a packet
capture of your trunked vlan.

Even if 1 snort config won't work for your vlans, you can use bpf to
filter by vlan id before it goes to snort and then run a separate
snort on each vlan.
Chris Green <cmg at ...1935...>
 "Not everyone holds these truths to be self-evident, so we've worked
                  up a proof of them as Appendix A." --  Paul Prescod
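
A minimal sketch of the 802.1Q tag decode discussed in the reply above, added here as an example; it is not Snort's DecodeVlan() or code from the post. The struct, function names and sample frame are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETHERTYPE_8021Q 0x8100  /* IEEE 802.1Q tag protocol identifier */
#define ETH_HDR_LEN     14      /* dst MAC + src MAC + EtherType */
#define VLAN_TAG_LEN    4       /* each tag inserts 4 bytes */

/* Hypothetical result type for this example (not a Snort structure). */
struct vlan_info {
    int      tagged;      /* 1 if an 802.1Q tag was present */
    uint16_t vid;         /* 12-bit VLAN ID */
    uint8_t  pcp;         /* 3-bit priority code point */
    uint16_t inner_type;  /* EtherType of the encapsulated payload */
    size_t   payload_off; /* offset of the payload within the frame */
};

/* Constructed sample: broadcast frame, VLAN 10, priority 5, IPv4 inside. */
const uint8_t sample_tagged[] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x11,0x22,0x33,0x44,0x55,
    0x81,0x00, 0xa0,0x0a, 0x08,0x00, 0x45,0x00
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 0 on success, -1 if the frame is too short to decode safely. */
int parse_vlan(const uint8_t *frame, size_t len, struct vlan_info *out)
{
    if (len < ETH_HDR_LEN) return -1;
    out->tagged = 0; out->vid = 0; out->pcp = 0;
    out->inner_type = rd16(frame + 12);
    out->payload_off = ETH_HDR_LEN;
    if (out->inner_type != ETHERTYPE_8021Q) return 0;  /* untagged frame */
    if (len < ETH_HDR_LEN + VLAN_TAG_LEN) return -1;   /* truncated tag */
    uint16_t tci = rd16(frame + 14);                   /* tag control info */
    out->tagged = 1;
    out->pcp = (uint8_t)(tci >> 13);
    out->vid = tci & 0x0FFF;
    out->inner_type = rd16(frame + 16);
    out->payload_off = ETH_HDR_LEN + VLAN_TAG_LEN;
    return 0;
}

int main(void)
{
    struct vlan_info v;
    if (parse_vlan(sample_tagged, sizeof sample_tagged, &v) == 0)
        printf("vid=%u pcp=%u type=0x%04x\n", v.vid, v.pcp, v.inner_type);
    return 0;
}
```

The `vid` field is the value a pcap `vlan <id>` filter expression matches when splitting a trunk across separate sensors.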
