[Snort-users] 802.1q Monitoring

Ron Shuck rshuck at ...6736...
Fri Jun 6 08:36:04 EDT 2003


Hi Chris,

I have to make it work for a client, so I will work with you to make
sure I do it in a way that can be used in the general snort code. I am a
C programmer from a previous life, so I may be a little rusty. The
client fully supports open source and has given me permission to submit
any work done as long as it does not compromise the security of their
system.

BTW, can you give me any feedback on the problem I see with changing
rule order causing some alerts not to fire. I posted a while back. I
have had several people tell me they see similar results, but I haven't
seen anything in users or devel lists.

Thanks,

Ron Shuck, CISSP, GCIA, CCSE - Managing Consultant 
Buchanan Associates - A Technology Company in the People Business 
http://www.buchanan.com 
http://www.isc2.org
http://www.giac.org


-----Original Message-----
From: Chris Green [mailto:cmg at ...1935...] 
Sent: Friday, June 06, 2003 9:44 AM
To: Bennett Todd
Cc: Ron Shuck; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] 802.1q Monitoring


Bennett Todd <bet at ...6163...> writes:

> 2003-06-05T16:46:00 Ron Shuck:
>> Has anyone implemented or tried to monitor a 802.1q (trunked) 
>> connection with Snort?
>

[...]

>
> If one snort config will work for all your vlans,

Extend DecodeVlan() to be able to decode what it finds in decode.c and
submit a patch to snort-devel and traffic captures of your trunked vlan
configuration.

Even if you don't have C skills, please send (at least me) a packet
capture of your trunked vlan.

Even if 1 snort config won't work for your vlans, you can use bpf to
filter by vlan id before it goes to snort and then run a separate snort
on each vlan.
-- 
Chris Green <cmg at ...1935...>
 "Not everyone holds these truths to be self-evident, so we've worked
                  up a proof of them as Appendix A." --  Paul Prescod
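As an added example of the decoding step Chris describes (not the thread's or Snort's own code): a small C function that strips an 802.1Q tag from a constructed frame and exposes the VLAN ID, priority and inner EtherType, so a sensor does not stop at EtherType 0x8100. The function and struct names and the sample bytes are my own.

```c
/* Added example, not Snort's decode.c: decode an 802.1Q tag so the sensor
 * can reach the IP payload behind it instead of stopping at EtherType 0x8100. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#define ETHERTYPE_VLAN 0x8100
struct vlan_info {
    int      tagged;      /* 1 if an 802.1Q tag was present */
    uint16_t vid;         /* 12-bit VLAN identifier */
    uint8_t  pcp;         /* 3-bit priority code point */
    uint16_t ethertype;   /* EtherType of the encapsulated payload */
    size_t   payload_off; /* offset of that payload within the frame */
};

/* Returns 0 on success, -1 if the frame is too short to decode safely. */
int decode_vlan(const uint8_t *frame, size_t len, struct vlan_info *out)
{
    uint16_t type;
    memset(out, 0, sizeof(*out));
    if (len < 14)                       /* dst(6) + src(6) + type(2) */
        return -1;
    type = (uint16_t)((frame[12] << 8) | frame[13]);
    if (type != ETHERTYPE_VLAN) {       /* untagged: nothing to strip */
        out->ethertype = type;
        out->payload_off = 14;
        return 0;
    }
    if (len < 18)                       /* need TCI(2) + inner type(2) */
        return -1;
    out->tagged = 1;
    out->pcp = frame[14] >> 5;          /* TCI bits 15..13 */
    out->vid = (uint16_t)(((frame[14] & 0x0F) << 8) | frame[15]); /* bits 11..0 */
    out->ethertype = (uint16_t)((frame[16] << 8) | frame[17]);
    out->payload_off = 18;
    return 0;
}
/* Constructed sample frame: VLAN 100 (0x064), PCP 3, inner EtherType IPv4. */
static const uint8_t sample_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, /* dst, src */
    0x81,0x00, 0x60,0x64, 0x08,0x00,                             /* TPID, TCI, type */
    0x45,0x00,0x00,0x14                                          /* start of IPv4 */
};
int main(void)
{
    struct vlan_info v;
    if (decode_vlan(sample_frame, sizeof sample_frame, &v) == 0)
        printf("tagged=%d vid=%u pcp=%u inner=0x%04x payload@%zu\n", v.tagged, v.vid, v.pcp, v.ethertype, v.payload_off);
    return 0;
}
```

For the second route in Chris's message, libpcap's `vlan` primitive (for example `vlan 100`) selects frames by tag, so each per-VLAN Snort instance can be fed only its own traffic.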