[Snort-users] 802.1q Monitoring
jeff at ...950...
Fri Jun 6 15:44:03 EDT 2003
I replied to Chris Green before looking at DecodeVlan.
Snort is already capable of decoding 802.1Q. A trunk port simply carries
802.1Q tags when sending frames out an interface. Thus, it should work as
is for your purposes.
--On Thursday, June 5, 2003 15:46 -0500 Ron Shuck <rshuck at ...6736...>
> Has anyone implemented or tried to monitor an 802.1q (trunked) connection
> with Snort? I saw that DLink has an 802.1q compatible card, and that it
> appears to be supported under Linux. I have several remote locations
> that do not have a huge amount of traffic, but there are several VLANs.
> It would be much easier and get the most coverage to port mirror/tap the
> WAN connection, but it is trunked.
> Any help would be greatly appreciated.
> Ron Shuck, CISSP, GCIA, CCSE - Managing Consultant
> Buchanan Associates - A Technology Company in the People Business
http://cerberus.sourcefire.com/~jeff (gpg key available)
Great spirits have always encountered violent opposition from mediocre
- Albert Einstein
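What a sensor on a mirrored trunk port has to decode, as an added example that is not part of the original message and is not Snort's DecodeVlan code: a tagged frame carries a 4-byte 802.1Q tag between the source MAC and the real EtherType, so the network-layer header starts at offset 18 instead of 14. The function, struct and sample byte arrays are hypothetical names constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TPID_8021Q 0x8100u          /* EtherType value that marks an 802.1Q tag */

struct l2_info {
    int      tagged;                /* 1 if an 802.1Q tag was present */
    uint8_t  priority;              /* 3-bit PCP from the tag */
    uint16_t vlan_id;               /* 12-bit VLAN ID, 0 when untagged */
    uint16_t ethertype;             /* EtherType of the encapsulated payload */
    size_t   l3_offset;             /* byte offset of the network-layer header */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Decode the Ethernet header, skipping one 802.1Q tag if present.
 * Returns 0 on success, -1 if the frame is too short. */
int decode_l2(const uint8_t *f, size_t len, struct l2_info *out)
{
    if (len < 14) return -1;                    /* dst(6) + src(6) + type(2) */
    out->tagged = 0; out->priority = 0; out->vlan_id = 0;
    out->ethertype = be16(f + 12);
    out->l3_offset = 14;
    if (out->ethertype == TPID_8021Q) {
        if (len < 18) return -1;                /* tag cut off */
        uint16_t tci = be16(f + 14);            /* PCP(3) | DEI(1) | VID(12) */
        out->tagged = 1;
        out->priority = (uint8_t)(tci >> 13);
        out->vlan_id = (uint16_t)(tci & 0x0FFF);
        out->ethertype = be16(f + 16);          /* real EtherType follows the tag */
        out->l3_offset = 18;
    }
    return 0;
}

/* Constructed sample headers (not captured traffic). */
const uint8_t TAGGED[] = { 0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb,
    0x81,0x00, 0xa0,0x64, 0x08,0x00, 0x45,0x00 };   /* PCP 5, VLAN 100, IPv4 */
const uint8_t UNTAGGED[] = { 0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb,
    0x08,0x00, 0x45,0x00 };

int main(void)
{
    struct l2_info i;
    if (decode_l2(TAGGED, sizeof TAGGED, &i) == 0)
        printf("vlan=%u pcp=%u type=0x%04x l3@%zu\n", (unsigned)i.vlan_id, (unsigned)i.priority, (unsigned)i.ethertype, i.l3_offset);
    return 0;
}
```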