[Snort-users] how to configure snort with vlan

Russ Starr russ.starr at ...11827...
Tue Sep 20 10:26:26 EDT 2005


My VLAN experience is limited on GNU/Linux, but give this a try.  Use
this to test and make sure you are getting the packets you want.
(This assumes your interface is eth0 and you want to only see vlan 2)

snort -dev -i eth0 vlan 2

The "vlan 2" is a libpcap filter that should allow you to only see the
802.1q tagged messages for VLAN 2.

Try running your three instances of snort using the three VLANs you
are trunking on that port. Let me know if you have any luck.  I am
curious.

-Russ

On 9/13/05, fiorenzi <fiorenzi at ...4455...> wrote:
> Hi, my noc have mirrored 3 vlan on the same mirror port of the switch,
> and so I have all the traffic mirrored on the same port.
> 
> I would like to run different istance of snort for each vlan coming from
> the same ethernet card, what I need and how can I do? In particular how
> do I say snort to listen on ethX on vlan id Y?
> 
> 
> Thanks very much
> 
> Alessandro Fiorenzi
> 
> 
> -------------------------------------------------------
> SF.Net email is sponsored by:
> Tame your development challenges with Apache's Geronimo App Server. Download
> it for free - -and be entered to win a 42" plasma tv or your very own
> Sony(tm)PSP.  Click here to play: http://sourceforge.net/geronimo.php
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>




More information about the Snort-users mailing list