[Snort-users] Vlan Tagging Issue with Snort

infosec posts infosec.posts at ...11827...
Thu Sep 9 19:05:40 EDT 2010

Greetings Snort Gurus,

Our network folks were recently forced to make some architectural and
equipment changes that are creating an issue with our snort
monitoring.  The core of the problem is that on the switch that sends
our IDS sensor traffic via a monitor port, outbound traffic is not
tagged, but inbound traffic (from the Internet) comes across on a trunk
and has 802.1Q vlan tags.  This cannot be changed due to
architectural restrictions and (sad/ridiculous/stupid) limitations in
the network switches.  I know that snort supports and understands vlan
tagging, but because only one direction of the traffic is tagged, it
is creating a problem for us.

Our IDS box runs two snort instances, with filters like this:

BPF="not port 80 and not port 443"
BPF="port 80 and port 443"

In order to see the inbound traffic, I include the "vlan" filter, like so:
BPF="vlan and not port 80 and not port 443"

...but then I *only* see inbound traffic, and not outbound.

If I include no BPF filters at all, I can see all inbound and outbound
traffic, but then I can't filter ports I don't want to see on a given
snort instance.  Tcpdump exhibits the same issue on this box, so I've
been testing with it, and have had the following results:

tcpdump -nni eth1 : all inbound and outbound traffic (no filter applied)

tcpdump -nni eth1 port 80 : only outbound port 80; tagged traffic is excluded

tcpdump -nni eth1 vlan and port 80 : only inbound port 80; un-tagged
traffic is excluded

tcpdump -nni eth1 vlan or port 80 : only inbound traffic; not sure
why this doesn't catch outbound 80 as well

tcpdump -nni eth1 vlan or not vlan : all inbound and outbound traffic
tcpdump -nni eth1 vlan and not vlan : all inbound and outbound traffic

tcpdump -nni eth1 vlan or not vlan and port 80 : no traffic

tcpdump -nni eth1 port 80 and vlan : "expression rejects all packets"

A couple of other notes:
- The platform is RHEL5.
- We are limited to one monitor session on the switch feeding the sensor.

At this point, I think I'm down to a last resort of running separate
snort instances for inbound and outbound, but I'd really prefer not to
add the resource and administrative overhead.  We plan to test feeding
the monitor session into an access port on a second switch to strip
the vlan tags on the inbound packets, but I don't have high hopes for
that being successful.

Am I missing something?  Any other ideas or suggestions?

Thanks in advance.
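Added illustration, not part of the original post: in pcap filter syntax the first `vlan` keyword changes the decoding offsets for the remainder of the expression, so a `port 80` written after `vlan` is only checked at 802.1Q-shifted offsets. The Python below builds constructed (made-up) tagged and untagged port-80 frames, emulates that fixed-offset rule for the expressions in the post (simplified: no IP fragment check), and contrasts it with a decoder that decides the shift per packet.

```python
import struct

ETH_8021Q, ETH_IP = 0x8100, 0x0800

def build_frame(sport, dport, vlan_id=None):
    """Constructed Ethernet/IPv4/TCP frame; an 802.1Q tag is inserted when vlan_id is given."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan_id is not None:
        eth += struct.pack("!HH", ETH_8021Q, vlan_id & 0x0FFF)
    eth += struct.pack("!H", ETH_IP)
    tcp = struct.pack("!HH", sport, dport) + bytes(16)  # minimal 20-byte TCP header
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([192, 168, 0, 2]))
    return eth + ip + tcp

def bpf_vlan(frame):
    """BPF 'vlan': the ethertype at fixed offset 12 must be 802.1Q."""
    return struct.unpack_from("!H", frame, 12)[0] == ETH_8021Q

def bpf_port(frame, port, shifted):
    """BPF 'port N' with offsets fixed at compile time: IP header assumed at 14, or at 18
    once a preceding 'vlan' keyword has shifted the decoding offsets by 4 (simplified)."""
    base = 18 if shifted else 14
    if struct.unpack_from("!H", frame, base - 2)[0] != ETH_IP or frame[base + 9] not in (6, 17):
        return False  # not IPv4 at the assumed offset, or neither TCP nor UDP
    ihl = (frame[base] & 0x0F) * 4
    return port in struct.unpack_from("!HH", frame, base + ihl)

# The expressions from the post, with BPF's rule applied: 'port' is evaluated at shifted
# offsets only when a 'vlan' keyword has already appeared to its left.
FILTERS = {
    "port 80": lambda f: bpf_port(f, 80, shifted=False),
    "vlan and port 80": lambda f: bpf_vlan(f) and bpf_port(f, 80, shifted=True),
    "vlan or port 80": lambda f: bpf_vlan(f) or bpf_port(f, 80, shifted=True),
    "port 80 and vlan": lambda f: bpf_port(f, 80, shifted=False) and bpf_vlan(f),
    # Ordering idiom for mixed captures: test the untagged case before the first 'vlan'.
    "port 80 or (vlan and port 80)": lambda f: bpf_port(f, 80, shifted=False)
                                     or (bpf_vlan(f) and bpf_port(f, 80, shifted=True)),
}

def tag_aware_port(frame, port):
    """What the sensor needs: decide the shift per packet instead of at compile time."""
    return bpf_port(frame, port, shifted=bpf_vlan(frame))

def matrix():
    """(matches untagged outbound, matches tagged inbound) for each expression on port-80 frames."""
    outbound = build_frame(40000, 80)              # untagged, as the switch forwards it
    inbound = build_frame(80, 40000, vlan_id=100)  # 802.1Q-tagged trunk traffic
    return {name: (f(outbound), f(inbound)) for name, f in FILTERS.items()}
```

`matrix()` reproduces the post's observations ("vlan or port 80" never matches the untagged frame because its `port 80` is read at tagged offsets; "port 80 and vlan" can match nothing), while the last entry matches both directions because the untagged test runs before the first `vlan` keyword shifts the offsets.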
