[Snort-users] Vlan Tagging Issue with Snort
bamm.visscher at ...11827...
Fri Sep 10 10:52:52 EDT 2010
Use an "OR" to grab vlan or ip traffic, like so:
BPF="(ip and not port 80 and not port 443) or (vlan and not port 80 and not port 443)"
BPF="(ip and port 80 and port 443) or (vlan and port 80 and port 443)"
The "port 80 *and* port 443" doesn't make any sense to me (port 80 *or*
port 443, maybe?), but it's your filter.
On Thu, Sep 9, 2010 at 7:05 PM, infosec posts <infosec.posts at ...11827...> wrote:
> Greetings Snort Gurus,
> Our network folks were recently forced to make some architectural and
> equipment changes that are creating an issue with our snort
> monitoring. The core of the problem is that on the switch that sends
> our IDS sensor traffic via a monitor port, outbound traffic is not
> tagged, but inbound traffic (from the Internet) comes across as trunk
> and has 802.1Q vlan tags. This cannot be changed due to
> architectural restrictions and (sad/ridiculous/stupid) limitations in
> the network switches. I know that snort supports and understands vlan
> tagging, but because only one direction of the traffic is tagged, it
> is creating a problem for us.
> Our IDS box runs two snort instances, with filters like this:
> BPF="not port 80 and not port 443"
> BPF="port 80 and port 443"
> In order to see the inbound traffic, I include the "vlan" filter, like so:
> BPF="vlan and not port 80 and not port 443"
> ...but then I *only* see inbound traffic, and not outbound.
> If I include no BPF filters at all, I can see all inbound and outbound
> traffic, but then I can't filter ports I don't want to see on a given
> snort instance. Tcpdump exhibits the same issue on this box, so I've
> been testing with it, and have had the following results:
> tcpdump -nni eth1 : all inbound and outbound traffic (no filter applied)
> tcpdump -nni eth1 port 80 : only outbound port 80; tagged traffic is excluded
> tcpdump -nni eth1 vlan and port 80 : only inbound port 80; un-tagged
> traffic is excluded
> tcpdump -nni eth1 vlan or port 80 : only inbound traffic; not sure
> why this doesn't catch outbound 80 as well
> tcpdump -nni eth1 vlan or not vlan : all inbound and outbound traffic
> tcpdump -nni eth1 vlan and not vlan : all inbound and outbound traffic
> tcpdump -nni eth1 vlan or not vlan and port 80 : no traffic
> tcpdump -nni eth1 port 80 and vlan : “expression rejects all packets”
> A couple of other notes:
> -The platform is RHEL5.
> -We are limited to one monitor session on the switch feeding the sensor.
> At this point, I think I'm down to a last resort of running separate
> snort instances for inbound and outbound, but I'd really prefer not to
> add the resource and administrative overhead. We plan to test feeding
> the monitor session into an access port on a second switch to strip
> the vlan tags on the inbound packets, but I don't have high hopes for
> that being successful.
> Am I missing something? Any other ideas or suggestions?
> Thanks in advance.
sguil - The Analyst Console for NSM
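An offline way to check a candidate filter before putting it on a sensor, added here as an example and not part of the thread or of Snort/sguil: the script below builds a small pcap (pure standard library) that mirrors the poster's monitor port, one untagged outbound frame and one 802.1Q-tagged inbound frame, both TCP port 80. MAC addresses, IPs, VLAN id 100 and the file name are constructed values.

```python
import struct

ETH_P_IP = 0x0800     # EtherType for IPv4
ETH_P_8021Q = 0x8100  # TPID of an 802.1Q VLAN tag

def _ip_checksum(hdr):
    """One's-complement sum over 16-bit words; 0 when a checksummed header is valid."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def ipv4_tcp(src, dst, sport, dport):
    """Minimal IPv4 header + TCP SYN (no options; TCP checksum left at 0)."""
    ip2b = lambda a: bytes(int(x) for x in a.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, ip2b(src), ip2b(dst))
    ip = ip[:10] + struct.pack("!H", _ip_checksum(ip)) + ip[12:]
    return ip + tcp

def frame(payload, vlan_id=None):
    """Ethernet II frame; with vlan_id, a 4-byte 802.1Q tag follows the MACs (constructed MACs)."""
    macs = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan_id is None:
        return macs + struct.pack("!H", ETH_P_IP) + payload
    return macs + struct.pack("!HHH", ETH_P_8021Q, vlan_id & 0x0FFF, ETH_P_IP) + payload

def parse(f):
    """Return (vlan_id or None, TCP dst port), skipping the tag when present."""
    etype = struct.unpack("!H", f[12:14])[0]
    vlan_id, off = None, 14
    if etype == ETH_P_8021Q:
        vlan_id = struct.unpack("!H", f[14:16])[0] & 0x0FFF
        off = 18  # IP header starts 4 bytes later on tagged frames
    ihl = (f[off] & 0x0F) * 4
    return vlan_id, struct.unpack("!H", f[off + ihl + 2:off + ihl + 4])[0]

def pcap_bytes(frames, ts=1284130372):
    """Classic pcap container, LINKTYPE_ETHERNET (1), microsecond timestamps."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", ts + i, 0, len(f), len(f)) + f
    return out

def build_test_capture():
    """Untagged outbound client->server frame and tagged (VLAN 100) inbound reply."""
    outbound = frame(ipv4_tcp("10.0.0.5", "198.51.100.7", 40001, 80))
    inbound = frame(ipv4_tcp("198.51.100.7", "10.0.0.5", 80, 40001), vlan_id=100)
    return [outbound, inbound]

if __name__ == "__main__":
    with open("vlan_test.pcap", "wb") as fh:
        fh.write(pcap_bytes(build_test_capture()))
```

Run `tcpdump -nn -r vlan_test.pcap 'port 80'` and only the untagged frame is listed, while `'(ip and port 80) or (vlan and port 80)'` lists both; keep the `vlan` clause last, because the `vlan` keyword shifts the decoding offsets for everything after it in the expression, which is also why the poster's `vlan or port 80` never matched untagged traffic.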