[Snort-users] Vlan Tagging Issue with Snort

Bamm Visscher bamm.visscher at ...11827...
Fri Sep 10 10:52:52 EDT 2010

Use an "OR" to grab vlan or ip traffic, like so:

BPF="(ip and not port 80 and not port 443) or (vlan and not port 80
and not port 443)"
BPF="(ip and port 80 and port 443) or (vlan and port 80 and port 443)"

Although the "port 80 *and* port 443" doesn't make any sense to me
(port 80 *or* port 443 maybe)?, but it's your filter.


On Thu, Sep 9, 2010 at 7:05 PM, infosec posts <infosec.posts at ...11827...> wrote:
> Greetings Snort Gurus,
> Our network folks were recently forced to make some architectural and
> equipment changes that are creating an issue with our snort
> monitoring.  The core of the problem is that on the switch that sends
> our IDS sensor traffic via a monitor port, outbound traffic is not
> tagged, but inbound traffic (from the Internet) come across at trunk
> and have 802.1Q vlan tags.  This cannot be changed due to
> architectural restrictions and (sad/ridiculous/stupid) limitations in
> the network swtiches.  I know that snort supports and understands vlan
> tagging, but because only one direction of the traffic is tagged, it
> is creating a problem for us.
> Our IDS box runs two snort instances, with filters like this:
> BPF="not port 80 and not port 443"
> BPF="port 80 and port 443"
> In order to see the inbound traffic, I include the "vlan" filter, like so:
> BPF="vlan and not port 80 and not port 443"
> ...but then I *only* see inbound traffic, and not outbound.
> If I include no BPF filters at all, I can see all inbound and outbound
> traffic, but then I can't filter ports I don't want to see on a given
> snort instance.  Tcpdump exhibits the same issue on this box, so I've
> been testing with it, and have had the following results:
> tcpdump –nni eth1 : all inbound and outbound traffic (no filter applied)
> tcpdump –nni eth1 port 80 : only outbound port 80; tagged traffic is excluded
> tcpdump –nni eth1 vlan and port 80  : only inbound port 80; un-tagged
> traffic is excluded
> tcpdump –nni eth1 vlan or port 80  :  only inbound traffic; not sure
> why this doesn’t catch outbound 80 as well
> tcpdump –nni eth1 vlan or not vlan :  all inbound and outbound traffic
> tcpdump –nni eth1 vlan and not vlan :  all inbound and outbound traffic
> tcpdump –nni eth1 vlan or not vlan and port 80 :  no traffic
> tcpdump -nni eth1 port 80 and vlan : “expression rejects all packets”
> A couple of other notes:
> -The platform is RHEL5.
> -We are limited to one monitor session on the swtich feeding the sensor.
> At this point, I think I'm down to a last resort of running separate
> snort instances for inbound and outbound, but I'd really prefer not to
> add the resource and administrative overhead.  We plan to test feeding
> the monitor session into an access port on a second switch to strip
> the vlan tags on the inbound packets, but I don't have high hopes for
> that being successful.
> Am I missing something?  Any other ideas or suggestions?
> Thanks in advance.
> ------------------------------------------------------------------------------
> Automate Storage Tiering Simply
> Optimize IT performance and efficiency through flexible, powerful,
> automated storage tiering capabilities. View this brief to learn how
> you can reduce costs and improve performance.
> http://p.sf.net/sfu/dell-sfdev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

sguil - The Analyst Console for NSM

More information about the Snort-users mailing list