[Snort-users] Vlan Tagging Issue with Snort

Bamm Visscher bamm.visscher at ...11827...
Fri Sep 10 10:52:52 EDT 2010


Use an "OR" to grab vlan or ip traffic, like so:

BPF="(ip and not port 80 and not port 443) or (vlan and not port 80
and not port 443)"
BPF="(ip and port 80 and port 443) or (vlan and port 80 and port 443)"

Although the "port 80 *and* port 443" doesn't make any sense to me
(port 80 *or* port 443 maybe)?, but it's your filter.

Bamm


On Thu, Sep 9, 2010 at 7:05 PM, infosec posts <infosec.posts at ...11827...> wrote:
> Greetings Snort Gurus,
>
> Our network folks were recently forced to make some architectural and
> equipment changes that are creating an issue with our snort
> monitoring.  The core of the problem is that on the switch that sends
> our IDS sensor traffic via a monitor port, outbound traffic is not
> tagged, but inbound traffic (from the Internet) come across at trunk
> and have 802.1Q vlan tags.  This cannot be changed due to
> architectural restrictions and (sad/ridiculous/stupid) limitations in
> the network swtiches.  I know that snort supports and understands vlan
> tagging, but because only one direction of the traffic is tagged, it
> is creating a problem for us.
>
> Our IDS box runs two snort instances, with filters like this:
>
> BPF="not port 80 and not port 443"
> BPF="port 80 and port 443"
>
> In order to see the inbound traffic, I include the "vlan" filter, like so:
> BPF="vlan and not port 80 and not port 443"
>
> ...but then I *only* see inbound traffic, and not outbound.
>
> If I include no BPF filters at all, I can see all inbound and outbound
> traffic, but then I can't filter ports I don't want to see on a given
> snort instance.  Tcpdump exhibits the same issue on this box, so I've
> been testing with it, and have had the following results:
>
> tcpdump –nni eth1 : all inbound and outbound traffic (no filter applied)
>
> tcpdump –nni eth1 port 80 : only outbound port 80; tagged traffic is excluded
>
> tcpdump –nni eth1 vlan and port 80  : only inbound port 80; un-tagged
> traffic is excluded
>
> tcpdump –nni eth1 vlan or port 80  :  only inbound traffic; not sure
> why this doesn’t catch outbound 80 as well
>
> tcpdump –nni eth1 vlan or not vlan :  all inbound and outbound traffic
> tcpdump –nni eth1 vlan and not vlan :  all inbound and outbound traffic
>
> tcpdump –nni eth1 vlan or not vlan and port 80 :  no traffic
>
> tcpdump -nni eth1 port 80 and vlan : “expression rejects all packets”
>
> A couple of other notes:
> -The platform is RHEL5.
> -We are limited to one monitor session on the swtich feeding the sensor.
>
> At this point, I think I'm down to a last resort of running separate
> snort instances for inbound and outbound, but I'd really prefer not to
> add the resource and administrative overhead.  We plan to test feeding
> the monitor session into an access port on a second switch to strip
> the vlan tags on the inbound packets, but I don't have high hopes for
> that being successful.
>
> Am I missing something?  Any other ideas or suggestions?
>
> Thanks in advance.
>
> ------------------------------------------------------------------------------
> Automate Storage Tiering Simply
> Optimize IT performance and efficiency through flexible, powerful,
> automated storage tiering capabilities. View this brief to learn how
> you can reduce costs and improve performance.
> http://p.sf.net/sfu/dell-sfdev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>



-- 
sguil - The Analyst Console for NSM
http://sguil.sf.net




More information about the Snort-users mailing list