[Snort-users] Vlan Tagging Issue with Snort

infosec posts infosec.posts at ...11827...
Fri Sep 10 11:20:11 EDT 2010

Looks like those filters are going to work, Bamm; thanks!  I thought
there had to be a solution like that, but I hadn't found the right
groupings yet.  You are also correct that the second filter should be
"port 80 or port 443"; that was an error when I typed this email, as I
wasn't looking at my actual filters when I typed it up.

I also had an individual reply that suggested setting up a virtual
interface on my monitor nic and setting it as a vlan tagged port.  I
haven't tested that yet, but wanted to mention it in case it helps
someone else reading the list at some point.

On Fri, Sep 10, 2010 at 9:52 AM, Bamm Visscher <bamm.visscher at ...11827...> wrote:
> Use an "OR" to grab vlan or ip traffic, like so:
> BPF="(ip and not port 80 and not port 443) or (vlan and not port 80
> and not port 443)"
> BPF="(ip and port 80 and port 443) or (vlan and port 80 and port 443)"
> Although the "port 80 *and* port 443" doesn't make any sense to me
> (port 80 *or* port 443 maybe)?, but it's your filter.
> Bamm
> On Thu, Sep 9, 2010 at 7:05 PM, infosec posts <infosec.posts at ...11827...> wrote:
>> Greetings Snort Gurus,
>> Our network folks were recently forced to make some architectural and
>> equipment changes that are creating an issue with our snort
>> monitoring.  The core of the problem is that on the switch that sends
>> our IDS sensor traffic via a monitor port, outbound traffic is not
>> tagged, but inbound traffic (from the Internet) come across at trunk
>> and have 802.1Q vlan tags.  This cannot be changed due to
>> architectural restrictions and (sad/ridiculous/stupid) limitations in
>> the network swtiches.  I know that snort supports and understands vlan
>> tagging, but because only one direction of the traffic is tagged, it
>> is creating a problem for us.
>> Our IDS box runs two snort instances, with filters like this:
>> BPF="not port 80 and not port 443"
>> BPF="port 80 and port 443"
>> In order to see the inbound traffic, I include the "vlan" filter, like so:
>> BPF="vlan and not port 80 and not port 443"
>> ...but then I *only* see inbound traffic, and not outbound.
>> If I include no BPF filters at all, I can see all inbound and outbound
>> traffic, but then I can't filter ports I don't want to see on a given
>> snort instance.  Tcpdump exhibits the same issue on this box, so I've
>> been testing with it, and have had the following results:
>> tcpdump –nni eth1 : all inbound and outbound traffic (no filter applied)
>> tcpdump –nni eth1 port 80 : only outbound port 80; tagged traffic is excluded
>> tcpdump –nni eth1 vlan and port 80  : only inbound port 80; un-tagged
>> traffic is excluded
>> tcpdump –nni eth1 vlan or port 80  :  only inbound traffic; not sure
>> why this doesn’t catch outbound 80 as well
>> tcpdump –nni eth1 vlan or not vlan :  all inbound and outbound traffic
>> tcpdump –nni eth1 vlan and not vlan :  all inbound and outbound traffic
>> tcpdump –nni eth1 vlan or not vlan and port 80 :  no traffic
>> tcpdump -nni eth1 port 80 and vlan : “expression rejects all packets”
>> A couple of other notes:
>> -The platform is RHEL5.
>> -We are limited to one monitor session on the swtich feeding the sensor.
>> At this point, I think I'm down to a last resort of running separate
>> snort instances for inbound and outbound, but I'd really prefer not to
>> add the resource and administrative overhead.  We plan to test feeding
>> the monitor session into an access port on a second switch to strip
>> the vlan tags on the inbound packets, but I don't have high hopes for
>> that being successful.
>> Am I missing something?  Any other ideas or suggestions?
>> Thanks in advance.
>> ------------------------------------------------------------------------------
>> Automate Storage Tiering Simply
>> Optimize IT performance and efficiency through flexible, powerful,
>> automated storage tiering capabilities. View this brief to learn how
>> you can reduce costs and improve performance.
>> http://p.sf.net/sfu/dell-sfdev2dev
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> --
> sguil - The Analyst Console for NSM
> http://sguil.sf.net

More information about the Snort-users mailing list