[Snort-users] VLAN- Tagged/Untagged and Snort rules

Joel Esler jesler at ...1935...
Thu Oct 4 11:20:32 EDT 2012

On Oct 4, 2012, at 10:32 AM, amN0P at ...14399... wrote:

> Hi everyone,
> I was doing some reading on this topic but wasnt able to find conclusive answer. How does Snort handle traffic coming from mirrored port on network switch which is mix of vlan tagged and untagged traffic. Due to this would Snort signatures fail or give false positives? If yes, what is the best way to handle, so that Snort works as intended. Thanks for your time and help.

Snort strips the VLAN tag out and inspects it.  The VLAN tag is preserved in the the logging of an event, but it has no bearing on detection.

Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20121004/6997f9fa/attachment.html>

More information about the Snort-users mailing list