[Snort-users] VLAN- Tagged/Untagged and Snort rules

Joel Esler jesler at ...1935...
Thu Oct 4 15:36:35 EDT 2012

On Oct 4, 2012, at 11:20 AM, Joel Esler <jesler at ...1935...> wrote:
> On Oct 4, 2012, at 10:32 AM, amN0P at ...14399... wrote:
>> Hi everyone,
>> I was doing some reading on this topic but wasnt able to find conclusive answer. How does Snort handle traffic coming from mirrored port on network switch which is mix of vlan tagged and untagged traffic. Due to this would Snort signatures fail or give false positives? If yes, what is the best way to handle, so that Snort works as intended. Thanks for your time and help.
> Snort strips the VLAN tag out and inspects it.  The VLAN tag is preserved in the the logging of an event, but it has no bearing on detection.

Let me clarify a bit:

The VLAN tag is used to track sessions if not turned off (config vlan_agnostic).  It can be problem in some deployments where one side of a session has a different VLAN tag from the other.

Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20121004/50663892/attachment.html>

More information about the Snort-users mailing list