Snort mailing list archives

Re: 802.1q Monitoring


From: Bennett Todd <bet () rahul net>
Date: Fri, 6 Jun 2003 09:28:03 -0400

2003-06-05T16:46:00 Ron Shuck:
Has anyone implemented or tried to monitor a 802.1q (trunked)
connection with Snort?

I don't recall hearing anyone do this.

I can think of a few approaches.

One would be to whack out a quick preprocessor to tear off 802.1q
trunking wrappers. Assuming libpcap can haul the packets out of the
NIC, that should finish the job. Check out the snort book, it
describes very nicely how to make preprocessors, in fact the chapter
describing that was available last I checked as a sample you could
read online.

Another approach would be to use the OS to decapsulate the
trunking. Use Linux's 802.1q support, and run a separate snort
instance on each of the logical interfaces provided. If you want a
separate snort config for each vlan this is the way to go.

If one snort config will work for all your vlans, another
possibility would be to combine Linux's support for 802.1q trunking
to tear off the 802.1q headers, then use Linux's bonding driver to
re-aggregate the traffic from those logical interfaces back into one
aggregated interface to aim snort at. E.g. let linux's vlan driver
split the vlans out into eth1.# for the various vlan numbers "#",
then ifenslave all the eth1.# vlan interfaces back into bond0. I
don't know if this would work, but it wouldn't surprise me if it
did.

-Bennett
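The per-VLAN approach described in the mail (split the trunk with the Linux 8021q driver, then run a separate Snort instance on each logical interface), as an added example that is not Bennett's code: a POSIX shell script using the modern `ip link` syntax for the 8021q driver rather than the older vconfig tool. The trunk interface name eth1, the config path /etc/snort/vlan-<id>.conf and the log directory /var/log/snort/vlan-<id> are assumptions; set DRY_RUN=1 to print the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original mail. Splits an 802.1q trunk port into
# one Linux VLAN interface per VLAN id and starts one Snort instance per VLAN.
# Assumed names: trunk "eth1", configs /etc/snort/vlan-<id>.conf, logs
# /var/log/snort/vlan-<id>. Creating interfaces needs root; DRY_RUN=1 only
# prints what would be executed.

DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Load the 8021q driver, then create <trunk>.<id> for each VLAN id given and
# bring it up in promiscuous mode so the sniffer sees every frame on it.
setup_vlans() {
    trunk="$1"; shift
    run modprobe 8021q
    run ip link set dev "$trunk" up promisc on
    for vid in "$@"; do
        run ip link add link "$trunk" name "$trunk.$vid" type vlan id "$vid"
        run ip link set dev "$trunk.$vid" up promisc on
    done
}

# Launch one daemonized Snort process per VLAN interface, each with its own
# config file and log directory so rules can differ per VLAN.
start_snort_per_vlan() {
    trunk="$1"; shift
    for vid in "$@"; do
        run snort -D -i "$trunk.$vid" -c "/etc/snort/vlan-$vid.conf" \
            -l "/var/log/snort/vlan-$vid"
    done
}

# Usage: setup_vlans eth1 10 20 30 && start_snort_per_vlan eth1 10 20 30
```

Each Snort instance only ever sees untagged frames for its own VLAN, so the signatures never have to understand the 802.1q header themselves.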
