Snort mailing list archives
Re: 802.1q Monitoring
From: Bennett Todd <bet () rahul net>
Date: Fri, 6 Jun 2003 09:28:03 -0400
2003-06-05T16:46:00 Ron Shuck:
Has anyone implemented or tried to monitor a 802.1q (trunked) connection with Snort?
I don't recall hearing anyone do this. I can think of a few approaches.

One would be to whack out a quick preprocessor to tear off 802.1q trunking wrappers. Assuming libpcap can haul the packets out of the NIC, that should finish the job. Check out the snort book, it describes very nicely how to make preprocessors; in fact the chapter describing that was available last I checked as a sample you could read online.

Another approach would be to use the OS to decapsulate the trunking. Use Linux's 802.1q support, and run a separate snort instance on each of the logical interfaces provided. If you want a separate snort config for each vlan this is the way to go.

If one snort config will work for all your vlans, another possibility would be to combine Linux's support for 802.1q trunking to tear off the 802.1q headers, then use Linux's bonding driver to re-aggregate the traffic from those logical interfaces back into one aggregated interface to aim snort at. E.g. let linux's vlan driver split the vlans out into eth1.# for the various vlan numbers "#", then ifenslave all the eth1.# vlan interfaces back into bond0. I don't know if this would work, but it wouldn't surprise me if it did.

-Bennett
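The first approach above (a preprocessor that tears the 802.1q wrapper off before the rest of the engine sees the frame) comes down to one small piece of frame surgery. The following is an added example, not code from this thread or from Snort itself, and it does not use Snort's preprocessor API: it is a stand-alone C function that walks the EtherType/TPID field, peels off every 802.1q tag it finds (going slightly beyond the message by also accepting stacked tags with TPID 0x8100 or 0x88a8, an assumption about the trunk), records the outermost VLAN ID and priority, and writes an untagged copy of the frame that any Ethernet-expecting decoder could then consume. The sample frames are constructed inline for the demonstration; the names `vlan_strip`, `vlan_strip_result` and the `demo_*` helpers are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETH_HLEN        14      /* dst MAC + src MAC + EtherType */
#define ETHERTYPE_VLAN  0x8100  /* 802.1q C-tag TPID */
#define ETHERTYPE_QINQ  0x88a8  /* 802.1ad S-tag TPID (assumed acceptable on this trunk) */
#define FRAME_MAX       1518

/* What was learned while stripping tags from one frame. */
typedef struct {
    int      tags;      /* number of tags removed; 0 for an untagged frame */
    uint16_t vlan_id;   /* outermost VLAN ID (12 bits); 0 if untagged */
    uint8_t  pcp;       /* outermost priority code point (3 bits) */
    uint16_t ethertype; /* EtherType of the payload after the last tag */
    size_t   len;       /* length of the untagged frame written to out */
} vlan_strip_result;

/* Copy frame in[0..in_len) to out with all leading 802.1q/802.1ad tags removed.
 * Returns 0 on success, -1 if the frame is truncated or out is too small. */
int vlan_strip(const uint8_t *in, size_t in_len,
               uint8_t *out, size_t out_cap, vlan_strip_result *r)
{
    if (in_len < ETH_HLEN || out_cap < in_len) return -1;
    memset(r, 0, sizeof *r);

    size_t   off  = 12;                             /* offset of EtherType/TPID */
    uint16_t type = (uint16_t)((in[off] << 8) | in[off + 1]);

    while (type == ETHERTYPE_VLAN || type == ETHERTYPE_QINQ) {
        /* Need the 4-byte tag (TPID + TCI) plus the next 2-byte EtherType. */
        if (in_len < off + 6) return -1;
        uint16_t tci = (uint16_t)((in[off + 2] << 8) | in[off + 3]);
        if (r->tags == 0) {                          /* remember the outermost tag */
            r->vlan_id = tci & 0x0fff;
            r->pcp     = (uint8_t)(tci >> 13);
        }
        r->tags++;
        off += 4;
        type = (uint16_t)((in[off] << 8) | in[off + 1]);
    }
    r->ethertype = type;

    /* Rebuild: MACs unchanged, then everything from the real EtherType on. */
    memcpy(out, in, 12);
    memcpy(out + 12, in + off, in_len - off);
    r->len = 12 + (in_len - off);
    return 0;
}

/* Constructed samples: a minimal IPv4 header (ICMP, 10.0.0.1 -> 10.0.0.2)
 * behind (a) no tag, (b) one tag VLAN 100, (c) S-tag VLAN 200 pcp 5 over C-tag VLAN 100. */
#define MACS 0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb
#define IPV4 0x08,0x00, 0x45,0x00,0x00,0x14, 0x00,0x00,0x00,0x00, 0x40,0x01,0x00,0x00, \
             0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02
static const uint8_t sample_untagged[] = { MACS, IPV4 };
static const uint8_t sample_tagged[]   = { MACS, 0x81,0x00, 0x00,0x64, IPV4 };
static const uint8_t sample_double[]   = { MACS, 0x88,0xa8, 0xa0,0xc8, 0x81,0x00, 0x00,0x64, IPV4 };

/* Small wrappers so each field of the result can be checked on its own. */
static int demo_run(const uint8_t *f, size_t n, vlan_strip_result *r, uint8_t *out)
{
    return vlan_strip(f, n, out, FRAME_MAX, r);
}
int demo_vlan_id(const uint8_t *f, size_t n)  { vlan_strip_result r; uint8_t o[FRAME_MAX]; return demo_run(f, n, &r, o) ? -1 : r.vlan_id; }
int demo_pcp(const uint8_t *f, size_t n)      { vlan_strip_result r; uint8_t o[FRAME_MAX]; return demo_run(f, n, &r, o) ? -1 : r.pcp; }
int demo_tags(const uint8_t *f, size_t n)     { vlan_strip_result r; uint8_t o[FRAME_MAX]; return demo_run(f, n, &r, o) ? -1 : r.tags; }
int demo_ethertype(const uint8_t *f, size_t n){ vlan_strip_result r; uint8_t o[FRAME_MAX]; return demo_run(f, n, &r, o) ? -1 : r.ethertype; }
long demo_len(const uint8_t *f, size_t n)     { vlan_strip_result r; uint8_t o[FRAME_MAX]; return demo_run(f, n, &r, o) ? -1 : (long)r.len; }

/* 1 if stripping f yields exactly the untagged sample frame, else 0. */
int demo_matches_untagged(const uint8_t *f, size_t n)
{
    vlan_strip_result r; uint8_t o[FRAME_MAX];
    if (demo_run(f, n, &r, o)) return 0;
    return r.len == sizeof sample_untagged && memcmp(o, sample_untagged, r.len) == 0;
}

int main(void)
{
    const uint8_t *frames[] = { sample_untagged, sample_tagged, sample_double };
    size_t lens[] = { sizeof sample_untagged, sizeof sample_tagged, sizeof sample_double };
    for (int i = 0; i < 3; i++) {
        vlan_strip_result r; uint8_t out[FRAME_MAX];
        if (vlan_strip(frames[i], lens[i], out, sizeof out, &r) == 0)
            printf("frame %d: %d tag(s), outer vid %u pcp %u, payload type 0x%04x, %zu -> %zu bytes\n",
                   i, r.tags, r.vlan_id, r.pcp, r.ethertype, lens[i], r.len);
    }
    return 0;
}
```

The truncation check inside the loop is the part worth copying: a tag that claims to be there but is cut off at the end of the capture must fail closed rather than read past the buffer, since anything feeding this from a NIC will eventually see a runt frame.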