Snort mailing list archives
Re: Bonding, 1Q - can I do this w/ snort?
From: "Aaron" <snort () microchp org>
Date: Sun, 19 Dec 2004 20:52:06 -0800
In my experience, this does not actually work even though some here have said it does.
With Cisco's vlan capture ports, especially if listening on multiple interfaces and even more especially if the traffic is asymmetric, you will drop most of the packets.
The same problem seems to exist on most vlan configurations.
The only way I have seen snort be happy and not drop a lot of packets is if you have a true mirror (non 802.1q) port and most of the traffic is symmetric.
Regards, Aaron
Hi there.
We are looking for an alternative to using a SPAN / Mirror port on our switches. It seems, for some odd reason, that these are highly sought after resources. As I understand it there is a facility called 802.1Q trunking which allows one to send traffic from different VLANs to a given switch port. That means that the data from half a dozen Class C subnets can get to my Snort's e-net interface. Also as I understand it, Linux can be taught to read 802.1Q through "sub interfaces", so in my case I could configure six logical eth's - one per VLAN - and see data (even though I have an IP assigned - willing to assume the risk). Lastly, I have heard there is a bonding driver that will let me mash the six logical eth's together so I can tell snort to read / monitor that Eth-device.
Is this possible? Am I washed up?
Can anyone point me to the right places to get this setup?
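An added illustration, not part of the list thread: on an 802.1Q trunk each frame carries a 4-byte tag holding the VLAN ID, and this sketch parses that tag and counts frames per VLAN, which is the split the per-VLAN "sub interfaces" in the question perform. The function names and the sample frames are constructed for this example.

```python
import struct
from collections import Counter

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


def parse_frame(frame: bytes):
    """Return (vlan_id, priority, ethertype, payload); vlan_id is None if untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype != TPID_8021Q:
        return None, None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    # Tag Control Information: 3 bits priority, 1 bit DEI, 12 bits VLAN ID.
    tci, inner_type = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, tci >> 13, inner_type, frame[18:]


def frames_per_vlan(frames):
    """Count frames per VLAN ID (None = untagged frame on the trunk)."""
    counts = Counter()
    for frame in frames:
        vlan_id, _, _, _ = parse_frame(frame)
        counts[vlan_id] += 1
    return counts


def build_frame(vlan_id=None, priority=0, ethertype=0x0800, payload=b"\x00" * 46):
    """Build a constructed sample frame; the MAC addresses are made up."""
    hdr = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    if vlan_id is not None:
        hdr += struct.pack("!HH", TPID_8021Q, (priority << 13) | vlan_id)
    return hdr + struct.pack("!H", ethertype) + payload


# Constructed sample: three VLANs on one trunk port plus one untagged frame.
SAMPLE = [build_frame(10), build_frame(10), build_frame(20, priority=5),
          build_frame(30, ethertype=0x0806), build_frame()]

if __name__ == "__main__":
    for vlan, n in frames_per_vlan(SAMPLE).items():
        print("untagged" if vlan is None else f"VLAN {vlan}", n)
```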
Current thread:
- Bonding, 1Q - can I do this w/ snort? Don Murdoch (Dec 19)
- Re: Bonding, 1Q - can I do this w/ snort? Rich Adamson (Dec 19)
- <Possible follow-ups>
- Re: Bonding, 1Q - can I do this w/ snort? Aaron (Dec 19)