Snort mailing list archives
Re: VLAN- Tagged/Untagged and Snort rules
From: Joel Esler <jesler () sourcefire com>
Date: Thu, 4 Oct 2012 15:36:35 -0400
On Oct 4, 2012, at 11:20 AM, Joel Esler <jesler () sourcefire com> wrote:
> On Oct 4, 2012, at 10:32 AM, amN0P () me com wrote:
>
>> Hi everyone, I was doing some reading on this topic but wasn't able to find a conclusive answer. How does Snort handle traffic coming from a mirrored port on a network switch which is a mix of VLAN tagged and untagged traffic? Due to this, would Snort signatures fail or give false positives? If yes, what is the best way to handle it, so that Snort works as intended? Thanks for your time and help.
>
> Snort strips the VLAN tag out and inspects it. The VLAN tag is preserved in the logging of an event, but it has no bearing on detection.

Let me clarify a bit: The VLAN tag is used to track sessions if not turned off (config vlan_agnostic). It can be a problem in some deployments where one side of a session has a different VLAN tag from the other.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
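
A simplified model of the session-tracking point made in this message, added here as an example; it is not part of the original post and is not Snort's code. The packets, addresses and function names are constructed, and the model assumes a flow key of VLAN tag plus endpoints, with the tag dropped when tracking is VLAN-agnostic.

```python
from collections import defaultdict

# Constructed sample traffic from a mirror port: the client side is tagged
# VLAN 10, the server's replies arrive untagged (None).
# Fields: (vlan, src_ip, src_port, dst_ip, dst_port, note)
PACKETS = [
    (10,   "10.0.0.5",  40000, "192.0.2.8", 80,    "SYN"),
    (None, "192.0.2.8", 80,    "10.0.0.5",  40000, "SYN/ACK"),
    (10,   "10.0.0.5",  40000, "192.0.2.8", 80,    "ACK"),
    (10,   "10.0.0.5",  40000, "192.0.2.8", 80,    "GET /"),
]


def flow_key(pkt, vlan_agnostic):
    """Direction-independent session key; includes the VLAN tag unless agnostic."""
    vlan, src, sport, dst, dport, _ = pkt
    a, b = sorted([(src, sport), (dst, dport)])
    return (a, b) if vlan_agnostic else (vlan, a, b)


def track(packets, vlan_agnostic):
    """Group packets into sessions and record which directions each one saw."""
    flows = defaultdict(lambda: {"senders": set(), "packets": 0})
    for pkt in packets:
        flow = flows[flow_key(pkt, vlan_agnostic)]
        flow["senders"].add((pkt[1], pkt[2]))
        flow["packets"] += 1
    return dict(flows)


def bidirectional_flows(packets, vlan_agnostic):
    """Count sessions in which both endpoints were seen sending."""
    flows = track(packets, vlan_agnostic)
    return sum(1 for f in flows.values() if len(f["senders"]) == 2)


if __name__ == "__main__":
    for agnostic in (False, True):
        flows = track(PACKETS, agnostic)
        print(f"vlan_agnostic={agnostic}: {len(flows)} session(s), "
              f"{bidirectional_flows(PACKETS, agnostic)} with both directions")
```

With the tag in the key, the one TCP connection is split into two half-sessions, so anything that depends on seeing both sides of the session does not line up; dropping the tag from the key merges them.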