Snort mailing list archives

RE: 802.1q Monitoring


From: "Ron Shuck" <rshuck () Buchanan com>
Date: Fri, 6 Jun 2003 09:57:11 -0500

Hi Chris,

I have to make it work for a client, so I will work with you to make
sure I do it in a way that can be used in the general snort code. I am a
C programmer from a previous life, so I may be a little rusty. The
client fully supports open source and has given me permission to submit
any work done as long as it does not compromise the security of their
system.

BTW, can you give me any feedback on the problem I see with changing
rule order causing some alerts not to fire? I posted a while back. I
have had several people tell me they see similar results, but I haven't
seen anything in users or devel lists.

Thanks,

Ron Shuck, CISSP, GCIA, CCSE - Managing Consultant 
Buchanan Associates - A Technology Company in the People Business 
http://www.buchanan.com 
http://www.isc2.org
http://www.giac.org


-----Original Message-----
From: Chris Green [mailto:cmg () sourcefire com] 
Sent: Friday, June 06, 2003 9:44 AM
To: Bennett Todd
Cc: Ron Shuck; snort-users () lists sourceforge net
Subject: Re: [Snort-users] 802.1q Monitoring


Bennett Todd <bet () rahul net> writes:

2003-06-05T16:46:00 Ron Shuck:
Has anyone implemented or tried to monitor a 802.1q (trunked) 
connection with Snort?


[...]


If one snort config will work for all your vlans,

Extend DecodeVlan() to be able to decode what it finds in decode.c and
submit a patch to snort-devel and traffic captures of your trunked vlan
configuration.

Even if you don't have C skills, please send (at least me) a packet
capture of your trunked vlan.

Even if 1 snort config won't work for your vlans, you can use bpf to
filter by vlan id before it goes to snort and then run a separate snort
on each vlan.
-- 
Chris Green <cmg () sourcefire com>
 "Not everyone holds these truths to be self-evident, so we've worked
                  up a proof of them as Appendix A." --  Paul Prescod
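The two suggestions above (teach the decoder to walk the 802.1Q tag and, failing that, pre-filter by VLAN ID with BPF) are easy to see in a small decoder. The following is an added example written for this page, not Snort's DecodeVlan() and not code from anyone in the thread. It parses an Ethernet frame, peels off 802.1Q tags (and, going one step beyond the question, 802.1ad stacked tags), extracts PCP/DEI/VID, and reports the inner ethertype and payload offset; it refuses frames whose tag is cut off, which is the check a decoder must make before it dereferences the tag. The sample frames, the two-tag limit, and the helper names (decode_vlan, frame_on_vlan, vlan_depth, outer_vid, inner_ethertype, payload_offset) are all assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Snort's own code: a minimal 802.1Q decoder of the kind
 * DecodeVlan() in decode.c would need. Ethertypes are from IEEE 802.1Q/802.1ad. */
#define ETH_HDR_LEN     14
#define VLAN_TAG_LEN    4
#define ETHERTYPE_VLAN  0x8100   /* 802.1Q tag */
#define ETHERTYPE_QINQ  0x88A8   /* 802.1ad outer (service) tag */
#define MAX_VLAN_DEPTH  2        /* assumption: decode at most two stacked tags */

struct vlan_info {
    int      depth;                  /* tags found; 0 means untagged */
    uint16_t vid[MAX_VLAN_DEPTH];    /* outermost first */
    uint8_t  pcp[MAX_VLAN_DEPTH];
    uint8_t  dei[MAX_VLAN_DEPTH];
    uint16_t inner_type;             /* ethertype of the encapsulated packet */
    size_t   payload_off;            /* where that packet starts in the frame */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walks the tag stack. Returns 0 on success, -1 if the frame is shorter than
 * the headers it claims to carry or is stacked deeper than MAX_VLAN_DEPTH. */
int decode_vlan(const uint8_t *frame, size_t len, struct vlan_info *out)
{
    memset(out, 0, sizeof(*out));
    if (len < ETH_HDR_LEN) return -1;
    uint16_t type = be16(frame + 12);
    size_t off = ETH_HDR_LEN;
    while (type == ETHERTYPE_VLAN || type == ETHERTYPE_QINQ) {
        if (out->depth >= MAX_VLAN_DEPTH) return -1;
        if (len < off + VLAN_TAG_LEN) return -1;   /* truncated tag: never read past len */
        uint16_t tci = be16(frame + off);
        out->pcp[out->depth] = (uint8_t)(tci >> 13);
        out->dei[out->depth] = (uint8_t)((tci >> 12) & 1);
        out->vid[out->depth] = tci & 0x0FFF;
        out->depth++;
        type = be16(frame + off + 2);
        off += VLAN_TAG_LEN;
    }
    out->inner_type = type;
    out->payload_off = off;
    return 0;
}

/* Same decision as the BPF expression "vlan <vid>": true when the outermost
 * tag carries that VID. Undecodable frames never match. */
int frame_on_vlan(const uint8_t *frame, size_t len, uint16_t vid)
{
    struct vlan_info v;
    if (decode_vlan(frame, len, &v) != 0 || v.depth == 0) return 0;
    return v.vid[0] == vid;
}

/* Scalar views of the decode result (-1 on decode failure). */
int vlan_depth(const uint8_t *f, size_t n)      { struct vlan_info v; return decode_vlan(f, n, &v) ? -1 : v.depth; }
int outer_vid(const uint8_t *f, size_t n)       { struct vlan_info v; return decode_vlan(f, n, &v) ? -1 : (v.depth ? v.vid[0] : -1); }
int inner_ethertype(const uint8_t *f, size_t n) { struct vlan_info v; return decode_vlan(f, n, &v) ? -1 : v.inner_type; }
int payload_offset(const uint8_t *f, size_t n)  { struct vlan_info v; return decode_vlan(f, n, &v) ? -1 : (int)v.payload_off; }

/* Constructed sample frames (MACs and IP bytes are made up for the example). */
#define MACS 0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb
static const uint8_t sample_tagged[]    = { MACS, 0x81,0x00, 0xa0,0x64, 0x08,0x00,   /* PCP 5, VID 100, IPv4 */
                                            0x45,0x00,0x00,0x14,0x00,0x00,0x00,0x00,0x40,0x01,0x00,0x00,
                                            0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02 };
static const uint8_t sample_qinq[]      = { MACS, 0x88,0xa8, 0x00,0xc8, 0x81,0x00, 0x00,0x64, 0x08,0x00,  /* S-VID 200 over C-VID 100 */
                                            0x45,0x00,0x00,0x14 };
static const uint8_t sample_untagged[]  = { MACS, 0x08,0x00, 0x45,0x00,0x00,0x14 };
static const uint8_t sample_truncated[] = { MACS, 0x81,0x00, 0xa0 };   /* tag cut off after one byte */

int main(void)
{
    const struct { const char *name; const uint8_t *f; size_t n; } frames[] = {
        { "tagged",    sample_tagged,    sizeof sample_tagged },
        { "qinq",      sample_qinq,      sizeof sample_qinq },
        { "untagged",  sample_untagged,  sizeof sample_untagged },
        { "truncated", sample_truncated, sizeof sample_truncated },
    };
    for (size_t i = 0; i < sizeof frames / sizeof frames[0]; i++) {
        struct vlan_info v;
        if (decode_vlan(frames[i].f, frames[i].n, &v) != 0) {
            printf("%-9s: undecodable (truncated or too deeply tagged)\n", frames[i].name);
            continue;
        }
        printf("%-9s: depth=%d outer_vid=%d inner_type=0x%04x payload_off=%zu matches 'vlan 100'=%d\n",
               frames[i].name, v.depth, v.depth ? v.vid[0] : -1, v.inner_type, v.payload_off,
               frame_on_vlan(frames[i].f, frames[i].n, 100));
    }
    return 0;
}
```

The decoder loop is the part a DecodeVlan() patch has to get right: each tag is validated against the captured length before it is read, and the payload offset handed to the IP decoder is 14 plus four bytes per tag, not a fixed 14. frame_on_vlan() is the in-process form of the second suggestion; the libpcap equivalent is the filter expression `vlan 100`, which Snort accepts on its command line, so one Snort per VLAN is `snort ... 'vlan 100'`, `snort ... 'vlan 200'`, and so on.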



