Re: Vlan Tagging Issue with Snort

[Joel Esler <jesler () sourcefire com>]

So, just to clarify, if you don't run the bpf instances, does everything get analyzed properly?

Joel

On Sep 9, 2010, at 7:05 PM, infosec posts wrote:

> Greetings Snort Gurus,
>
> Our network folks were recently forced to make some architectural and
> equipment changes that are creating an issue with our snort
> monitoring.  The core of the problem is that on the switch that sends
> our IDS sensor traffic via a monitor port, outbound traffic is not
> tagged, but inbound traffic (from the Internet) come across at trunk
> and have 802.1Q vlan tags.  This cannot be changed due to
> architectural restrictions and (sad/ridiculous/stupid) limitations in
> the network swtiches.  I know that snort supports and understands vlan
> tagging, but because only one direction of the traffic is tagged, it
> is creating a problem for us.
>
> Our IDS box runs two snort instances, with filters like this:
>
> BPF="not port 80 and not port 443"
> BPF="port 80 and port 443"
>
> In order to see the inbound traffic, I include the "vlan" filter, like so:
> BPF="vlan and not port 80 and not port 443"
>
> ...but then I *only* see inbound traffic, and not outbound.
>
> If I include no BPF filters at all, I can see all inbound and outbound
> traffic, but then I can't filter ports I don't want to see on a given
> snort instance.  Tcpdump exhibits the same issue on this box, so I've
> been testing with it, and have had the following results:
>
> tcpdump –nni eth1 : all inbound and outbound traffic (no filter applied)
>
> tcpdump –nni eth1 port 80 : only outbound port 80; tagged traffic is excluded
>
> tcpdump –nni eth1 vlan and port 80  : only inbound port 80; un-tagged
> traffic is excluded
>
> tcpdump –nni eth1 vlan or port 80  :  only inbound traffic; not sure
> why this doesn’t catch outbound 80 as well
>
> tcpdump –nni eth1 vlan or not vlan :  all inbound and outbound traffic
> tcpdump –nni eth1 vlan and not vlan :  all inbound and outbound traffic
>
> tcpdump –nni eth1 vlan or not vlan and port 80 :  no traffic
>
> tcpdump -nni eth1 port 80 and vlan : “expression rejects all packets”
>
> A couple of other notes:
> -The platform is RHEL5.
> -We are limited to one monitor session on the swtich feeding the sensor.
>
> At this point, I think I'm down to a last resort of running separate
> snort instances for inbound and outbound, but I'd really prefer not to
> add the resource and administrative overhead.  We plan to test feeding
> the monitor session into an access port on a second switch to strip
> the vlan tags on the inbound packets, but I don't have high hopes for
> that being successful.
>
> Am I missing something?  Any other ideas or suggestions?
>
> Thanks in advance.
>
> ------------------------------------------------------------------------------
> Automate Storage Tiering Simply
> Optimize IT performance and efficiency through flexible, powerful, 
> automated storage tiering capabilities. View this brief to learn how
> you can reduce costs and improve performance. 
> http://p.sf.net/sfu/dell-sfdev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


------------------------------------------------------------------------------
Automate Storage Tiering Simply
Optimize IT performance and efficiency through flexible, powerful, 
automated storage tiering capabilities. View this brief to learn how
you can reduce costs and improve performance. 
http://p.sf.net/sfu/dell-sfdev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users