Snort mailing list archives
Re: Vlan Tagging Issue with Snort
From: Joel Esler <jesler () sourcefire com>
Date: Fri, 10 Sep 2010 10:05:13 -0400
So, just to clarify, if you don't run the bpf instances, does everything get analyzed properly?

Joel

On Sep 9, 2010, at 7:05 PM, infosec posts wrote:
Greetings Snort Gurus,

Our network folks were recently forced to make some architectural and equipment changes that are creating an issue with our snort monitoring. The core of the problem is that on the switch that sends our IDS sensor traffic via a monitor port, outbound traffic is not tagged, but inbound traffic (from the Internet) comes across as trunk and has 802.1Q vlan tags. This cannot be changed due to architectural restrictions and (sad/ridiculous/stupid) limitations in the network switches.

I know that snort supports and understands vlan tagging, but because only one direction of the traffic is tagged, it is creating a problem for us. Our IDS box runs two snort instances, with filters like this:

BPF="not port 80 and not port 443"
BPF="port 80 and port 443"

In order to see the inbound traffic, I include the "vlan" filter, like so:

BPF="vlan and not port 80 and not port 443"

...but then I *only* see inbound traffic, and not outbound. If I include no BPF filters at all, I can see all inbound and outbound traffic, but then I can't filter ports I don't want to see on a given snort instance.

Tcpdump exhibits the same issue on this box, so I've been testing with it, and have had the following results:

- tcpdump -nni eth1 : all inbound and outbound traffic (no filter applied)
- tcpdump -nni eth1 port 80 : only outbound port 80; tagged traffic is excluded
- tcpdump -nni eth1 vlan and port 80 : only inbound port 80; un-tagged traffic is excluded
- tcpdump -nni eth1 vlan or port 80 : only inbound traffic; not sure why this doesn't catch outbound 80 as well
- tcpdump -nni eth1 vlan or not vlan : all inbound and outbound traffic
- tcpdump -nni eth1 vlan and not vlan : all inbound and outbound traffic
- tcpdump -nni eth1 vlan or not vlan and port 80 : no traffic
- tcpdump -nni eth1 port 80 and vlan : "expression rejects all packets"

A couple of other notes:
- The platform is RHEL5.
- We are limited to one monitor session on the switch feeding the sensor.
At this point, I think I'm down to a last resort of running separate snort instances for inbound and outbound, but I'd really prefer not to add the resource and administrative overhead. We plan to test feeding the monitor session into an access port on a second switch to strip the vlan tags on the inbound packets, but I don't have high hopes for that being successful. Am I missing something? Any other ideas or suggestions? Thanks in advance.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
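An added worked example, not part of the thread and not Snort or libpcap code, showing why the tcpdump results quoted above come out the way they do and how a filter can be written so that both directions pass through the same Snort instance. The one libpcap rule it models is the one pcap-filter(7) documents: the first "vlan" keyword in an expression shifts the link-layer decoding offsets by 4 bytes for every primitive that follows it in the expression text, so "vlan or port 80" tests untagged frames for port 80 at the wrong offset, and "port 80 and vlan" tests the same two bytes for two different EtherTypes, which no frame satisfies. The sample frames are constructed in the file (one outbound untagged and one inbound 802.1Q-tagged frame for a web port and for a non-web port); "port N" is limited to TCP; the filter names FILTER_WEB and FILTER_OTHER are this example's own, and it assumes the second instance above is meant to select port 80 or port 443.

```python
"""Offline check of BPF filter behaviour on tagged and untagged frames.

Only one libpcap rule is modelled: the first `vlan` keyword shifts the
decoding offsets by 4 for every primitive after it in the expression
(a second `vlan` therefore tests for a nested tag). Constructed frames only.
"""
import struct

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800
IPPROTO_TCP = 6


def build_frame(sport, dport, vlan_id=None):
    """Constructed Ethernet/IPv4/TCP frame, with one 802.1Q tag if vlan_id is set."""
    eth = bytes.fromhex("001122334455" "66778899aabb")
    tag = struct.pack("!HH", ETH_P_8021Q, vlan_id & 0x0FFF) if vlan_id is not None else b""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     IPPROTO_TCP, 0, bytes([10, 0, 0, 1]), bytes([192, 168, 1, 2]))
    return eth + tag + struct.pack("!H", ETH_P_IP) + ip + tcp


def _u16(frame, off):
    return struct.unpack_from("!H", frame, off)[0] if off + 2 <= len(frame) else None


def compile_filter(expression):
    """Compile `vlan`, `port N`, and/or/not and parentheses into a predicate."""
    tokens = expression.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0
    shift = 0  # +4 per `vlan` keyword already seen, in lexical order

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def vlan_at(off):
        return lambda f: _u16(f, 12 + off) == ETH_P_8021Q

    def port_at(off, n):  # TCP only in this emulation
        def test(f):
            ip = 14 + off
            if _u16(f, 12 + off) != ETH_P_IP or len(f) < ip + 20:
                return False
            if f[ip] >> 4 != 4 or f[ip + 9] != IPPROTO_TCP:
                return False
            l4 = ip + (f[ip] & 0x0F) * 4
            return n in (_u16(f, l4), _u16(f, l4 + 2))
        return test

    def factor():
        nonlocal shift
        tok = take()
        if tok == "not":
            inner = factor()
            return lambda f: not inner(f)
        if tok == "(":
            inner = expr()
            if take() != ")":
                raise ValueError("missing ')'")
            return inner
        if tok == "vlan":
            pred = vlan_at(shift)
            shift += 4  # everything after this token decodes 4 bytes deeper
            return pred
        if tok == "port":
            return port_at(shift, int(take()))
        raise ValueError("unsupported token %r" % tok)

    def term():
        left = factor()
        while peek() == "and":
            take()
            left = (lambda a, b: lambda f: a(f) and b(f))(left, factor())
        return left

    def expr():
        left = term()
        while peek() == "or":
            take()
            left = (lambda a, b: lambda f: a(f) or b(f))(left, term())
        return left

    pred = expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens")
    return pred


# Constructed samples: outbound untagged, inbound tagged (VLAN 100), web and non-web.
SAMPLE = {
    "out_80": build_frame(51000, 80),
    "out_22": build_frame(51001, 22),
    "in_80": build_frame(80, 51000, vlan_id=100),
    "in_22": build_frame(22, 51001, vlan_id=100),
}

# Untagged test first, tagged test second, so each `port` sees the right offset.
FILTER_WEB = "port 80 or port 443 or (vlan and (port 80 or port 443))"
FILTER_OTHER = "not (" + FILTER_WEB + ")"


def matches(expression):
    """Names of the sample frames the expression accepts."""
    pred = compile_filter(expression)
    return sorted(name for name, frame in SAMPLE.items() if pred(frame))


if __name__ == "__main__":
    for e in ("port 80", "vlan or port 80", "port 80 and vlan", FILTER_WEB, FILTER_OTHER):
        print("%-60s -> %s" % (e, ", ".join(matches(e)) or "(nothing)"))
```

Run against the samples, "port 80" sees only the untagged frame, "vlan or port 80" sees every tagged frame and no untagged one, "port 80 and vlan" sees nothing, and the two-instance pair FILTER_WEB / FILTER_OTHER splits all four frames with nothing lost or duplicated. Note that the naive "not port 80 and not port 443" lets tagged port-80 traffic through, because the negated port tests fail (and so become true) on a tagged frame; the negation has to wrap the whole tagged-or-untagged test. Before trusting any such filter on the sensor, confirm the compiled program with tcpdump -d and check with tcpdump -e that the capture interface really presents the 802.1Q header to libpcap, since a driver that strips tags changes what the filter sees.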
Current thread:
- Vlan Tagging Issue with Snort infosec posts (Sep 09)
- Re: Vlan Tagging Issue with Snort Joel Esler (Sep 10)
- Re: Vlan Tagging Issue with Snort infosec posts (Sep 10)
- Re: Vlan Tagging Issue with Snort Bamm Visscher (Sep 10)
- Re: Vlan Tagging Issue with Snort infosec posts (Sep 10)
- Re: Vlan Tagging Issue with Snort infosec posts (Sep 13)
- Re: Vlan Tagging Issue with Snort Russ Combs (Sep 13)
- Re: Vlan Tagging Issue with Snort infosec posts (Sep 14)
- Re: Vlan Tagging Issue with Snort Russ Combs (Sep 14)
- Re: Vlan Tagging Issue with Snort infosec posts (Sep 17)
- Re: Vlan Tagging Issue with Snort infosec posts (Sep 10)
- Re: Vlan Tagging Issue with Snort Joel Esler (Sep 10)