Snort mailing list archives

Re: VLAN- Tagged/Untagged and Snort rules


From: Joel Esler <jesler () sourcefire com>
Date: Thu, 4 Oct 2012 11:20:32 -0400

On Oct 4, 2012, at 10:32 AM, amN0P () me com wrote:

Hi everyone,

I was doing some reading on this topic but wasn't able to find a conclusive answer. How does Snort handle traffic coming 
from a mirrored port on a network switch which is a mix of VLAN-tagged and untagged traffic? Because of this, would Snort 
signatures fail or give false positives? If yes, what is the best way to handle it, so that Snort works as intended? 
Thanks for your time and help.

Snort strips the VLAN tag out and inspects it.  The VLAN tag is preserved in the logging of an event, but it has no 
bearing on detection.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
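The behaviour Joel describes, as an added example that is not part of the original thread and not Snort's own decoder: a small Python decoder that peels 802.1Q (and stacked 802.1ad) tags off a frame before a content match runs, keeps the VLAN IDs only as metadata for the event record, and shows that an untagged frame, a tagged copy and a double-tagged copy all produce the same detection result. The frames and the single content "rule" are constructed for the example; the IPv4/TCP builder leaves checksums zero because the decoder never checks them.

```python
"""Constructed example (not Snort code): strip 802.1Q tags before matching.

Builds an untagged Ethernet/IPv4/TCP frame and VLAN-tagged copies of it,
decodes each the way an IDS decoder does (peel the tag, keep it as metadata),
and runs a simple content match on the inner payload of each.
"""
import struct

ETHERTYPE_VLAN = 0x8100      # 802.1Q customer tag
ETHERTYPE_QINQ = 0x88A8      # 802.1ad service (outer) tag
ETHERTYPE_IPV4 = 0x0800


def ipv4_tcp_frame(payload: bytes) -> bytes:
    """Build a minimal untagged Ethernet II / IPv4 / TCP frame (constructed test data).
    Checksums are left zero; the decoder below does not verify them."""
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("66778899aabb")
    # src port, dst port, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    total_len = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + tcp
    return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + ip


def add_vlan_tag(frame: bytes, vid: int, pcp: int = 0, tpid: int = ETHERTYPE_VLAN) -> bytes:
    """Insert one 802.1Q/802.1ad tag (TPID + TCI) after the two MAC addresses."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def strip_vlan_tags(frame: bytes):
    """Decode like an IDS: peel every stacked tag, return (vlan_ids, inner_frame).
    inner_frame is a plain Ethernet II frame whose ethertype is the payload's,
    so it is byte-identical to the frame as it would look untagged."""
    vlan_ids = []
    rest = frame[12:]
    while len(rest) >= 4 and struct.unpack("!H", rest[:2])[0] in (ETHERTYPE_VLAN, ETHERTYPE_QINQ):
        tci = struct.unpack("!H", rest[2:4])[0]
        vlan_ids.append(tci & 0x0FFF)   # outermost tag first
        rest = rest[4:]
    return vlan_ids, frame[:12] + rest


def tcp_payload(inner_frame: bytes) -> bytes:
    """Extract the TCP payload from an untagged Ethernet/IPv4/TCP frame."""
    if struct.unpack("!H", inner_frame[12:14])[0] != ETHERTYPE_IPV4:
        return b""
    ip = inner_frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                       # not TCP
        return b""
    tcp = ip[ihl:]
    doff = (tcp[12] >> 4) * 4
    return tcp[doff:]


def inspect(frame: bytes, content: bytes) -> dict:
    """Apply a single content-match 'rule' after tag stripping.
    The VLAN ids play no part in the match; they are returned only for the event log."""
    vlan_ids, inner = strip_vlan_tags(frame)
    return {"match": content in tcp_payload(inner), "vlan": vlan_ids}


if __name__ == "__main__":
    untagged = ipv4_tcp_frame(b"GET /etc/passwd HTTP/1.0\r\n")
    tagged = add_vlan_tag(untagged, vid=100)
    qinq = add_vlan_tag(add_vlan_tag(untagged, vid=100), vid=200, tpid=ETHERTYPE_QINQ)
    for name, f in (("untagged", untagged), ("tagged", tagged), ("qinq", qinq)):
        print(name, inspect(f, b"/etc/passwd"))
```

The point to take from the output is that `match` is identical for all three frames while `vlan` differs, which is the split Joel describes: the tag is carried into the event record but never reaches the rule engine. Mixed tagged and untagged traffic on one SPAN port therefore does not by itself cause misses or false positives; what it can affect is how flows are keyed and reported, which is why the VLAN ID is worth keeping in the alert.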