RE: VLAN tagging question

[Graeme Fowler <graeme.fowler () hosteurope com>]

Andrew Wild wrote:

> OK, I understand this, but I want to monitor multiple 
> VLANs at the same time without having to span ports and
> use multiple ethernet interfaces on my IDS host.

Might be a long shot, but you could do worse than patch your kernel with
either of the different VLAN patches available from:

http://vlan.sourceforge.net
http://scry.wanfear.com/~greear/vlan.html

The second of these appears to have made it into the later versions of 2.4.x
(from 2.4.14) so might be the better bet, although I've used code from the
former developers before (the bridge patches) and they were rather neat.

If you run an 802.1q VLAN-capable kernel, then you should be able to create
VLAN interfaces and have all the tags stripped before the packets reach
Snort. Give it a whirl - if it works it'll be a worthwhile addition to
everyone's armoury, I suspect!

Graeme
-- 
Graeme Fowler
System Administrator
Host Europe Group PLC

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users