Snort mailing list archives
Re: 802.1q Monitoring
From: Chris Green <cmg () sourcefire com>
Date: Fri, 06 Jun 2003 10:43:38 -0400
Bennett Todd <bet () rahul net> writes:
2003-06-05T16:46:00 Ron Shuck: Has anyone implemented or tried to monitor an 802.1q (trunked) connection with Snort?
[...]
If one snort config will work for all your vlans,
Extend DecodeVlan() to be able to decode what it finds in decode.c and submit a patch to snort-devel and traffic captures of your trunked vlan configuration.
Even if you don't have C skills, please send (at least me) a packet capture of your trunked vlan.
Even if 1 snort config won't work for your vlans, you can use bpf to filter by vlan id before it goes to snort and then run a separate snort on each vlan.
--
Chris Green <cmg () sourcefire com>
"Not everyone holds these truths to be self-evident, so we've worked up a proof of them as Appendix A." -- Paul Prescod
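The 802.1Q tag layout that a VLAN decoder has to handle, and the VLAN ID that a per-VLAN filter keys on, as an added C example that is not from the original post and is not Snort's decode.c. The names `decode_vlan_frame` and `struct vlan_info` are hypothetical and the sample frame is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_HDR_LEN    14      /* dst MAC + src MAC + EtherType */
#define VLAN_TAG_LEN   4       /* TPID + TCI */
#define ETHERTYPE_VLAN 0x8100  /* 802.1Q Tag Protocol Identifier */
struct vlan_info {
    int      tagged;      /* 1 if an 802.1Q tag was present */
    uint8_t  priority;    /* PCP, top 3 bits of the TCI */
    uint8_t  dei;         /* CFI/DEI bit of the TCI */
    uint16_t vlan_id;     /* VID, low 12 bits of the TCI */
    uint16_t inner_type;  /* EtherType of the encapsulated payload */
    size_t   payload_off; /* offset of the payload within the frame */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 0 on success, -1 if the frame is too short to decode safely. */
int decode_vlan_frame(const uint8_t *frame, size_t len, struct vlan_info *out)
{
    if (frame == NULL || out == NULL || len < ETH_HDR_LEN) return -1;
    *out = (struct vlan_info){0};
    out->inner_type = be16(frame + 12);
    out->payload_off = ETH_HDR_LEN;
    if (out->inner_type != ETHERTYPE_VLAN) return 0;   /* untagged frame */
    if (len < ETH_HDR_LEN + VLAN_TAG_LEN) return -1;   /* tag cut off by snaplen */
    uint16_t tci = be16(frame + 14);
    out->tagged = 1;
    out->priority = (uint8_t)(tci >> 13);
    out->dei = (uint8_t)((tci >> 12) & 1);
    out->vlan_id = tci & 0x0FFF;
    out->inner_type = be16(frame + 16);
    out->payload_off = ETH_HDR_LEN + VLAN_TAG_LEN;
    return 0;
}

/* Constructed sample: tagged frame header, priority 5, VLAN 100, IPv4 inside. */
static const uint8_t sample_tagged[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb,
    0x81,0x00, 0xa0,0x64, 0x08,0x00 };

int main(void)
{
    struct vlan_info v;
    if (decode_vlan_frame(sample_tagged, sizeof sample_tagged, &v) == 0)
        printf("vlan=%u prio=%u type=0x%04x\n", v.vlan_id, v.priority, v.inner_type);
    return 0;
}
```

A sensor that receives tagged frames but only inspects offset 12 for the EtherType sees 0x8100 instead of IPv4, which is why the trunk traffic has to be decoded or filtered by VLAN before detection rules apply.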