[Snort-users] Re: [Snort-devel] Snort 1.8 status update

Todd Lewis

Apr 20, 2001, 7:52:15 PM
Would paengine integration be doable for 1.8, since it's a major release?
I could do the work if there is time; I'd need a few days, but this
weekend could count if I get word soon.

--
Todd Lewis
tle...@mindspring.com


_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Scott A. McIntyre

Apr 21, 2001, 5:09:30 AM

Wow, looks like a lot has made it into 1.8 -- well done all!

I don't suppose there is any chance of proper vlan support wiggling its
way into 1.8? Just the ability to be able to recognize vlan trunked
traffic for what it was, stripping off the appropriate bytes from the
ethernet frames would help a lot, but being able to filter based on vlan
IDs would also be pretty cool too.

scott

Martin Roesch

Apr 21, 2001, 12:12:28 PM
I added 802.1q protocol decoding/support on Wednesday, so I think you're
all set. Filtering on vlan tags hasn't been implemented, but I suppose
I could do something like that if I get the chance. No promises, but
I'll look at it...

-Marty

"Scott A. McIntyre" wrote:
>
> Wow, looks like a lot has made it into 1.8 -- well done all!
>
> I don't suppose there is any chance of proper vlan support wiggling its
> way into 1.8? Just the ability to be able to recognize vlan trunked
> traffic for what it was, stripping off the appropriate bytes from the
> ethernet frames would help a lot, but being able to filter based on vlan
> IDs would also be pretty cool too.
>
> scott

--
Martin Roesch
roe...@md.prestige.net
http://www.snort.org

Gee-Clough, Aaron

Apr 22, 2001, 4:03:52 PM
Thank you, Marty. It'll be very useful.

I looked into vlan tag filtering earlier, as I was playing with the CVS
version that supported vlan tags, and I learned that the newest version of
libpcap allows a bpf filter for 802.1q tags. The filter is, predictably,
"vlan". I.e., you can run snort with (on Solaris)
"snort <insert command line options here> vlan 4" to get just vlan 4
traffic. Mind, this required me to upgrade to libpcap 0.6.2, but it was
time for me to do that, anyway.

That kinda filtering is enough for me. Since I'd like to have different
sets of rules for each vlan, I'll just launch different instances of snort
for each vlan.

Aaron
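
The tag handling discussed in this thread (recognising an 802.1Q tag, stripping its four bytes, and selecting on the VLAN ID), as an added example that is not part of the original messages and is not Snort's or libpcap's code. The names `decode_vlan`, `frame_in_vlan` and `sample_frame` are hypothetical, and the frame bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>

#define ETH_HDR_LEN  14      /* dst MAC + src MAC + EtherType */
#define VLAN_TAG_LEN 4       /* TPID (2 bytes) + TCI (2 bytes) */
#define TPID_8021Q   0x8100  /* EtherType value that marks an 802.1Q tag */

struct vlan_info {
    int      tagged;       /* 1 if an 802.1Q tag was present */
    uint16_t vlan_id;      /* low 12 bits of the TCI */
    uint8_t  priority;     /* top 3 bits of the TCI */
    uint16_t ethertype;    /* EtherType of the encapsulated protocol */
    size_t   payload_off;  /* where the payload starts once the tag is skipped */
};

/* Constructed sample: broadcast frame tagged VLAN 4, priority 5, carrying IPv4. */
const uint8_t sample_frame[] = {
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff,  0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
    0x81, 0x00,  0xa0, 0x04,  0x08, 0x00,  0x45, 0x00 };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 0 on success, -1 if the frame is too short to decode safely. */
int decode_vlan(const uint8_t *frame, size_t len, struct vlan_info *out)
{
    if (frame == NULL || out == NULL || len < ETH_HDR_LEN)
        return -1;
    *out = (struct vlan_info){0};
    out->ethertype = be16(frame + 12);
    out->payload_off = ETH_HDR_LEN;
    if (out->ethertype != TPID_8021Q)
        return 0;                          /* untagged: nothing to strip */
    if (len < ETH_HDR_LEN + VLAN_TAG_LEN)
        return -1;                         /* tag announced but truncated */
    uint16_t tci = be16(frame + 14);
    out->tagged = 1;
    out->priority = (uint8_t)(tci >> 13);
    out->vlan_id = (uint16_t)(tci & 0x0FFF);
    out->ethertype = be16(frame + 16);     /* real EtherType follows the tag */
    out->payload_off = ETH_HDR_LEN + VLAN_TAG_LEN;
    return 0;
}

/* Per-VLAN selection applied after decoding: 1 if the frame is tagged `want`. */
int frame_in_vlan(const uint8_t *frame, size_t len, uint16_t want)
{
    struct vlan_info vi;
    return decode_vlan(frame, len, &vi) == 0 && vi.tagged && vi.vlan_id == want;
}
```

A sensor that never checks for the 0x8100 TPID reads the tag bytes as the start of the network header, so trunked traffic is misdecoded rather than inspected.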
