--
Todd Lewis
tle...@mindspring.com
_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Wow, looks like a lot has made it into 1.8 -- well done all!
I don't suppose there is any chance of proper vlan support wiggling its
way into 1.8? Just the ability to be able to recognize vlan trunked
traffic for what it was, stripping off the appropriate bytes from the
ethernet frames would help a lot, but being able to filter based on vlan
IDs would also be pretty cool too.
scott
-Marty
"Scott A. McIntyre" wrote:
>
> Wow, looks like a lot has made it into 1.8 -- well done all!
>
> I don't suppose there is any chance of proper vlan support wiggling its
> way into 1.8? Just the ability to be able to recognize vlan trunked
> traffic for what it was, stripping off the appropriate bytes from the
> ethernet frames would help a lot, but being able to filter based on vlan
> IDs would also be pretty cool too.
>
> scott
--
Martin Roesch
roe...@md.prestige.net
http://www.snort.org
I looked into vlan tag filtering earlier, as I was playing with the CVS
version that supported vlan tags, and I learned that the newest version of
libpcap allows a bpf filter for 802.1q tags. The filter is, predictably,
"vlan". I.e., you can run snort with (on Solaris)
"snort <insert command line options here> vlan 4" to get just vlan 4
traffic. Mind, this required me to upgrade to libpcap 0.6.2, but it was
time for me to do that, anyway.
That kinda filtering is enough for me. Since I'd like to have different
sets of rules for each vlan, I'll just launch different instances of snort
for each vlan.
Aaron
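
The tag handling discussed in this thread (recognizing 802.1Q trunked frames, stripping the tag bytes, and reading the VLAN ID that a filter such as "vlan 4" matches on), as an added example that is not part of the original messages and is not Snort or libpcap code. The struct, function names and sample frame are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN  14      /* dst MAC + src MAC + EtherType */
#define VLAN_TAG_LEN 4       /* TPID (0x8100) + 16-bit TCI */
#define TPID_8021Q   0x8100

struct vlan_info {           /* illustrative struct, not a Snort type */
    int      tagged;         /* 1 if an 802.1Q tag was found */
    uint8_t  pcp;            /* 3-bit priority from the TCI */
    uint16_t vid;            /* 12-bit VLAN ID from the TCI */
    uint16_t ethertype;      /* EtherType of the encapsulated payload */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Decode the frame and, if it is tagged, remove the 4 tag bytes in place.
 * Returns the resulting frame length, or 0 if the frame is truncated. */
size_t vlan_strip(uint8_t *f, size_t len, struct vlan_info *out)
{
    memset(out, 0, sizeof *out);
    if (len < ETH_HDR_LEN) return 0;
    out->ethertype = rd16(f + 12);
    if (out->ethertype != TPID_8021Q) return len;       /* untagged: leave as is */
    if (len < ETH_HDR_LEN + VLAN_TAG_LEN) return 0;     /* tag cut short */
    uint16_t tci = rd16(f + 14);
    out->tagged = 1;
    out->pcp = (uint8_t)(tci >> 13);
    out->vid = tci & 0x0FFF;
    out->ethertype = rd16(f + 16);
    memmove(f + 12, f + 16, len - 16);                  /* close the 4-byte gap */
    return len - VLAN_TAG_LEN;
}

/* Constructed sample: broadcast frame, TCI 0x6004 (PCP 3, VLAN 4), IPv4 stub */
const uint8_t sample_tagged[] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x11,0x22,0x33,0x44,0x55,
    0x81,0x00, 0x60,0x04, 0x08,0x00, 0x45,0x00,0x00,0x14 };

int main(void)
{
    uint8_t buf[sizeof sample_tagged];
    struct vlan_info vi;
    memcpy(buf, sample_tagged, sizeof buf);
    size_t n = vlan_strip(buf, sizeof buf, &vi);
    printf("tagged=%d vid=%u pcp=%u type=0x%04x len=%zu\n", vi.tagged,
           (unsigned)vi.vid, (unsigned)vi.pcp, (unsigned)vi.ethertype, n);
    return 0;
}
```

A sensor that only decodes untagged Ethernet reads 0x8100 as an unknown EtherType on a trunk port, so the encapsulated IP traffic goes uninspected unless the tag is handled this way.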