--
Doug Burks
--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
I'm not currently monitoring VLAN tagged traffic, but I plan to. I agree with what Kevin has suggested:
4. I suggest for both upgrades and first time installs, that the MTU be automatically adjusted to achieve a Suricata snaplen of 1518, but only if it is not already something higher. Some folks may be monitoring jumbo frame links.
Thanks,
Wes
1. No
2. Yes
3. No
I agree with Doug that maybe two options are best with the default snaplen size being set to the size of VLAN tagged frames.
Jumbo frames are becoming more prevalent on the LAN with the use of iSCSI and other protocols that benefit from it. Had a SANS instructor not too long ago talk about an attacker hiding and moving laterally in an iSCSI storage network.