Snort mailing list archives

Re: Bonding, 1Q - can I do this w/ snort?


From: Rich Adamson <radamson () routers com>
Date: Sun, 19 Dec 2004 07:54:43 -0600


> We are looking for an alternative to using a SPAN / Mirror port on our switches.  It seems,
> for some odd reason, that these are highly sought after resources.  As I understand it there is
> a facility called 802.1Q trunking which allows one to send traffic from different V-Lan's to a
> given switch port.  That means that the data from half a dozen Class C subnets can get to my
> Snort's e-net interface.  Also as I understand it, Linux can be taught to read 802.1Q through
> "sub interfaces", so in my case I could configure six logical eth's - one per Vlan - and see
> data (even though I have an IP assigned - willing to assume the risk).  Lastly, I have heard
> there is a bonding driver that will let me mash the six logical eth's together so I can tell
> snort to read / monitor that Eth-device.
>
> Is this possible?

No.

A switch is not going to forward _all_ packets just because you defined
802.1Q trunking. The switch is still going to route packets to various
interfaces based on where it knows the destination MAC address exists.
Whether that path happens with or without 802.1Q is irrelevant.

You could use 802.1Q to _reach_ your snort boxes, but it's not a substitute
for port mirroring.

Some layer-two switches provide support for mirroring an entire vlan (as
opposed to mirroring individual ports). And, some Cisco switches provide
support for multiple port-mirrors within the same box (eg, mirror port 5
to 17, and mirror 7 to 23, etc).

Rich
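
Added illustration, not part of the original message: a toy model of a VLAN-aware learning switch that compares what a sensor receives on an 802.1Q trunk port with what it receives on a mirror destination port. The port numbers, MAC labels and traffic list are constructed for the example.

```python
from collections import defaultdict

BCAST = "ff:ff:ff:ff:ff:ff"

class Switch:
    """Toy VLAN-aware learning switch (constructed model, not any vendor's code)."""
    def __init__(self, access, trunks=(), mirror=None):
        self.access = access            # access port -> VLAN id
        self.trunks = set(trunks)       # ports carrying every VLAN (802.1Q)
        self.mirror = mirror or {}      # mirrored source port -> destination port
        self.fdb = {}                   # (vlan, mac) -> port, learned from source MACs
        self.seen = defaultdict(list)   # port -> frames delivered there

    def receive(self, in_port, vlan, src, dst):
        self.fdb[(vlan, src)] = in_port
        known = self.fdb.get((vlan, dst))
        if dst != BCAST and known is not None:
            out = {known}               # known unicast: one port only
        else:                           # broadcast / unknown unicast: flood the VLAN
            out = {p for p, v in self.access.items() if v == vlan} | self.trunks
        out.discard(in_port)
        # Port mirroring copies frames received on or sent out of a source port.
        out |= {self.mirror[p] for p in out | {in_port} if p in self.mirror}
        for p in out:
            self.seen[p].append((vlan, src, dst))

# Constructed traffic: (ingress port, VLAN, source MAC, destination MAC)
TRAFFIC = [
    (1, 10, "A", BCAST), (2, 10, "B", "A"), (1, 10, "A", "B"), (2, 10, "B", "A"),
    (3, 20, "C", "D"), (4, 20, "D", "C"), (3, 20, "C", "D"),
]
ACCESS = {1: 10, 2: 10, 3: 20, 4: 20}

def sensor_view(sensor_port, trunks=(), mirror=None):
    """Replay TRAFFIC through a fresh switch and return what the sensor port received."""
    sw = Switch(ACCESS, trunks, mirror)
    for frame in TRAFFIC:
        sw.receive(*frame)
    return sw.seen[sensor_port]

if __name__ == "__main__":
    trunk = sensor_view(24, trunks=[24])
    span = sensor_view(23, mirror={1: 23, 3: 23})
    print(f"trunk port sees {len(trunk)}/{len(TRAFFIC)} frames: {trunk}")
    print(f"mirror port sees {len(span)}/{len(TRAFFIC)} frames")
```

In this model the trunk port receives only the flooded frames (the broadcast and the first unknown-unicast frame), while the mirror destination receives every frame that crosses the mirrored ports.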



