
Snort Forums Archive


Snort on dot1q trunk


Posted by signalno9 on May 12, 2005 14:12:49

I would like to place a Snort box in between two Cisco devices that are
connected with a dot1q trunk. I would like to do it transparently and with
only one Snort process. The only way that I could come up with so far
involved having a separate process running for each vlan aliased interface
using vlanconfig or something of the like. Has anyone else done (or tried)
doing this? If so, please share!

Posted by TonyC on May 16, 2005 17:46:56

Have you looked at using the bridging features of the Linux kernel?

http://bridge.sourceforge.net/

Say something like...
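# take both NICs down, then bring them back up with no IP address
/sbin/ifconfig eth0 down
/sbin/ifconfig eth1 down
/sbin/ifconfig eth0 0.0.0.0 up
/sbin/ifconfig eth1 0.0.0.0 up
# create the bridge, enable spanning tree, attach both NICs
/usr/sbin/brctl addbr br0
/usr/sbin/brctl stp br0 on
/usr/sbin/brctl addif br0 eth1
/usr/sbin/brctl addif br0 eth0
# bring the bridge device itself up so it starts forwarding
/sbin/ifconfig br0 up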

I think the bridge will pass all your traffic, and I think you can run Snort on one of the bridged interfaces. You may want to add an additional ethernet card for manageability.

Thanks,
-Tony
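
Added example, not part of the thread and not Snort's own code: a single listener on a trunk or bridge member port receives frames from every VLAN, each carrying a 4-byte 802.1Q tag after the source MAC, so one process can separate traffic by VLAN ID. The frames below are constructed sample data, and the function names are hypothetical.

```python
import struct

TPID_8021Q = 0x8100  # IEEE 802.1Q tag protocol identifier


def parse_dot1q(frame: bytes):
    """Return (vlan_id, priority, ethertype, payload).

    vlan_id and priority are None for untagged frames, which on a
    dot1q trunk belong to the native VLAN.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None, None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    # TCI = 3 bits priority, 1 bit DEI, 12 bits VLAN ID
    tci, inner_type = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, tci >> 13, inner_type, frame[18:]


def count_by_vlan(frames):
    """Tally frames per VLAN ID, as one sensor on the trunk would see them."""
    counts = {}
    for frame in frames:
        vlan = parse_dot1q(frame)[0]
        counts[vlan] = counts.get(vlan, 0) + 1
    return counts


def build_frame(vlan, ethertype=0x0800, payload=b"\x00" * 46, priority=0):
    """Construct a sample Ethernet frame (test data only, MACs are made up)."""
    dst = bytes.fromhex("01005e000001")
    src = bytes.fromhex("020000000001")
    tag = b""
    if vlan is not None:
        tag = struct.pack("!HH", TPID_8021Q, (priority << 13) | vlan)
    return dst + src + tag + struct.pack("!H", ethertype) + payload


# Constructed sample: VLAN 10 twice, VLAN 20 once, one untagged (native VLAN)
SAMPLE_FRAMES = [build_frame(10), build_frame(20, priority=5),
                 build_frame(10), build_frame(None)]

if __name__ == "__main__":
    print(count_by_vlan(SAMPLE_FRAMES))
```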