Network Security Snort-Users
Re: [Snort-users] Bonding, 1Q - can I do this w/ snort?

Subject: Re: [Snort-users] Bonding, 1Q - can I do this w/ snort?
Date: Sun, 19 Dec 2004 07:54:43 -0600

We are looking for an alternative to using a SPAN / Mirror port on our switches. It seems, for some odd reason, that these are highly sought after resources. As I understand it there is a facility called 802.1Q trunking which allows one to send traffic from different VLANs to a given switch port. That means that the data from half a dozen Class C subnets can get to my Snort's e-net interface. Also as I understand it, Linux can be taught to read 802.1Q through "sub interfaces", so in my case I could configure six logical eth's - one per VLAN - and see data (even though I have an IP assigned - willing to assume the risk). Lastly, I have heard there is a bonding driver that will let me mash the six logical eth's together so I can tell snort to read / monitor that Eth-device.

Is this possible?

No.

A switch is not going to forward _all_ packets just because you defined
802.1Q trunking. The switch is still going to route packets to various
interfaces based on where it knows the destination MAC address exists.
Whether that path happens with or without 802.1Q is irrelevant.

You could use 802.1Q to _reach_ your snort boxes, but it's not a substitute
for port mirroring.

Some layer-two switches provide support for mirroring an entire vlan (as
opposed to mirroring individual ports). And, some Cisco switches provide
support for multiple port-mirrors within the same box (eg, mirror port 5
to 17, and mirror 7 to 23, etc).

Rich
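A toy learning-switch model that illustrates Rich's point, added here as an example (not code from the list, from Snort, or from any switch vendor): a trunk port only receives frames the switch floods or has learned to forward there, while a SPAN destination port receives a copy of every frame. Port numbers, VLAN ids and MAC addresses are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    vlan: int   # 802.1Q tag the frame belongs to
    src: str    # source MAC
    dst: str    # destination MAC


@dataclass
class Switch:
    # port -> VLANs it carries; an access port has one, an 802.1Q trunk has many
    ports: Dict[int, Set[int]]
    mirror_port: Optional[int] = None                          # SPAN destination, if any
    mac_table: Dict[Tuple[int, str], int] = field(default_factory=dict)  # (vlan, mac) -> port

    def forward(self, in_port: int, frame: Frame) -> Dict[int, Frame]:
        """Return {egress_port: frame} for one ingress frame."""
        self.mac_table[(frame.vlan, frame.src)] = in_port      # learn where the source lives
        out: Dict[int, Frame] = {}
        known = self.mac_table.get((frame.vlan, frame.dst))
        if frame.dst != BROADCAST and known is not None:
            if known != in_port:
                out[known] = frame                             # unicast to the learned port only
        else:
            for port, vlans in self.ports.items():             # unknown/broadcast: flood the VLAN
                if port != in_port and frame.vlan in vlans:
                    out[port] = frame
        if self.mirror_port is not None and self.mirror_port != in_port:
            out[self.mirror_port] = frame                      # SPAN copies everything
        return out


def run_scenario() -> Tuple[int, int]:
    """Constructed topology: hosts on access ports 1-3 (VLAN 10) and 4-5 (VLAN 20),
    port 6 is a trunk carrying both VLANs (the Snort box in the question),
    port 7 is a SPAN port. Returns (frames seen on trunk, frames seen on SPAN)."""
    sw = Switch(ports={1: {10}, 2: {10}, 3: {10}, 4: {20}, 5: {20}, 6: {10, 20}},
                mirror_port=7)
    mac = {p: f"00:00:00:00:00:0{p}" for p in range(1, 6)}    # constructed MACs
    vlan_of = {1: 10, 2: 10, 3: 10, 4: 20, 5: 20}
    traffic = [(p, BROADCAST) for p in mac]                    # ARP-style broadcasts first
    traffic += [(1, mac[2]), (2, mac[1]), (3, mac[1]), (4, mac[5]), (5, mac[4])]  # then unicast
    seen_trunk = seen_span = 0
    for in_port, dst in traffic:
        egress = sw.forward(in_port, Frame(vlan_of[in_port], mac[in_port], dst))
        seen_trunk += 6 in egress
        seen_span += 7 in egress
    return seen_trunk, seen_span
```

Once the MAC table is populated, the trunk port sees only the flooded frames, while the SPAN port still sees every host-to-host conversation.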



