[unisog] what changes or filter required accommodate VLAN coding for Shadow, Snort/Acid and especially IPaudit

Harris, Michael C. HarrisMC at health.missouri.edu
Fri Apr 18 16:35:09 GMT 2003


What changes have others made to accommodate VLANs using tcpdump based products like Shadow and snort with ACID

Am I missing something in having to deal with the two extra columns of 802.1q VLAN data?  The raw tcpdump files are created just fine but won't the two extra characters in non raw (analyzed text output) at the beginning of the line of text throw off the analysis? 

I assume others have either figured out how to either strip those two columns out for each sensor feed or edit the fetchem scripts so its analysis deals with the extra columns. I am curious what have others done particularly to the stitistics.pl script that produces the daily stats

I see very little even in the tcpdump_workers list about dealing with VLANS and almost nothing in the SHADOW, Snort w/ACID and IPaudit documentation.  Am I missing something obvious here?

Mike




More information about the unisog mailing list