[tcpdump-workers] [unisog] what changes or filter required accommodate VLAN coding for Shadow, Snort/Acid and especially IPaudit

Chris Green cmg at sourcefire.com
Mon Apr 21 14:35:16 GMT 2003

"Harris, Michael C." <HarrisMC at health.missouri.edu> writes:

> What changes have others made to accommodate VLANs using tcpdump based
> products like Shadow and snort with ACID

I'd call Ipaudit and Snort "libpcap" based products ( see below ). I
don't know much about SHADOW so I won't answer anything on it.
> Am I missing something in having to deal with the two extra columns of
> 802.1q VLAN data?  The raw tcpdump files are created just fine but
> won't the two extra characters in non raw (analyzed text output) at
> the beginning of the line of text throw off the analysis?>
> I assume others have either figured out how to either strip those two
> columns out for each sensor feed or edit the fetchem scripts so its
> analysis deals with the extra columns. I am curious what have others
> done particularly to the stitistics.pl script that produces the daily
> stats
> I see very little even in the tcpdump_workers list about dealing with
> VLANS and almost nothing in the SHADOW, Snort w/ACID and IPaudit
> documentation.  Am I missing something obvious here?

Snort handles 802.1q by just stripping off the VLAN headers and
analyzing everything as if it were on the same segment.  Most of the
time, this is acceptable.  If you want to only anaylze packets on a
particular vlan, you add vlan <vlan_id> to your BPF filter.

IPaudit doesn't seem to handle VLans currently but I'm sure Jon Rifkin
would accept patches to help add it.
Chris Green <cmg at sourcefire.com>
I've had a perfectly wonderful evening. But this wasn't it.
     -- Groucho Marx

More information about the unisog mailing list