[Oisf-users] Suricata VLAN

Eric Leblond eric at regit.org
Wed Feb 15 09:15:56 UTC 2012


Hello,

On Wednesday 15 February 2012 at 10:11 +0100, Christophe Vandeplas
wrote:
> Hello,
> 
> I have a situation where a switch is acting 'originally' with traffic mirroring.
> 
> The mirrored traffic in inbound direction is in the native vlan, and
> the outbound is in a tagged vlan.
> 
> I wonder how Suricata handles these flows.
> Will it be able to reconstruct the TCP sessions correctly? Even if the
> traffic is not in the same VLAN?
> 
> What would be the impact if it doesn't reconstruct the traffic?
> I'm certain that some things will still work, but I'm not certain
> about the real impact.

You may want to use a BPF expression to only select the packets from one
of the VLANs. For example, "not vlan XX" should select only the incoming
packets. This could avoid issues with seeing each packet twice.

To provide a BPF, just add it at the end of the suricata command line.

BR,
--
Eric
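As an added illustration (not part of the thread), the following Python emulates what the BPF primitive "not vlan XX" keeps from the mirrored traffic described above: untagged (native VLAN) frames pass, frames whose outermost 802.1Q tag carries the given VID are dropped. The VLAN id 100, the MAC addresses and the payload bytes are constructed for the example; the tag-stack parser is a simplified stand-in for libpcap's own matcher.

```python
"""Classify constructed Ethernet frames the way a "not vlan <vid>" BPF
filter would, so the effect of the filter can be checked offline."""
import struct

ETH_P_8021Q = 0x8100   # 802.1Q tag protocol identifier (TPID)
ETH_P_8021AD = 0x88A8  # 802.1ad service tag (outer tag of a QinQ frame)
ETH_P_IP = 0x0800


def build_frame(vid=None, payload=b"\x45" + b"\x00" * 19):
    """Construct an Ethernet frame; 802.1Q-tagged with VID `vid` if given.
    MACs and payload are made-up sample values."""
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("66778899aabb")
    if vid is None:
        return dst + src + struct.pack("!H", ETH_P_IP) + payload
    # TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits); PCP = 0, DEI = 0 here
    tci = vid & 0x0FFF
    return dst + src + struct.pack("!HHH", ETH_P_8021Q, tci, ETH_P_IP) + payload


def vlan_ids(frame):
    """Return the VLAN ids of the tag stack, outermost first ([] if untagged)."""
    ids = []
    off = 12  # EtherType / first TPID follows the two MAC addresses
    while off + 4 <= len(frame):
        (ethertype,) = struct.unpack_from("!H", frame, off)
        if ethertype not in (ETH_P_8021Q, ETH_P_8021AD):
            break
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        ids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VID
        off += 4  # skip TPID + TCI and look at the next EtherType
    return ids


def matches_not_vlan(frame, vid):
    """Emulate "not vlan <vid>": True for untagged frames and for frames
    whose outermost tag is some other VID."""
    ids = vlan_ids(frame)
    return not ids or ids[0] != vid


def select_frames(frames, vid):
    """Keep only the frames that "not vlan <vid>" would hand to Suricata."""
    return [f for f in frames if matches_not_vlan(f, vid)]


if __name__ == "__main__":
    mirrored = [build_frame(), build_frame(vid=100), build_frame(vid=200)]
    print(len(select_frames(mirrored, 100)), "of", len(mirrored), "frames kept")
```

When combining this with other primitives, note that in libpcap the first `vlan` keyword in an expression shifts the decoding offsets for the rest of the expression, so put primitives such as `tcp port 80` before it and verify the compiled filter with `tcpdump -d '<expression>'`.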