[Oisf-users] Using Suricata in Multi-vlan network environment

Leonard Jacobs ljacobs at netsecuris.com
Wed Dec 5 13:23:50 UTC 2018


Sniffing VLAN traffic, correct. However, the particular brand of layer 3 switches does offer VLAN port mirroring, so I am not sure where Suricata could sniff VLAN traffic in the switch stack. The stack does offer regular or traditional port mirroring. If we do many-to-1 port mirroring, I am concerned that sniffing may be overwhelming. I don't know. Maybe not. Each switch has VLANs split across them.


We thought VLAN mirroring would be easier to see all the traffic across multiple VLANs even if we monitor one VLAN. It would see traffic when systems communicate to systems on a VLAN we are not sniffing, but I am not sure we would see all traffic that way.



Thanks.

Leonard 



From: Peter Manev <petermanev at gmail.com>
To: Leonard Jacobs <ljacobs at netsecuris.com>
Cc: oisf-users <oisf-users at openinfosecfoundation.org>
Sent: 12/5/2018 2:24 AM
Subject: Re: [Oisf-users] Using Suricata in Multi-vlan network environment

On Mon, Dec 3, 2018 at 10:19 PM Leonard <ljacobs at netsecuris.com> wrote: 
> 
> How would you suggest using in a network environment where a set of layer 3 switches are used to build multiple VLANs? The VLANs separate servers from PCs.
> 
 
In what way do you mean? (Just sniffing VLAN traffic?) Suricata can
utilize VLAN tracking -
https://github.com/OISF/suricata/blob/master/suricata.yaml.in#L1237
 
Thank you 
 
 
--  
Regards, 
Peter Manev 

