[Oisf-users] Using Suricata in Multi-vlan network environment
Leonard Jacobs
ljacobs at netsecuris.com
Wed Dec 5 13:23:50 UTC 2018
Sniffing VLAN traffic, correct. However, the particular brand of layer 3 switches does offer VLAN port mirroring, so not sure where Suricata could sniff VLAN traffic in the switch stack. The stack does offer regular or traditional port mirroring. If we do many-to-1 port mirroring, we are concerned that sniffing may be overwhelming. I don't know. Maybe not. Each switch has VLANs split across them.
We thought VLAN mirroring would be easier to see all the traffic across multiple VLANs even if we monitor one VLAN. It would see traffic when systems communicate to systems on a VLAN we are not sniffing, but not sure we would see all traffic that way.
Thanks.
Leonard
From: Peter Manev <petermanev at gmail.com>
To: Leonard Jacobs <ljacobs at netsecuris.com>
Cc: oisf-users <oisf-users at openinfosecfoundation.org>
Sent: 12/5/2018 2:24 AM
Subject: Re: [Oisf-users] Using Suricata in Multi-vlan network environment
On Mon, Dec 3, 2018 at 10:19 PM Leonard <ljacobs at netsecuris.com> wrote:
>
> How would you suggest using in a network environment where a set of layer 3 switches are used to build multiple VLANs? The VLANs separate servers from PCs.
>
In what way do you mean? (Just sniffing VLAN traffic?) Suricata can utilize VLAN tracking -
https://github.com/OISF/suricata/blob/master/suricata.yaml.in#L1237
Thank you
--
Regards,
Peter Manev