[Oisf-users] Using Suricata in Multi-vlan network environment

Peter Manev petermanev at gmail.com
Mon Dec 10 09:03:54 UTC 2018


On Wed, Dec 5, 2018 at 2:22 PM Leonard Jacobs <ljacobs at netsecuris.com> wrote:
>
> Sniffing VLAN traffic, correct.  However, the particular brand of layer 3 switches does not offer VLAN port mirroring, so not sure where Suricata could sniff VLAN traffic in the switch stack.  The stack does offer regular or traditional port mirroring.  If we do many-to-1 port mirroring, concerned that sniffing may be overwhelming.  I don't know.  Maybe not.  Each switch has VLANs split across them.
>
> We thought VLAN mirroring would be easier to see all the traffic across multiple VLANs even if we monitor one VLAN.  It would see traffic when systems communicate to systems on a VLAN we are not sniffing, but not sure we would see all traffic that way.
>

In that case I would suggest doing a "session test" for a particular
scenario (many-to-1 / VLAN mirror): do a specific HTTP/FTP or similar
session between 2 IPs (local PCs or similar) and tcpdump that on the
mirror port, to see how it appears, with the same
VLANs / retagged / untagged. It would give you some idea, I think, of what
is best to set up (to be sure).

> Thanks.
>
> Leonard
>
>
> From: Peter Manev <petermanev at gmail.com>
> To: Leonard Jacobs <ljacobs at netsecuris.com>
> Cc: oisf-users <oisf-users at openinfosecfoundation.org>
> Sent: 12/5/2018 2:24 AM
> Subject: Re: [Oisf-users] Using Suricata in Multi-vlan network environment
>
> On Mon, Dec 3, 2018 at 10:19 PM Leonard <ljacobs at netsecuris.com> wrote:
> >
> > How would you suggest using in a network environment where a set of layer 3 switches are used to build multiple VLANs?  The VLANs separate servers from PCs.
> >
>
> In what way do you mean? (just sniffing VLAN traffic?) Suricata can
> utilize VLAN tracking -
> https://github.com/OISF/suricata/blob/master/suricata.yaml.in#L1237
>
> Thank you
>
>
> --
> Regards,
> Peter Manev
>
>
>
> This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to which they are addressed. If you have received this email in error please notify Netsecuris management at mgmt at netsecuris.com. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Netsecuris Inc. The integrity and security of this message cannot be guaranteed on the Internet



-- 
Regards,
Peter Manev
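The "session test" suggested above boils down to one question: when a tagged frame is copied to the mirror port, does it still carry its 802.1Q tag (and the right VID), is it retagged, or does it arrive untagged? Suricata's VLAN tracking (the `vlan.use-for-tracking` option the thread links to) keys flows on the VID it sees, so a mirror that strips or rewrites tags changes what the sensor tracks. The following is an added example, not code from the thread or from the Suricata project: a minimal Ethernet/802.1Q parser that walks single and stacked (QinQ) tags and tallies frames per outer VLAN, run over a handful of constructed frames that stand in for what you would read off the mirror port. The sample frames, MAC addresses and payload are constructed for the demonstration.

```python
import struct
from collections import Counter

TPID_8021Q = 0x8100    # customer VLAN tag
TPID_8021AD = 0x88A8   # service-provider (QinQ outer) tag
ETHERTYPE_IPV4 = 0x0800


def parse_vlan_tags(frame: bytes):
    """Walk an Ethernet header and return (vlan_ids, inner_ethertype, payload_offset).

    vlan_ids is a list from outermost to innermost tag; [] means untagged.
    Handles untagged frames, a single 802.1Q tag and stacked QinQ tags.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    vlan_ids = []
    offset = 12  # skip dst (6) + src (6)
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    offset += 2
    # Each tag occupies the EtherType slot: TPID (2) + TCI (2), then the next EtherType.
    while ethertype in (TPID_8021Q, TPID_8021AD):
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack_from("!HH", frame, offset)
        vlan_ids.append(tci & 0x0FFF)  # low 12 bits are the VID; PCP/DEI ignored here
        offset += 4
    return vlan_ids, ethertype, offset


def summarize(frames):
    """Count frames per outer VLAN ID (None = untagged).

    Run over a capture from the mirror port this shows at a glance whether the
    expected VIDs survive mirroring or everything arrives untagged.
    """
    counts = Counter()
    for frame in frames:
        vids, _, _ = parse_vlan_tags(frame)
        counts[vids[0] if vids else None] += 1
    return counts


def build_frame(vlan_ids, ethertype=ETHERTYPE_IPV4, payload=b"\x45" + b"\x00" * 19):
    """Construct a test frame with the given tag stack (constructed data, not captured)."""
    dst = bytes.fromhex("001122334455")  # constructed MAC addresses
    src = bytes.fromhex("66778899aabb")
    header = dst + src
    for i, vid in enumerate(vlan_ids):
        # Outer tag of a QinQ stack uses 0x88A8, everything else 0x8100.
        tpid = TPID_8021AD if (len(vlan_ids) > 1 and i == 0) else TPID_8021Q
        header += struct.pack("!HH", tpid, vid & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload


# Constructed stand-in for what a mirror port might deliver:
# one untagged frame, one on VLAN 10, one on VLAN 20, one QinQ frame (outer 100, inner 10).
SAMPLE_FRAMES = [
    build_frame([]),
    build_frame([10]),
    build_frame([20]),
    build_frame([100, 10]),
]


if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        vids, etype, off = parse_vlan_tags(frame)
        print(f"tags={vids or 'untagged'} ethertype=0x{etype:04x} payload_at={off}")
    print("per outer VLAN:", dict(summarize(SAMPLE_FRAMES)))
```

To feed real frames in, read them from a capture taken on the mirror interface (for example `tcpdump -e -nn -i <mirror-iface> -w mirror.pcap`, where `-e` makes tcpdump print the link-level header including any VLAN tag) and pass each packet's raw bytes to `parse_vlan_tags`. If the test session you ran on VLAN 10 shows up under `None` in the summary, the mirror is stripping tags and Suricata's VLAN tracking will not see the VID.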

