From: Daniel P. <dpu...@ni...> - 2005-06-13 23:15:17
Snort Inline users,

I'm trying to add functionality to snort inline so that I can get vlan information along with my alerts (if the packet has vlan information). Has anyone tried to do this before?

It seems like these changes go in decode.c, but things like the DecodeEthPkt (which calls DecodeVlan) aren't taken care of in the DecodeIptablesPkt function. Is that because iptables does not send it the entire Ethernet frame, but just the IP packet, so you lose Ethernet information in the process?

If so, will I have to implement a way to watch for a netfilter mark of some sort (and set the mark in iptables or ebtables depending on what vlan it is on) to base the vlan information on?

-Dan