VLAN Traffic
Please note! This wiki is no longer maintained. Our documentation has moved to https://securityonion.net/docs/. Please update your bookmarks. You can find the latest version of this page at: https://securityonion.net/docs/VLAN-Traffic.
If you're running Security Onion 14.04 with all updates applied as of 2016/08/31, then you should be able to monitor VLAN tagged traffic with no special configuration. The current version of Suricata will automatically increase its snaplen setting to account for VLAN tags and our current NSM scripts will automatically update Snort's snaplen in the same way.
If for some reason you are unable to install the latest updates and have to run older software, you may need to modify your configuration to avoid inconsistent alerting. Here are some things to consider.
Snort's default Snap Length is 1514. To allow for VLAN tags, you can increase this to 1518 by setting the following option in your Snort configuration file /etc/nsm/HOSTNAME-INTERFACE/snort.conf:
config snaplen: 1518
(However, please keep in mind that our latest NSM scripts will set Snort's snaplen setting on the command line, overriding what you set in snort.conf.)
Restart Snort:
sudo nsm_sensor_ps-restart --only-snort-alert
Test to ensure that you're now receiving consistent alerting.
When Suricata (older versions) receives packets from PF_RING, it sets the Snap Length (Bucket Len) to 1516 by default (the default MTU of the sniffing interface 1500 plus 16). To increase Suricata's Snap Length to 1518, increase the MTU of your sniffing interface to 1502 by adding the following line to the sniffing interface section of your network interface config file /etc/network/interfaces:
mtu 1502
(Please note that setting a non-standard MTU like this may result in the interface not coming up correctly on boot.)
Then bounce the interface as follows (replacing eth1 with your actual sniffing interface):
sudo ifdown eth1
sudo ifup eth1
If you have inconsistent VLAN tags (for example, VLAN tags in one direction but not the other), then you may also need to set the following option in your Suricata configuration file /etc/nsm/HOSTNAME-INTERFACE/suricata.yaml:
vlan:
use-for-tracking: false
Restart Suricata:
sudo nsm_sensor_ps-restart --only-snort-alert
Test to ensure that you're now receiving consistent alerting.
- Introduction
- Use Cases
- Hardware Requirements
- Release Notes
- Download/Install
- Booting Issues
- After Installation
- UTC and Time Zones
- Services
- VirtualBox Walkthrough
- VMWare Walkthrough
- Videos
- Architecture
- Cheat Sheet
- Conference
- Elastic Stack
- Elastic Architecture
- Elasticsearch
- Logstash
- Kibana
- ElastAlert
- Curator
- FreqServer
- DomainStats
- Docker
- Redis
- Data Fields
- Beats
- Pre-Releases
- ELSA to Elastic
- Network Configuration
- Proxy Configuration
- Firewall/Hardening
- Email Configuration
- Integrating with other systems
- Changing IP Addresses
- NTP
- Managing Alerts
- Managing Rules
- Adding Local Rules
- Disabling Processes
- Filtering with BPF
- Adjusting PF_RING for traffic
- MySQL Tuning
- Adding a new disk
- High Performance Tuning
- Trimming PCAPs