Netgate Discussion Forum

    Snort VLAN limitations like Suricata

    IDS/IPS
    8 Posts 3 Posters 831 Views
    • michmoor LAYER 8 Rebel Alliance

      Does Snort have the same limitations as Suricata when it comes to VLAN interfaces? I have interfaces igc1.14, igc1.15 and igc1.16. With Suricata, you need to run it on the parent interface igc1 as netmap does not play well with logical interfaces.
      Is Snort the same way? Enable on the physical interface only?

      Firewall: NetGate,Palo Alto-VM,Juniper SRX
      Routing: Juniper, Arista, Cisco
      Switching: Juniper, Arista, Cisco
      Wireless: Unifi, Aruba IAP
      JNCIP,CCNP Enterprise

    • bmeeks @michmoor

        @michmoor said in Snort VLAN limitations like Suricata:

        Does Snort have the same limitations as Suricata when it comes to VLAN interfaces? I have interfaces igc1.14, igc1.15 and igc1.16. With Suricata, you need to run it on the parent interface igc1 as netmap does not play well with logical interfaces.
        Is Snort the same way? Enable on the physical interface only?

        Yes, when using Inline IPS Mode. That's because the Inline IPS in both packages depends upon the netmap kernel device.

        Snort and Suricata are pretty much identical in the manner with which they interact with the pfSense kernel and network stack. Both suffer the same netmap limitations. The only real difference between the two in terms of kernel functionality is Suricata is multithreaded whereas Snort is single threaded.

    • SteveITS Galactic Empire @bmeeks

          @bmeeks In legacy mode can/should it be run on the VLANs? (I thought it was both...)

          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
          Upvote 👍 helpful posts!

    • bmeeks @SteveITS

            @SteveITS said in Snort VLAN limitations like Suricata:

            @bmeeks In legacy mode can/should it be run on the VLANs? (I thought it was both...)

            It can run on VLANs, but the default promiscuous mode makes it a moot choice. With promiscuous mode enabled it will see all the traffic from all VLANs on the physical interface anyway.

    • SteveITS Galactic Empire @bmeeks
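The point above (a promiscuous sensor on the parent interface already receives every VLAN's frames, so binding to igc1.14 / igc1.15 / igc1.16 separately adds nothing) can be seen directly by parsing 802.1Q tags. The following is an added example and is not code from this thread or from the pfSense Snort/Suricata packages. It builds a handful of constructed trunk frames and models what a sniffer bound to the parent interface versus a VLAN sub-interface would receive. The interface names, the sensor MAC address, the "parent.vid" naming convention and the tag-stripping behaviour of the kernel are assumptions of the example, not facts taken from the page.

```python
"""
Added example, not code from the Netgate thread or the pfSense Snort/Suricata
packages: hand-built 802.1Q frames show why a sensor on the parent interface
(igc1) sees the traffic of every VLAN sub-interface (igc1.14, igc1.15, ...),
while a sensor bound to a sub-interface only sees its own VLAN with the tag
already stripped.

Assumptions (hypothetical, stated here rather than taken from the page):
 - sub-interface names follow the pfSense "parent.vid" convention;
 - the kernel removes the 802.1Q tag before delivering to a sub-interface;
 - a non-promiscuous interface only accepts frames for its own MAC or for
   broadcast/multicast addresses.
"""
import struct

TPID_8021Q = 0x8100     # single 802.1Q tag
TPID_8021AD = 0x88A8    # outer tag of a QinQ (802.1ad) frame
ETHERTYPE_IPV4 = 0x0800

SENSOR_MAC = bytes.fromhex("001122334455")   # constructed MAC of igc1
BROADCAST = b"\xff" * 6


def build_frame(vid, dst, src, payload, pcp=0):
    """Build an Ethernet II frame; vid=None yields an untagged frame."""
    hdr = dst + src
    if vid is None:
        return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
    return hdr + struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE_IPV4) + payload


def parse_frame(frame):
    """Return (vid, ethertype, payload); vid is None for an untagged frame.
    For a QinQ frame only the outer tag is consumed: the inner 802.1Q tag stays
    at the start of the returned payload and the returned ethertype is 0x8100."""
    if len(frame) < 14:
        raise ValueError("short Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype in (TPID_8021Q, TPID_8021AD):
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, inner = struct.unpack("!HH", frame[14:18])
        return tci & 0x0FFF, inner, frame[18:]
    return None, ethertype, frame[14:]


def strip_tag(frame):
    """Frame as delivered to a VLAN sub-interface: the 4-byte tag removed."""
    return frame[:12] + frame[16:]


def frames_visible_on(iface, wire_frames, promisc=True):
    """Model which frames a sniffer bound to `iface` receives."""
    def nic_accepts(frame):
        dst = frame[:6]
        # promiscuous: everything; otherwise own unicast or multicast/broadcast
        return promisc or dst == SENSOR_MAC or bool(dst[0] & 1)
    accepted = [f for f in wire_frames if nic_accepts(f)]
    if "." not in iface:
        return accepted                      # parent: all VLANs, tags intact
    vid = int(iface.split(".", 1)[1])        # hypothetical "parent.vid" naming
    return [strip_tag(f) for f in accepted if parse_frame(f)[0] == vid]


def summarize(iface, wire_frames, promisc=True):
    """Count of frames seen on `iface` and the set of VLAN IDs still visible in them."""
    seen = frames_visible_on(iface, wire_frames, promisc)
    return {"count": len(seen), "vids": {parse_frame(f)[0] for f in seen}}


def sample_wire():
    """Constructed trunk traffic: VLANs 14, 15, 16 plus one untagged frame."""
    other = bytes.fromhex("aabbccddeeff")     # some other host on the segment
    src = bytes.fromhex("66778899aabb")
    return [
        build_frame(14, BROADCAST, src, b"A"),
        build_frame(15, SENSOR_MAC, src, b"B"),
        build_frame(16, other, src, b"C"),      # unicast to another host
        build_frame(None, BROADCAST, src, b"D"),
        build_frame(14, SENSOR_MAC, src, b"E"),
    ]


if __name__ == "__main__":
    wire = sample_wire()
    for iface in ("igc1", "igc1.14", "igc1.15"):
        print(iface, summarize(iface, wire))
    print("igc1 (non-promiscuous)", summarize("igc1", wire, promisc=False))
```

Running it shows the parent interface receiving all five frames with VLAN IDs 14, 15, 16 (and None for the untagged one) still present, while igc1.14 receives only its two frames with the tag gone. Turning promiscuous mode off on the parent drops the frame addressed to the other host, which is why the default promiscuous mode matters for the "run it on the parent" advice: the parent sees every VLAN, and because the tag is still in the frame a sensor there can also tell the VLANs apart, so nothing is lost compared with per-sub-interface instances.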

              @bmeeks OK, that's what I thought. Carry on.

    • michmoor LAYER 8 Rebel Alliance @bmeeks

                @bmeeks So having per-VLAN specific rule sets is moot then, if I understand correctly.

    • bmeeks @michmoor

                  @michmoor said in Snort VLAN limitations like Suricata:

                  @bmeeks So having per-VLAN specific rule sets is moot then, if I understand correctly.

                  Yes.

    • michmoor LAYER 8 Rebel Alliance @bmeeks

                    @bmeeks Copy that. Thank you, sir.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.