Netgate Discussion Forum
    Snort and mixing physical interfaces and VLANs

    IDS/IPS
    3 Posts 2 Posters 1.5k Views

    jeffhammett

      Did something change recently with the way Snort handles physical interfaces and VLANs?

      I have been running Snort on a few systems for a while now where I have the physical interface configured for one subnet, and then some VLANs on that same interface (I know this is not recommended, but I have not been able to change the network architecture yet). In the past, if I were to run Snort on the LAN interface it would only see the traffic from what pfSense considers the LAN; it wouldn't see any traffic from the VLANs on that same interface. If I wanted to monitor traffic on those VLANs I would have to configure Snort on each VLAN interface.

      I installed Snort on another system recently with this same architecture and configured Snort on both the LAN and one of the VLANs on that LAN interface, and found that I am receiving alerts for the VLAN on both the LAN interface and the VLAN interface in Snort.

      Which is expected behavior? What would be the cause of some systems behaving one way and some behaving the other way?

      I haven't done a whole lot of testing, so I may be overlooking something. Any help in figuring this out is appreciated.

      mhertzfeld

        You are not alone, I see the same thing in my setup.

        I had asked a similar question a few months back but never got an answer.

        https://forum.pfsense.org/index.php?topic=113631.0

        I am thinking this has something to do with it.

        https://en.wikipedia.org/wiki/Promiscuous_mode

        Are the pfSense and Snort versions the same on the system where you see the VLAN traffic on LAN and the system where you don't?

        jeffhammett

          @mhertzfeld:

          You are not alone, I see the same thing in my setup.

          I had asked a similar question a few months back but never got an answer.

          https://forum.pfsense.org/index.php?topic=113631.0

          I am thinking this has something to do with it.

          https://en.wikipedia.org/wiki/Promiscuous_mode

          Are the pfSense and Snort versions the same on the system where you see the VLAN traffic on LAN and the system where you don't?

          Promiscuous mode would make sense, but I thought previously Snort was putting the interfaces into promiscuous mode as well, even though it wasn't seeing all the traffic. I actually changed my configuration to adjust for this, so I was surprised to see it working as expected on the new system.

          I have one system available to test on. It is fully up to date (pfSense and Snort) and it is behaving as described above: running Snort on the physical interface alerts on traffic for the VLANs on that interface as well. I know that this was not the case previously, but that was probably on 2.2.6 and with a previous version of Snort.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.