Snort alerts on LAN caused by VLANs traffic (LAN is parent interface)?



  • I have 3 VLAN, each with their own SSID on my Unifi AP, Connected thru a managed switch. Each of my VLANs has the LAN as the parent interface. I also have the Unifi AP exclusively assigned to the LAN with a SSID so I can access the Unifi AP with my computer/controller. Each SSID has its own corresponding VLAN IP, all with seperate interfaces.

    I have snort interfaces set up and being monitored with different rules on each VLAN, the LAN, the WAN and the PIAVPN(Priv. Internet Access provider) interface.

    I have been monitoring the rules for false positives over the course of a few days…

    Recently however I have noticed snort alerts on my LAN triggered from traffic on my VLANs? They are false alerts (SID 120:3 and 137:1).

    I thought that the VLANs were isolated? Why would I see traffic and alerts on my LAN for isolated traffic started via my VLANs? The alerts are “Source IPs”, external IPs(port 80 mostly), "destination IPs" are my fixed VLAN device Ips?

    Trying to trouble shoot if my rules are not correct or if it is normal for parent interface to get VLAN snort alerts?

    Any feedback would be greatly appreciated… :o

    (PS I read a lot of forum comments regarding Snort on LAN vs WAN ports...wanted to understand my traffic so I am running on both)



  • Snort puts the interface it runs on in promiscuous mode, so this means it sees everything.  Snort uses libpcap to grab copies of the packets as they fly through the interface.  Snort is also positioned within the packet chain in such a way as to see data before the VLAN routing is applied.  So since the VLANs reside on your physical LAN interface, Snort is seeing the traffic as just coming from the LAN.

    Bill



  • Thanks Bill!


Log in to reply