Snort in IPS running on vlan and parent interfaces?
I have snort running on my vlans and the vlan parent interface. I suppressed the false alerts in my vlans…the traffic gets thru...no problems.
It is my understanding that snort runs in a "permiscuos" way and will trigger alerts in the parent interface. I have not suppressed anything in the parent interface.
I am seeing alerts on the parent interface that were triggered by clients on my vlans(e.g. Skype alert)...I am not seeing the alert on my vlan interface.
I am concerned snort is not blocking appropriately or it is??? Can any one provide any thoughts on how this should alert with vlans? Is there something I should be doing different?
I believe snort works on what interface you set it and what rules you apply on those interface.