Suricata on Trunk Interface & it's VLAN Subinterfaces
-
Hello,
I'm seeing traffic from VLAN sub-interfaces showing up in the trunk interface. Is this expected behavior? It appears this traffic is sometimes showing up in both interfaces and sometimes only one (the Trunk, even when it's VLAN traffic).
I have a single WAN port and a LAN port that caries native (management) VLAN traffic and also tagged VLAN traffic. I have Suricata setup for ever interface, physical and VLAN.
WAN
LAN (Native 1)- VLAN192
- VLAN172
Example: I'll see traffic for VLAN192 interface in Suricata on LAN, but not in VLAN192.
Another Exmaple: I'll see traffic from VLAN172 on Suricata in LAN and VLAN172Any help appreciated! Thanks for this great software :)
-
Suricata puts the interface it runs on in promiscuous mode in order to see all traffic, so this would include all VLANs on a trunk. So with Suricata running on your LAN, it will see all the traffic passing through the physical LAN interface. There is an option on the INTERFACE SETTINGS tab for each interface where you can disable promiscuous mode. You can try toggling that and restarting Suricata on the interface to see if that helps separate logged traffic any better.
-
Thank you for the help. I'll try that out.
