4. Suricata on Trunk Interface & it's VLAN Subinterfaces

Suricata on Trunk Interface & it's VLAN Subinterfaces

  • F

    Hello,

    I'm seeing traffic from VLAN sub-interfaces showing up in the trunk interface. Is this expected behavior? It appears this traffic is sometimes showing up in both interfaces and sometimes only one (the Trunk, even when it's VLAN traffic).

    I have a single WAN port and a LAN port that caries native (management) VLAN traffic and also tagged VLAN traffic. I have Suricata setup for ever interface, physical and VLAN.

    WAN
    LAN (Native 1)

    • VLAN192
    • VLAN172

    Example: I'll see traffic for VLAN192 interface in Suricata on LAN, but not in VLAN192.
    Another Exmaple: I'll see traffic from VLAN172 on Suricata in LAN and VLAN172

    Any help appreciated! Thanks for this great software :)

    0

  • Suricata puts the interface it runs on in promiscuous mode in order to see all traffic, so this would include all VLANs on a trunk. So with Suricata running on your LAN, it will see all the traffic passing through the physical LAN interface. There is an option on the INTERFACE SETTINGS tab for each interface where you can disable promiscuous mode. You can try toggling that and restarting Suricata on the interface to see if that helps separate logged traffic any better.

    0
  • F

    Thank you for the help. I'll try that out.

    0
Log in to reply
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy