Do I need to add Snort interfaces for all VLANs, or just the parent interfaces? I've installed Snort on my XG-7100 and I've configured Snort interfaces for my two interfaces + 1 parent LAN interface.

  • From my understanding, if you want Snort for the VLAN, you have to add it to the VLAN. I have two physical interfaces in use, with a 'VLAN interface' as a third: WAN, LAN, OPT1. OPT1 for me has a different subnet than LAN, but goes through the LAN interface (to the switch, where I also had to add VLAN settings; ubq switch). In order for me to monitor the VLAN, I had to add the interface for the VLAN, as traffic for the VLAN didn't go through the 'LAN' interface, at least not in the same fashion. Someone please correct me if I'm wrong here. Hope this helps.

  • I have 16 VLANs and I'm still planning to add more, and I'm not sure if my XG-7100 can handle Snort running for all these VLANs. For now I've set up Snort interfaces on two WAN interfaces + 1 LAN interface.

  • I can't speak for the 7100; I built my own and use the Community edition. However, I have WAN, LAN and guest VLAN interfaces set up, with Snort and pfBlockerNG (even OpenVPN) on an old gaming PC that has a quad-core i7 and 8 GB RAM.

    RAM usage is easily 50% with the TLD checkbox active as well; the highest percentage I've seen so far is 65% memory usage, and at most 15% CPU usage (spikes; the average is less than 8%).

    That, granted, is only supporting at most 15 devices at any given time. It is also an asymmetrical gigabit connection, 935/40 (cable), and it does not slow down even over an internal VPN connection (I realized I needed to set up LAGG afterwards, as the VPN maxes out at 500: gigabit one way, sliced in half when going back and forth on the same interface). I assume separate up and down links to my managed switch would also help accomplish this.
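As an added illustration of the "not in the same fashion" point above (this is example code written for this page, not code from anyone in the thread, from pfSense or from the Snort package): on the trunk, i.e. the parent interface, a frame for a VLAN carries a 4-byte 802.1Q tag between the source MAC and the EtherType; the VLAN child interface hands the same frame up with that tag removed. The script builds a constructed IPv4 frame in untagged, single-tagged (VLAN 20) and double-tagged (802.1ad outer 100, inner 20) form, parses the tag stack, and emulates what a child interface for a given VID would deliver. The function names (`build_frame`, `parse_frame`, `vlan_child_view`), the MAC addresses, the IPv4 header bytes and the VLAN IDs 20 and 100 are all assumptions of the example.

```python
"""Added example (not from the thread): how one packet looks on the VLAN
trunk (the parent interface) versus on the VLAN child interface.

On the trunk, frames for a VLAN carry a 4-byte 802.1Q tag between the source
MAC and the EtherType; the VLAN child interface hands the frame up with that
tag removed. All MACs, VLAN IDs and packet bytes below are constructed.
"""
import struct

ETHERTYPE_VLAN = 0x8100  # 802.1Q customer tag
ETHERTYPE_QINQ = 0x88A8  # 802.1ad service tag (outer tag of a QinQ frame)
ETHERTYPE_IPV4 = 0x0800


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_frame(dst, src, ethertype, payload, tags=()):
    """Build an Ethernet frame; tags is a sequence of (tpid, pcp, dei, vid),
    outermost tag first."""
    hdr = bytearray(dst + src)
    for tpid, pcp, dei, vid in tags:
        tci = (pcp << 13) | (dei << 12) | (vid & 0x0FFF)
        hdr += struct.pack("!HH", tpid, tci)
    hdr += struct.pack("!H", ethertype)
    return bytes(hdr) + payload


def parse_frame(frame):
    """Return dst, src, the list of stacked VLAN tags (outermost first),
    the innermost EtherType and the payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[0:6], frame[6:12]
    off, tags = 12, []
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated header")
        (etype,) = struct.unpack_from("!H", frame, off)
        off += 2
        if etype not in (ETHERTYPE_VLAN, ETHERTYPE_QINQ):
            break
        if off + 2 > len(frame):
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off)
        off += 2
        tags.append({"tpid": etype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
    return {"dst": mac_str(dst), "src": mac_str(src), "vlans": tags,
            "ethertype": etype, "payload": frame[off:]}


def vlan_child_view(frame, vid):
    """What a VLAN child interface for `vid` would hand up: the frame with
    its outermost tag removed, or None if the frame does not belong to that
    VLAN (untagged, or tagged for a different VID)."""
    info = parse_frame(frame)
    if not info["vlans"] or info["vlans"][0]["vid"] != vid:
        return None
    # drop the 4 bytes after the source MAC (TPID + TCI)
    return frame[:12] + frame[16:]


def describe(frame, where):
    """One-line summary of a frame as seen from `where` (for printing)."""
    info = parse_frame(frame)
    tags = ",".join(f"{t['vid']}(0x{t['tpid']:04x})"
                    for t in info["vlans"]) or "none"
    return (f"{where}: {info['src']} -> {info['dst']} "
            f"vlan tags={tags} ethertype=0x{info['ethertype']:04x}")


# constructed sample data
DST_MAC = bytes.fromhex("001122334455")
SRC_MAC = bytes.fromhex("66778899aabb")
# constructed 20-byte IPv4 header (192.168.10.10 -> 192.168.10.1, proto UDP)
IPV4_HDR = bytes.fromhex("45000014000100004011" "0000" "c0a80a0a" "c0a80a01")

UNTAGGED = build_frame(DST_MAC, SRC_MAC, ETHERTYPE_IPV4, IPV4_HDR)
TAGGED_VID20 = build_frame(DST_MAC, SRC_MAC, ETHERTYPE_IPV4, IPV4_HDR,
                           tags=[(ETHERTYPE_VLAN, 0, 0, 20)])
QINQ_100_20 = build_frame(DST_MAC, SRC_MAC, ETHERTYPE_IPV4, IPV4_HDR,
                          tags=[(ETHERTYPE_QINQ, 0, 0, 100),
                                (ETHERTYPE_VLAN, 0, 0, 20)])

if __name__ == "__main__":
    print(describe(TAGGED_VID20, "parent (trunk)"))
    print(describe(vlan_child_view(TAGGED_VID20, 20), "child vlan20"))
    print("delivered to vlan30 child:", vlan_child_view(TAGGED_VID20, 30))
    print(describe(QINQ_100_20, "parent (QinQ trunk)"))
```

Running it prints the tagged form for the parent interface and the untagged form for the VLAN 20 child; the VLAN 30 child gets nothing. An IDS instance only ever sees the form belonging to the interface it is bound to, which is why a binding on the parent and a binding on a VLAN child are not the same thing and should be checked against what you actually intend to inspect.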

