Suricata Legacy Mode with VLANs
-
I tried to search on this before posting but it appeared most applied to Inline mode.
I have an interface set up for LAN (ix0) and a couple of VLANs enabled (ix0.30/70/etc.). When viewing alert logs for the VLANs, all of them only include their respective IP ranges associated with the VLAN. However, when I look at LAN it includes the alerts for the default IP range plus all of the VLANs. Is that normal?
If so, like a post I found on Inline IPS, there's no need to create the VLAN interfaces if the parent is going to capture all traffic.
-
You are correct. Really no need for separate VLAN interfaces because when running Suricata on the parent, it's already going to see everything running across that physical interface (so that means all the VLAN traffic on the parent physical link).
Having multiple instances per VLAN, when the VLANs all are running on the same physical parent interface, just wastes CPU and RAM resources. Doing so in Legacy Mode won't necessarily "break" anything, but it wastes resources so just run a single instance on the parent interface and put all the rules there.
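To check on your own box whether the parent-interface instance is already seeing the VLAN traffic (and whether per-VLAN instances are just duplicating its alerts), you can compare the EVE JSON logs of the instances. The script below is an added example, not code from the reply above or from Suricata/pfSense; it assumes the EVE records carry the standard `in_iface` field and the `vlan` array Suricata adds for 802.1Q-tagged packets, and uses a constructed sample log rather than real data.

```python
import json
from collections import defaultdict

# Constructed sample EVE JSON alert records (not real logs). Two Suricata
# instances, one on the parent ix0 and one on the VLAN child ix0.30, both
# log the same VLAN 30 flow; an untagged LAN flow is seen only on ix0.
# On the child interface the kernel has already stripped the 802.1Q tag,
# so that record has no "vlan" field.
SAMPLE_EVE = """
{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"alert","in_iface":"ix0","vlan":[30],"src_ip":"192.168.30.10","src_port":51000,"dest_ip":"203.0.113.5","dest_port":80,"proto":"TCP","alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root"}}
{"timestamp":"2024-01-01T10:00:00.000100+0000","event_type":"alert","in_iface":"ix0.30","src_ip":"192.168.30.10","src_port":51000,"dest_ip":"203.0.113.5","dest_port":80,"proto":"TCP","alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root"}}
{"timestamp":"2024-01-01T10:00:01.000000+0000","event_type":"alert","in_iface":"ix0","src_ip":"192.168.1.20","src_port":52000,"dest_ip":"203.0.113.9","dest_port":443,"proto":"TCP","alert":{"signature_id":2013028,"signature":"ET POLICY curl User-Agent Outbound"}}
{"timestamp":"2024-01-01T10:00:02.000000+0000","event_type":"flow","in_iface":"ix0","src_ip":"192.168.1.20","src_port":52001,"dest_ip":"203.0.113.9","dest_port":443,"proto":"TCP"}
"""


def alert_key(rec):
    """Identity of an alert independent of which instance logged it:
    signature plus the 5-tuple (flow_id differs per Suricata process)."""
    return (rec["alert"]["signature_id"], rec["src_ip"], rec.get("src_port"),
            rec["dest_ip"], rec.get("dest_port"), rec["proto"])


def analyse(eve_text, parent="ix0"):
    """Return which VLAN IDs the parent instance saw and, per child
    interface, how many of its alerts the parent instance also raised."""
    by_iface = defaultdict(set)          # interface -> set of alert keys
    vlans_on_parent = set()
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":   # skip flow/dns/etc. records
            continue
        by_iface[rec["in_iface"]].add(alert_key(rec))
        if rec["in_iface"] == parent:
            vlans_on_parent.update(rec.get("vlan", []))
    duplicates = {iface: len(keys & by_iface[parent])
                  for iface, keys in by_iface.items() if iface != parent}
    return {"vlans_seen_on_parent": sorted(vlans_on_parent),
            "child_alerts_also_on_parent": duplicates}


if __name__ == "__main__":
    print(analyse(SAMPLE_EVE))
```

On a live system, feed it the concatenated eve.json files of the parent and child instances; a child whose alerts are all also present on the parent is the redundant instance the reply describes.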
-
@bmeeks Thanks. That’s what I figured but wanted to be sure it wasn’t some newbie mistake.
May move to all VLANs and not run anything on the parent interface so I can separate things more at the cost of system resources. I’m sure the over spec 7100 can handle that for my home 🤪.