Snort VLAN limitations like Suricata
-
Does Snort have the same limitations as Suricata when it comes to VLAN interfaces? I have interfaces igc1.14, igc1.15 and igc1.16. With Suricata, you need to run it on the parent interface igc1 as netmap does not play well with logical interfaces.
Is Snort the same way? Enable on the physical interface only?
-
@michmoor said in Snort VLAN limitations like Suricata:
Does Snort have the same limitations as Suricata when it comes to VLAN interfaces? I have interfaces igc1.14, igc1.15 and igc1.16. With Suricata, you need to run it on the parent interface igc1 as netmap does not play well with logical interfaces.
Is Snort the same way? Enable on the physical interface only?
Yes, when using Inline IPS Mode. That's because the Inline IPS in both packages depends upon the netmap kernel device.
Snort and Suricata are pretty much identical in the manner with which they interact with the pfSense kernel and network stack. Both suffer the same netmap limitations. The only real difference between the two in terms of kernel functionality is Suricata is multithreaded whereas Snort is single-threaded.
-
@bmeeks In legacy mode can/should it be run on the VLANs? (I thought it was both...)
-
@SteveITS said in Snort VLAN limitations like Suricata:
@bmeeks In legacy mode can/should it be run on the VLANs? (I thought it was both...)
It can run on VLANs, but the default promiscuous mode makes it a moot choice. With promiscuous mode enabled it will see all the traffic from all VLANs on the physical interface anyway.
-
@bmeeks OK, that's what I thought. Carry on.
-
@bmeeks So having per-VLAN-specific rule sets is moot then, if I understand correctly.
-
@michmoor said in Snort VLAN limitations like Suricata:
@bmeeks So having per-VLAN-specific rule sets is moot then, if I understand correctly.
Yes.
-
@bmeeks Copy that. Thank you, sir.
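As an added example (not from this thread, and not code from the pfSense Snort or Suricata packages), a small Python lint that encodes the two points bmeeks makes above: inline IPS has to sit on the parent interface because netmap does not work on VLAN child interfaces, and legacy mode captures promiscuously on the parent, so an instance bound to igc1.15 still sees every VLAN and per-VLAN rule sets do not isolate traffic. The interface naming pattern, the mode labels and the sample assignments are constructed assumptions for the example.

```python
import re

# FreeBSD/pfSense VLAN child interface naming, e.g. "igc1.14" (assumed pattern)
VLAN_RE = re.compile(r"^(?P<parent>[a-zA-Z]+\d+)\.(?P<tag>\d+)$")


def split_interface(name):
    """Return (parent, vlan_tag); vlan_tag is None for a physical interface."""
    m = VLAN_RE.match(name)
    if m:
        return m.group("parent"), int(m.group("tag"))
    return name, None


def check_ids_interfaces(assignments):
    """assignments: list of (interface, mode), mode is 'inline' or 'legacy'.

    Returns (severity, interface, message) tuples for the two constraints
    discussed in the thread plus one redundancy check.
    """
    findings = []
    parents_seen = {}  # physical parent -> interfaces assigned on top of it
    for iface, mode in assignments:
        parent, tag = split_interface(iface)
        parents_seen.setdefault(parent, []).append(iface)
        if tag is not None and mode == "inline":
            # Inline IPS depends on netmap, which needs the physical interface.
            findings.append(("error", iface,
                "inline IPS uses netmap, which does not work on a VLAN child; "
                "assign the parent " + parent + " instead"))
        elif tag is not None and mode == "legacy":
            # Legacy mode is promiscuous on the parent: every VLAN is visible.
            findings.append(("warning", iface,
                "legacy mode captures promiscuously on " + parent + ", so this "
                "instance sees all VLANs; rules are not scoped to VLAN " + str(tag)))
    for parent, ifaces in parents_seen.items():
        if len(ifaces) > 1:
            findings.append(("warning", parent,
                "several instances capture the same physical interface: "
                + ", ".join(ifaces)))
    return findings


def effective_capture_interfaces(assignments):
    """Physical interfaces the IDS actually listens on."""
    return sorted({split_interface(i)[0] for i, _ in assignments})


if __name__ == "__main__":
    # Constructed sample using the interfaces named in the thread
    sample = [("igc1.14", "inline"), ("igc1.15", "legacy"), ("igc1.16", "legacy")]
    for sev, iface, msg in check_ids_interfaces(sample):
        print(f"{sev:8} {iface:8} {msg}")
    print("capture on:", effective_capture_interfaces(sample))
```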