To obtain a wider range of results, you could apply three methods:
a) a single Snort instance for all three VLANs together
b) separate Snort instances for each VLAN
c) a separate Snort instance for the physical interface on the server, for example:
Snort > Eth0 interface < physical
Finally, you can purge the different logs and analyze which of the three methods yields the best results.
Think too about the algorithms from Snort interfaces.
For example: Aho-Corasick (oe-ac)
-----------------------><-----------------------
Victor Guillen
Networking, Unix & Unix-Like
Network infrastructure
:~$
Mar 5, 2026, 15:25 by snort-users@lists.snort.org:
Hello everyone!
I am new to Snort 3 and we are preparing to build Snort Servers to monitor a few different VLANs that are on their own network interface. We will have this same setup at about 3 other sites and that data will be sent to a Wazuh server.
When configuring Snort 3 to passively monitor each network interface/VLAN, should we run one instance of Snort and have it monitor the three different VLANs, or should we have a separate instance for each VLAN?
- Computer Services - Information Security Specialist
- Phone: 660-263-4100 x11348
- Email: orenk@macc.edu