I haven’t seen any HOWTOs yet on how to use the feature of dividing up your network into multiple snort configuration files (Virtual Networks?). I have tried this on my sensors and it works great.
Before, one would solve the problem by firing up multiple instances of snort, each with its own set of options/arguments. Now we start only one instance of snort with a default snort config and include a config file for each IP, IP range or VLAN that one would like to monitor. The default snort config file is used as a fall-back if the traffic is not matched by one of the virtual configs.
config binding: /etc/snort/vips/snort-0.conf net 192.168.0.0/24
config binding: /etc/snort/vips/snort-1.conf net 192.168.1.0/24
config binding: /etc/snort/vips/snort-2.conf net 192.168.2.0/24
config binding: /etc/snort/vips/snort-3.conf vlan 1337
So, you have a default /etc/snort/snort.conf, configure that as the fall-back configuration (catching all traffic not handled by your virtual configs) and then add the statements above to it. You can then configure snort-0.conf, snort-1.conf, snort-2.conf and snort-3.conf to handle their respective traffic (variables, rules, preprocessors etc).
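As an added sanity check (example code written for this post, not part of Snort or its README), the script below parses binding lines like the four above, flags bindings whose nets or VLAN ids overlap (the same packet could satisfy both, so which config wins depends on Snort's own precedence rules), and lists which virtual config(s) a given packet's addresses or VLAN would hit; an empty result means the default snort.conf catches it. It assumes a net binding can be matched by either the source or the destination address and that net values are comma-separated CIDRs.

```python
import ipaddress
import os
import re

# Constructed sample: the binding lines from this post, not a real sensor config.
SAMPLE_CONF = """
config binding: /etc/snort/vips/snort-0.conf net 192.168.0.0/24
config binding: /etc/snort/vips/snort-1.conf net 192.168.1.0/24
config binding: /etc/snort/vips/snort-2.conf net 192.168.2.0/24
config binding: /etc/snort/vips/snort-3.conf vlan 1337
"""

BINDING_RE = re.compile(r"^\s*config\s+binding:\s*(\S+)\s+(net|vlan)\s+(.+?)\s*$")

def parse_bindings(text):
    """Return (path, kind, value) tuples: kind 'net' carries an ip_network,
    kind 'vlan' carries a set of ids (single ids or 'a-b' ranges, comma separated)."""
    bindings = []
    for line in text.splitlines():
        m = BINDING_RE.match(line)
        if not m:
            continue
        path, kind, raw = m.groups()
        if kind == "net":
            for cidr in raw.split(","):
                bindings.append((path, "net", ipaddress.ip_network(cidr.strip(), strict=False)))
        else:
            ids = set()
            for part in raw.split(","):
                lo, _, hi = part.strip().partition("-")
                ids.update(range(int(lo), int(hi.strip() or lo) + 1))
            bindings.append((path, "vlan", ids))
    return bindings

def overlapping_bindings(bindings):
    """Pairs of different config paths whose nets overlap or whose vlan ids intersect."""
    pairs = []
    for i, (p1, k1, v1) in enumerate(bindings):
        for p2, k2, v2 in bindings[i + 1:]:
            if k1 == k2 and p1 != p2 and (v1.overlaps(v2) if k1 == "net" else v1 & v2):
                pairs.append((p1, p2))
    return pairs

def missing_files(bindings):
    """Config paths referenced by a binding that do not exist on this sensor."""
    return sorted({p for p, _, _ in bindings if not os.path.isfile(p)})

def matching_configs(bindings, src_ip=None, dst_ip=None, vlan=None):
    """Every binding a packet could fall under; empty means the default snort.conf handles it."""
    hits = []
    for path, kind, val in bindings:
        if kind == "net" and any(ip and ipaddress.ip_address(ip) in val for ip in (src_ip, dst_ip)):
            hits.append(path)
        elif kind == "vlan" and vlan in val:
            hits.append(path)
    return hits
```

Run it against your real snort.conf by reading the file into parse_bindings; a non-empty result from overlapping_bindings or missing_files is worth fixing before relying on the fall-back behaviour.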
In this case, if you have:
192.168.0.0/24 on eth1
192.168.1.0/24 on eth2
192.168.2.0/24 on eth3
vlan 1337 on eth4
you would need to bond them together and have snort listen on the bonded interface.
My gut feeling is that there are some performance and memory benefits to firing up one instance of snort configured with virtual networks rather than firing up X instances of snort, but I have not done any tests.
Read more in README.multipleconfigs in the doc/ directory of the Snort tarball.
*I would like to hear thoughts from others playing with this feature*