[Snort-devel] interface name reporting?

Joseph Nicholas Yarbrough nyarbrough at ...118...
Sun Nov 19 06:18:21 EST 2000


Hi,

We run snort on up to 4 interfaces per machine. It is needed so we can see 
what interface it came from. (i.e. private addresses coming from the outside 
would be important.) The reasons we need to see this are endless. I wanted to 
keep it out of the output plugin if at all possible. In actuality, I'm not 
sure if an output plugin has access to the name of the interface the packet 
came across or not.

-Nick

On Sunday 19 November 2000 07:11, you wrote:
> On Sat, Nov 18, 2000 at 04:39:41AM -0500, Joseph Nicholas Yarbrough wrote:
> > Hello all,
> >
> > I was wondering if there is a method to have snort append the interface
> > name (that the traffic that triggered the alert came from) to the alert.
> > Would I
>
> I don't know if you really need this. So far Snort is able to run only on a
> single interface per process, so I doubt that having an interface name in
> logfile could make any sense. It could be added easily if needed but imho
> would be overkill :)
>
> Any other opinions? :)


