[Snort-devel] interface name reporting?
fygrave at ...1...
Sun Nov 19 08:14:04 EST 2000
On Sun, Nov 19, 2000 at 06:18:21AM -0500, Joseph Nicholas Yarbrough wrote:
> We run snort on up to 4 interfaces per machine. It is needed so we can see
You're running Linux and use Sebastian's patch and pass interface 'any' to
snort, right? It's going to be hard to track down the interface name since all
the data is being gathered and passed on at kernel level and no info regarding
the interface is supplied.
The 'proper' way of implementing multiple-interface support is either via
fork()ing or multithreading. I made a prototype for multithreading in the snort
code a while ago and talked to the guys from www.tcpdump.org; they said that
making libpcap capable of being used by threaded applications is 'planned'. :)
So I gave up that idea for a while. Forking could be done quickly, but so far it
makes no sense to do that since it adds extra complexity without any additional
functionality (i.e. you can start several daemons and get the same effect).
Still, if you're running multiple snort processes on multiple interfaces and
want to have it available, I think it is possible to add the interface name to
the Packet structure, if Marty doesn't mind such a change :)
PGP fingerprint = 56DD 1511 DDDA 56D7 99C7 B288 5CE5 A713 0969 A4D1