[Snort-devel] interface name reporting?

Martin Roesch roesch at ...48...
Mon Nov 20 01:58:26 EST 2000


Fyodor wrote:
> 
> On Sun, Nov 19, 2000 at 06:18:21AM -0500, Joseph Nicholas Yarbrough wrote:
> > Hi,
> >
> > We run snort on up to 4 interfaces per machine. It is needed so we can see
> 
> You're running linux and use Sebastian's patch and pass interface 'any' to
> snort, right?  it's going to be hard to track down interface name since all the
> data is being gathered and passed on kernel level and there's no info regarding
> an interface is supplied.
> 
> The 'proper' way of implementing multiple-interfaces support is either via
> fork()ing or or multithreading, I've made prototype for mulithreading in snort
> code while ago and talked to guys from www.tcpdump.org, they said that making
> libpcap capable to be used by threaded applications is 'planned'. :) so I have
> up that idea for a while. Forking could be done quickly, but so far it makes no
> sence to do that since it adds extra complicity without any additional
> functionality (i.g. you can start several daemons and get the same effect).
> 
> Still if you're running multiples snort processes on multiple interfaces and
> want to have it available, I think it is possible to add interface name to
> Packet structure, if Marty doesn't mind such change :)

I don't mind the change, but shouldn't it be implicit what i/f the packet came
in on based on what IP addresses are in the alert? :)  I think "-I" is still
available as a command line switch... :)

    -Marty


-- 
Martin Roesch
roesch at ...48...
http://www.snort.org



More information about the Snort-devel mailing list