[Snort-devel] interface name reporting?
hoagland at ...60...
Mon Nov 20 21:26:22 EST 2000
At 1:58 AM -0500 11/20/00, Martin Roesch wrote:
>> On Sun, Nov 19, 2000 at 06:18:21AM -0500, Joseph Nicholas Yarbrough wrote:
>> > Hi,
>> > We run snort on up to 4 interfaces per machine. It is needed so we can see
>> You're running linux and use Sebastian's patch and pass interface 'any' to
>> snort, right? It's going to be hard to track down the interface name since all the
>> data is being gathered and passed on at the kernel level and no interface is supplied.
>> The 'proper' way of implementing multiple-interfaces support is either via
>> fork()ing or multithreading. I've made a prototype for multithreading in snort
>> code a while ago and talked to guys from www.tcpdump.org; they said
>> libpcap capable of being used by threaded applications is 'planned'. :) So I have
>> given up that idea for a while. Forking could be done quickly, but so far it makes no
>> sense to do that since it adds extra complexity without any additional
>> functionality (e.g. you can start several daemons and get the same effect).
>> Still, if you're running multiple snort processes on multiple interfaces and
>> want to have it available, I think it is possible to add the interface name to
>> the Packet structure, if Marty doesn't mind such a change :)
>I don't mind the change, but shouldn't it be implicit what i/f the packet came
>in on based on what IP addresses are in the alert? :) I think "-I" is still
>available as a command line switch... :)
Please do not make this standard. We would then probably need to
change the parser in SnortSnarf (again). But if it is an option, we
can just say it isn't supported if we didn't feel like parsing it.
(Don't mind me, it's just the stress from moving ...) :)
|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* hoagland at ...60... *|
|* http://www.silicondefense.com/ *|
|* Voice: (707) 445-4355 x13 Fax: (707) 445-4222 *|