[Snort-devel] interface name reporting?
roesch at ...48...
Wed Nov 22 23:35:13 EST 2000
James Hoagland wrote:
> At 1:58 AM -0500 11/20/00, Martin Roesch wrote:
> >Fyodor wrote:
> >> On Sun, Nov 19, 2000 at 06:18:21AM -0500, Joseph Nicholas Yarbrough wrote:
> >> > Hi,
> >> >
> >> > We run snort on up to 4 interfaces per machine. It is needed so we can see
> >> You're running Linux and use Sebastian's patch and pass interface 'any' to
> >> snort, right? It's going to be hard to track down the interface name since all the
> >> data is being gathered and passed on at the kernel level and no info regarding
> >> an interface is supplied.
> >> The 'proper' way of implementing multiple-interface support is either via
> >> fork()ing or multithreading. I've made a prototype for multithreading in snort
> >> code a while ago and talked to guys from www.tcpdump.org, they said that making
> >> libpcap capable of being used by threaded applications is 'planned'. :) so I have
> >> given up that idea for a while. Forking could be done quickly, but so far it makes no
> >> sense to do that since it adds extra complexity without any additional
> >> functionality (e.g. you can start several daemons and get the same effect).
> >> Still if you're running multiple snort processes on multiple interfaces and
> >> want to have it available, I think it is possible to add the interface name to the
> >> Packet structure, if Marty doesn't mind such a change :)
> >I don't mind the change, but shouldn't it be implicit what i/f the packet came
> >in on based on what IP addresses are in the alert? :) I think "-I" is still
> >available as a command line switch... :)
> Please do not make this standard. We would then probably need to
> change the parser in SnortSnarf (again). But if it is an option, we
> can just say it isn't supported if we didn't feel like parsing it.
> (Don't mind me, it's just the stress from moving ...) :)
It's an option. :) Try -I to get the i/f name in the alert output, it's in