[Snort-devel] interface name reporting?

Martin Roesch roesch at ...48...
Wed Nov 22 23:35:13 EST 2000


James Hoagland wrote:
> 
> At 1:58 AM -0500 11/20/00, Martin Roesch wrote:
> >Fyodor wrote:
> >>
> >>  On Sun, Nov 19, 2000 at 06:18:21AM -0500, Joseph Nicholas Yarbrough wrote:
> >>  > Hi,
> >>  >
> >>  > We run snort on up to 4 interfaces per machine. It is needed so we can see
> >>
> >>  You're running linux and use Sebastian's patch and pass interface 'any' to
> >>  snort, right?  it's going to be hard to track down interface name since all the
> >>  data is being gathered and passed on kernel level and there's no info regarding
> >>  an interface is supplied.
> >>
> >>  The 'proper' way of implementing multiple-interfaces support is either via
> >>  fork()ing or multithreading, I've made prototype for multithreading in snort
> >>  code while ago and talked to guys from www.tcpdump.org, they said that making
> >>  libpcap capable to be used by threaded applications is 'planned'. :) so I have
> >>  up that idea for a while. Forking could be done quickly, but so far it makes no
> >>  sense to do that since it adds extra complexity without any additional
> >>  functionality (i.e. you can start several daemons and get the same effect).
> >>
> >>  Still if you're running multiple snort processes on multiple interfaces and
> >>  want to have it available, I think it is possible to add interface name to
> >>  Packet structure, if Marty doesn't mind such change :)
> >
> >I don't mind the change, but shouldn't it be implicit what i/f the packet came
> >in on based on what IP addresses are in the alert? :)  I think "-I" is still
> >available as a command line switch... :)
> >
> 
> Please do not make this standard.  We would then probably need to
> change the parser in SnortSnarf (again).  But if it is an option, we
> can just say it isn't supported if we didn't feel like parsing it.
> 
> (Don't mind me, it's just the stress from moving ...) :)


It's an option. :)  Try -I to get the i/f name in the alert output, it's in
CVS now.

     -Marty

-- 
Martin Roesch
roesch at ...48...
http://www.snort.org
