[Bro] Identifying interface when running with multiple interfaces

Seth Hall seth at icir.org
Fri Jul 25 21:32:27 PDT 2014


On Jul 25, 2014, at 7:42 PM, James Lay <jlay at slave-tothe-box.net> wrote:

> /usr/local/bin/bro --no-checksums -i eth0 -i ppp0 local
> "Site::local_nets += { x.x.x.x/32,192.168.1.0/24 }" &
> 
> Is there something I can do to add a field that would let me know which
> interface the traffic came in on?

Nope, sorry.  I would recommend running this as a cluster with two workers, one sniffing each interface.  This is how SecurityOnion approaches this issue.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
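Editor's note: the two-worker cluster layout suggested above, written out as a broctl node.cfg. This is an added example, not a file from the thread or from the Bro project. The node names, the choice to run every node on localhost, and the proxy/manager split are assumptions; the interface names eth0 and ppp0 are taken from the command line in the question. Site::local_nets from the question would go into networks.cfg rather than node.cfg.

```ini
# node.cfg (assumed layout; example only, not from the original thread)
#
# broctl starts one Bro process per section.  Each worker sniffs exactly one
# interface, so the worker name (worker-1 / worker-2) tells you which
# interface a given worker's traffic came from.  Inside Bro scripts the
# running node's name is available as Cluster::node.

[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

# Worker for the wired interface from the original command line.
[worker-1]
type=worker
host=localhost
interface=eth0

# Worker for the PPP interface from the original command line.
[worker-2]
type=worker
host=localhost
interface=ppp0
```

With this file in place, `broctl install` followed by `broctl start` brings up all four processes; `broctl status` lists them by name, and the x.x.x.x/32 and 192.168.1.0/24 ranges from the question belong in networks.cfg, which broctl uses to populate Site::local_nets. The --no-checksums flag from the original command line is not part of node.cfg; if you need it under broctl it has to be supplied through broctl's own configuration rather than here.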
