[Bro] Identifying interface when running with multiple interfaces
James Lay
jlay at slave-tothe-box.net
Sat Jul 26 05:37:02 PDT 2014
On Sat, 2014-07-26 at 00:32 -0400, Seth Hall wrote:
> On Jul 25, 2014, at 7:42 PM, James Lay <jlay at slave-tothe-box.net> wrote:
>
> > /usr/local/bin/bro --no-checksums -i eth0 -i ppp0 local
> > "Site::local_nets += { x.x.x.x/32,192.168.1.0/24 }" &
> >
> > Is there something I can do to add a field that would let me know which
> > interface the traffic came in on?
>
> Nope, sorry. I would recommend running this as a cluster with two workers. One sniffing each interface. This is how SecurityOnion approaches this issue.
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
Thanks Seth...does clustering require using broctl?
James
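
One way to lay out the two-worker cluster Seth describes, as an added example that is not part of the original thread. It assumes the cluster is managed with BroControl on a single host; the section names `worker-eth0` and `worker-ppp0` are hypothetical, and the interfaces are the ones from the command line quoted above.

```ini
# node.cfg for BroControl (constructed example, single-host cluster)
# Section names are arbitrary labels chosen for this example.

[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

# One worker per interface: each worker process sniffs exactly one
# interface instead of a single Bro process reading both.
[worker-eth0]
type=worker
host=localhost
interface=eth0

[worker-ppp0]
type=worker
host=localhost
interface=ppp0

# The other options from the original command line are set elsewhere
# under BroControl:
#   broctl.cfg    ->  BroArgs = --no-checksums
#   networks.cfg  ->  one local network per line, e.g. 192.168.1.0/24
```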