[Bro] Identifying interface when running with multiple interfaces

James Lay jlay at slave-tothe-box.net
Sat Jul 26 05:37:02 PDT 2014


On Sat, 2014-07-26 at 00:32 -0400, Seth Hall wrote:
> On Jul 25, 2014, at 7:42 PM, James Lay <jlay at slave-tothe-box.net> wrote:
> 
> > /usr/local/bin/bro --no-checksums -i eth0 -i ppp0 local
> > "Site::local_nets += { x.x.x.x/32,192.168.1.0/24 }" &
> > 
> > Is there something I can do to add a field that would let me know which
> > interface the traffic came in on?
> 
> Nope, sorry.  I would recommend running this as a cluster with two workers.  One sniffing each interface.  This is how SecurityOnion approaches this issue.
> 
>   .Seth
> 
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
> 

Thanks Seth...does clustering require using broctl?

James
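As an added illustration of the two-worker layout Seth suggests (this is not configuration from the thread or from the Bro project; node names, hostnames and the use of a single host are assumptions), here is a broctl node.cfg in which one worker sniffs eth0 and a second sniffs ppp0, so that each worker's name encodes the interface it captures from:

```ini
# node.cfg (added example, not from the original thread)
# One manager, one proxy and two workers on the same host.
# Each worker is pinned to a single interface, so which worker
# produced a record tells you which interface the traffic arrived on.

[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

# Worker sniffing the wired interface
[worker-eth0]
type=worker
host=localhost
interface=eth0

# Worker sniffing the PPP link
[worker-ppp0]
type=worker
host=localhost
interface=ppp0
```

The other parts of the standalone command line map onto broctl files rather than node.cfg: the local networks go into networks.cfg (one network per line, e.g. `192.168.1.0/24`), and the `--no-checksums` flag corresponds to `redef ignore_checksums = T;` in local.bro. After editing node.cfg, `broctl install` followed by `broctl start` brings the cluster up, and `broctl status` should list both workers running.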
