Identifying interface when running with multiple interfaces

James_Lay · July 25, 2014, 11:42pm

Hey all,

So I run bro with:

/usr/local/bin/bro --no-checksums -i eth0 -i ppp0 local
"Site::local_nets += { x.x.x.x/32,192.168.1.0/24 }" &

Is there something I can do to add a field that would let me know which
interface the traffic came in on? Obviously in this example it's pretty
simple...private IP space will be on eth0 whereas public will be on
ppp0. I am thinking of scenarios where there might be the same IP space
on several interfaces. Thanks for any guidance.

James

Seth_Hall3 · July 26, 2014, 4:32am

Nope, sorry. I would recommend running this as a cluster with two workers. One sniffing each interface. This is how SecurityOnion approaches this issue.

.Seth

James_Lay · July 26, 2014, 12:37pm

Thanks Seth...does clustering require using broctl?

James

Topic		Replies	Views
Question about listening on multiple interfaces Zeek	3	103	May 6, 2022
Multiple interfaces on 2.2-beta-4 Zeek	8	174	May 6, 2022
On Bro's configuration file Zeek	1	55	May 6, 2022
problem of multi-interface monitor? Zeek	1	54	May 6, 2022
Interface Removed From Config but Keeps Monitoring Traffic Zeek	3	70	May 6, 2022

Identifying interface when running with multiple interfaces

Related Topics