[Oisf-users] Multiple listening interfaces to multiple log locations

Drew John drew.john at irmplc.com
Fri Sep 6 10:39:55 UTC 2013

Drew John

----- Original Message -----
From: Drew John
Sent: Friday, September 06, 2013 11:37 AM
To: 'osif.users at lists.openinfosecfoundation.org' <osif.users at lists.openinfosecfoundation.org>
Subject: Multiple listening interfaces to multiple log locations

I apologise in advance if this is the wrong place to email questions or ask for support.

I am currently trying to work out the best method to listen on multiple interfaces with Suricata (latest 1.4.5).

My current setup is Suricata, barnyard2, Snort MySQL, custom UI.

The only way I can see this being possible is via launching multiple instances of Suricata.

If you listen via -i eth1 -i eth2, it creates log alerts in the same directory with the same name, meaning there is no way for barnyard2 to tell which interface the traffic came from.

Any suggestions please?


