Snort mailing list archives

Re: monitoring pflog0 on obsd


From: Mark Nipper <nipsy () tamu edu>
Date: Wed, 8 Oct 2003 18:27:31 -0500

On 08 Oct 2003, MH wrote:
> When you monitor pflogd, you use tcpdump.
>
> tcpdump -ni pflog0
>
> You will see a warning about an ip address not being
> assigned, that's normal because there isn't. :)

        He should be able to use anything that reads raw network
streams, which snort is capable of doing just like tcpdump.
Ultimately, I just think his snort is not seeing packets which
cause any alerts.  There is no intrinsic connection between
OpenBSD's pf and snort, so just because the firewall drops a
packet doesn't mean snort will generate an alert.

-- 
Mark Nipper                                                e-contacts:
Computing and Information Services                      nipsy () tamu edu
Texas A&M University                        http://ops.tamu.edu/nipsy/
College Station, TX 77843-3142     AIM/Yahoo: texasnipsy ICQ: 66971617
(979)575-3193                                      MSN: nipsy () tamu edu

---begin random quote of the moment---
"Never underestimate the bandwidth of a station wagon filled with
magtape, or a 747 filled with CD-ROMs."
 -- from the Jargon File's definition of sneakernet
----end random quote of the moment----
