Snort mailing list archives
Re: Snort dont understand pf (openbsd) format
From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 30 Nov 2004 11:34:39 -0500
At 01:15 AM 11/30/2004, Sean Brown wrote:
While originally the post was about reading it on Linux, I have only ever tried it on OpenBSD and it has never worked for me, neither reading the log file nor attaching to /dev/pflog0 and so I added that I do not believe it is working. In fact, I just tried it again with a config I know that works and it still does not work.
Hmm.. from looking at the snort code, snort is using the old pf log header format, not the current one..
I'm not sure which version of OpenBSD changed the format, but there is a new and an old format in OpenBSD 3.5's if_pflog.h. Snort's handling code matches the old format.
Looks like snort needs an update to support modern pf formats.

Snort 2.2.0 and 2.3.0rc1 decode.h:

    /* matches OpenBSD's old_pfloghdr below */
    typedef struct _Pflog_hdr
    {
        u_int32_t af;
        char intf[IFNAMSIZ];
        short rule;
        u_short reason;
        u_short action;
        u_short dir;
    } PflogHdr;

OpenBSD:

    /* current layout */
    struct pfloghdr {
        u_int8_t length;
        sa_family_t af;
        u_int8_t action;
        u_int8_t reason;
        char ifname[IFNAMSIZ];
        char ruleset[PFLOG_RULESET_NAME_SIZE];
        u_int32_t rulenr;
        u_int32_t subrulenr;
        u_int8_t dir;
        u_int8_t pad[3];
    };

    /* XXX remove later when old format logs are no longer needed */
    struct old_pfloghdr {
        u_int32_t af;
        char ifname[IFNAMSIZ];
        short rnr;
        u_short reason;
        u_short action;
        u_short dir;
    };
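The two header layouts quoted in the message above, decoded side by side, as an added example that is not Snort's or OpenBSD's code. It reads a pflog frame in either layout into one record, reports where the IP packet starts, and shows what a decoder that overlays the old layout (as the Snort struct above does) takes as the address family of a new-format frame. Assumptions made here and not stated in the thread: IFNAMSIZ and PFLOG_RULESET_NAME_SIZE are 16; multi-byte fields are big-endian because the pflog driver stores them with htonl()/htons() (check your release's if_pflog.c); the format is told apart by a heuristic on the first byte; and the two sample frames are constructed, not captured.

```c
/* Added example (not Snort's or OpenBSD's code): decode both pflog layouts
 * quoted in the thread and show how an old-layout decoder misreads the new one. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IFNAMSIZ 16                 /* assumed, as in <net/if.h> */
#define PFLOG_RULESET_NAME_SIZE 16  /* assumed, as in OpenBSD <net/if_pflog.h> */
#define OLD_PFLOG_HDRLEN 28         /* af(4) ifname(16) rnr(2) reason(2) action(2) dir(2) */
#define NEW_PFLOG_REAL_HDRLEN 45    /* new layout up to, not including, pad[3] */

enum pflog_format { PFLOG_FMT_OLD = 1, PFLOG_FMT_NEW = 2 };

struct pflog_info {
    enum pflog_format format;
    uint32_t af, rulenr, reason, action, dir;
    char ifname[IFNAMSIZ + 1];
    size_t hdrlen;   /* offset of the IP packet behind the pflog header */
};

/* Multi-byte fields are read big-endian: assumption that the pflog driver
 * stores them with htonl()/htons(). The new layout's one-byte fields need none. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Heuristic of this example: a new-layout header opens with its own length byte
 * (45 in OpenBSD 3.5, larger later), an old-layout header with a 4-byte af whose
 * first byte is 0 or a small AF_* value, both well below OLD_PFLOG_HDRLEN. */
static enum pflog_format guess_format(const uint8_t *buf) {
    return buf[0] >= OLD_PFLOG_HDRLEN ? PFLOG_FMT_NEW : PFLOG_FMT_OLD;
}

/* Returns 0 and fills *out, or -1 if the frame is too short for its header. */
int parse_pflog(const uint8_t *buf, size_t len, struct pflog_info *out) {
    if (len < OLD_PFLOG_HDRLEN) return -1;
    memset(out, 0, sizeof *out);
    out->format = guess_format(buf);
    if (out->format == PFLOG_FMT_NEW) {
        size_t hlen = buf[0];
        if (hlen < NEW_PFLOG_REAL_HDRLEN) return -1;
        out->af = buf[1];
        out->action = buf[2];
        out->reason = buf[3];
        memcpy(out->ifname, buf + 4, IFNAMSIZ);
        /* ruleset[16] at 20..35 and subrulenr at 40..43 are not needed here */
        out->rulenr = be32(buf + 36);
        out->dir = buf[44];
        out->hdrlen = (hlen + 3) & ~(size_t)3;   /* BPF_WORDALIGN(length) */
    } else {
        out->af = be32(buf);
        memcpy(out->ifname, buf + 4, IFNAMSIZ);
        out->rulenr = be16(buf + 20);
        out->reason = be16(buf + 22);
        out->action = be16(buf + 24);
        out->dir = be16(buf + 26);
        out->hdrlen = OLD_PFLOG_HDRLEN;
    }
    return out->hdrlen <= len ? 0 : -1;
}

/* The af seen by a decoder that overlays the old layout on any frame. */
uint32_t af_via_old_layout(const uint8_t *buf) { return be32(buf); }

int parse_ok(const uint8_t *buf, size_t len) {
    struct pflog_info info;
    return parse_pflog(buf, len, &info) == 0;
}

/* 1 if the frame decodes to the expected values and an IPv4 header follows. */
int check_sample(const uint8_t *buf, size_t len, enum pflog_format fmt, uint32_t af,
                 const char *ifname, uint32_t rulenr, uint32_t action, uint32_t dir,
                 size_t hdrlen) {
    struct pflog_info i;
    if (parse_pflog(buf, len, &i) != 0) return 0;
    return i.format == fmt && i.af == af && strcmp(i.ifname, ifname) == 0 &&
           i.rulenr == rulenr && i.action == action && i.dir == dir &&
           i.hdrlen == hdrlen && i.hdrlen < len && (buf[i.hdrlen] >> 4) == 4;
}

/* Constructed sample frames (not captures): AF_INET on em0, rule 7, action 1,
 * dir 1, then a minimal 20-byte IPv4 header 10.0.0.1 -> 10.0.0.2. */
#define IFNAME_EM0 'e','m','0',0,0,0,0,0,0,0,0,0,0,0,0,0
#define RULESET_NONE 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0
#define IPV4_STUB 0x45,0x00,0x00,0x14,0,0,0,0,0x40,0x06,0,0,10,0,0,1,10,0,0,2
const uint8_t sample_old[] = { 0,0,0,2, IFNAME_EM0, 0,7, 0,0, 0,1, 0,1, IPV4_STUB };
const uint8_t sample_new[] = { 45,2,1,0, IFNAME_EM0, RULESET_NONE, 0,0,0,7,
                               0xff,0xff,0xff,0xff, 1, 0,0,0, IPV4_STUB };
const size_t sample_old_len = sizeof sample_old;
const size_t sample_new_len = sizeof sample_new;

int main(void) {
    const uint8_t *frames[2] = { sample_old, sample_new };
    size_t lens[2] = { sample_old_len, sample_new_len };
    for (int k = 0; k < 2; k++) {
        struct pflog_info i;
        if (parse_pflog(frames[k], lens[k], &i) != 0) { puts("truncated"); continue; }
        printf("%s layout: af=%u if=%s rule=%u action=%u dir=%u ip at +%zu; "
               "old-layout decoder would see af=%u\n",
               i.format == PFLOG_FMT_NEW ? "new" : "old", (unsigned)i.af, i.ifname,
               (unsigned)i.rulenr, (unsigned)i.action, (unsigned)i.dir, i.hdrlen,
               (unsigned)af_via_old_layout(frames[k]));
    }
    return 0;
}
```

Run stand-alone it decodes both constructed frames; the last number on the new-layout line is the length, af, action and reason bytes read together as one 32-bit af, which is why a decoder built around the old struct never reaches the IP header of a new-format frame and also starts the IP packet 20 bytes too early.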
Current thread:
- Snort dont understand pf (openbsd) format Breno Leitão (Nov 29)
- Re: Snort dont understand pf (openbsd) format Matt Kettler (Nov 29)
- Re: Snort dont understand pf (openbsd) format Matt Kettler (Nov 29)
- Re: Snort dont understand pf (openbsd) format Sean Brown (Nov 29)
- Re: Snort dont understand pf (openbsd) format Matt Kettler (Nov 29)
- Re: Snort dont understand pf (openbsd) format Sean Brown (Nov 29)
- Re: Snort dont understand pf (openbsd) format Matt Kettler (Nov 30)
- Re: Snort dont understand pf (openbsd) format Matt Kettler (Nov 30)
- Re: Snort dont understand pf (openbsd) format Christian Robottom Reis (Nov 30)
- Re: Snort dont understand pf (openbsd) format Sean Brown (Nov 30)
- Re: Snort dont understand pf (openbsd) format Christian Robottom Reis (Dec 01)
- Re: Snort dont understand pf (openbsd) format Jeremy Hewlett (Dec 01)
- Re: Snort dont understand pf (openbsd) format Breno Leitão (Dec 02)
- snort patch to understand pflog (ond and new) Breno Leitão (Dec 03)
- Re: Snort dont understand pf (openbsd) format Matt Kettler (Nov 29)
- Re: Snort dont understand pf (openbsd) format Matt Kettler (Nov 29)
- Re: Snort dont understand pf (openbsd) format M. Shirk (Dec 01)
- Re: Snort dont understand pf (openbsd) format Christian Robottom Reis (Dec 01)