Snort mailing list archives

Re: Snort dont understand pf (openbsd) format

From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 30 Nov 2004 11:44:03 -0500

At 11:34 AM 11/30/2004, Matt Kettler wrote:

At 01:15 AM 11/30/2004, Sean Brown wrote:
While originally the post was
about reading it on Linux, I have only ever tried it on OpenBSD and it has
never worked for me, neither reading the log file nor attaching
to /dev/pflog0 and so I added that I do not believe it is working. Infact, I
just tried it again with a config I know that works and it still does not
work.
Hmm.. from looking at the snort code, snort is using the old pf log headerformat, not the current one..
I'm not sure which version of OpenBSD changed the format, but there is anew and an old format in OpenBSD 3.5's if_pflog.h. Snort's handling codematches the old format.

Did a bit of digging. snort's pflog format matches the one used by OpenBSD3.3, but not 3.4 or newer


http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_pflog.h

rev 1.7 was used in 3.3 and only has one pflog header format.

Rev 1.8 introduced the change.

It appears that the old format goes with bpf.h's datalink type DLT_OLD_PFLG(17), but the new one goes with DLT_PFLOG (117). Unfortunately, in OpenBSD3.3 the old format is DLT_PFLOG (17).

Probably need to do some weird ifdefs to properly patch snort to deal withboth old and new systems. If DLT_OLD_PFLG isn't defined, it's the onlypflog format, if it is, you can support both old and new.


Fun eh?




-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.

Discover which products truly live up to the hype. Start reading now.http://productguide.itmanagersjournal.com/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Snort dont understand pf (openbsd) format Breno Leitão (Nov 29)
- Re: Snort dont understand pf (openbsd) format Matt Kettler (Nov 29)
  - Re: Snort dont understand pf (openbsd) format Matt Kettler (Nov 29)
    - Re: Snort dont understand pf (openbsd) format Sean Brown (Nov 29)
    - Re: Snort dont understand pf (openbsd) format Matt Kettler (Nov 29)
    - Re: Snort dont understand pf (openbsd) format Sean Brown (Nov 29)
    - Re: Snort dont understand pf (openbsd) format Matt Kettler (Nov 30)
    - Re: Snort dont understand pf (openbsd) format Matt Kettler (Nov 30)
    - Re: Snort dont understand pf (openbsd) format Christian Robottom Reis (Nov 30)
    - Re: Snort dont understand pf (openbsd) format Sean Brown (Nov 30)
    - Re: Snort dont understand pf (openbsd) format Christian Robottom Reis (Dec 01)
    - Re: Snort dont understand pf (openbsd) format Jeremy Hewlett (Dec 01)
    - Re: Snort dont understand pf (openbsd) format Breno Leitão (Dec 02)
    - snort patch to understand pflog (ond and new) Breno Leitão (Dec 03)
    - Re: Snort dont understand pf (openbsd) format M. Shirk (Dec 01)
    - Re: Snort dont understand pf (openbsd) format Christian Robottom Reis (Dec 01)
  - Re: Snort dont understand pf (openbsd) format M. Shirk (Dec 01)