Snort mailing list archives

Re: monitoring pflog0 on obsd


From: Mark Nipper <nipsy () tamu edu>
Date: Wed, 8 Oct 2003 15:18:48 -0500

On 08 Oct 2003, Shawn Posthumus wrote:
> Hi, I noticed in the FAQ that it is possible to monitor anything pf drops by
> using the pflog0 on openbsd.  I ran snort as
>     snort -i pflog0 -l /snort -c /etc/snort/snort.conf -D -U
> but I do not appear to be picking anything up, even though the pf logs show
> the attacks.  I was wondering if anyone had any ideas of what I am doing
> wrong.  Thanks.

        Does your current snort configuration see the attacks if
you use '-i eth_if' where eth_if is your actual ethernet
interface instead of pf's logging interface?

        I assume the packets coming from pflog0 are not enough to
trigger your snort alerts currently or that you have no alerts
defined in snort which even trigger off the packets being seen on
pflog0.  A simple way to test that theory though is to run snort
on the external interface and see what happens since you'll see
all packets coming across the wire before pf dispatches them
accordingly.

-- 
Mark Nipper                                                e-contacts:
Computing and Information Services                      nipsy () tamu edu
Texas A&M University                        http://ops.tamu.edu/nipsy/
College Station, TX 77843-3142     AIM/Yahoo: texasnipsy ICQ: 66971617
(979)575-3193                                      MSN: nipsy () tamu edu

-----BEGIN GEEK CODE BLOCK-----
GG/IT d- s++:+ a- C++$ UBL+++$ P--->+++ L+++$ E---
W++ N+ o K++ w(---) O++ M V(--) PS+++(+) PE(--) Y+
PGP++(+) t 5 X R tv b+++ DI+(++) D+ G e h r++ y+(**)
------END GEEK CODE BLOCK------

---begin random quote of the moment---
"I love that you get cold when it's 71 degrees out.  I love
that it takes you an hour and a half to order a sandwich.  I
love that you get a little crinkle above your nose when
you're looking at me like I'm nuts.  I love that after I
spend a day with you, I can still smell your perfume on my
clothes.  And I love that you are the last person I want to
talk to before I go to sleep at night.  And it's not because
I'm lonely, and it's not because it's New Year's Eve.  I
came here tonight because when you realize you want to spend
the rest of your life with somebody, you want the rest of
your life to start as soon as possible.

 -- Harry Burns from "When Harry Met Sally", 1989
----end random quote of the moment----
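Added example (not part of the post above, and not Snort or pf code): a small
decoder for what a sensor actually receives on pflog0. Two things are worth
checking before blaming the ruleset. First, pflog0 carries only packets that
matched a pf rule with the "log" keyword, so a "block" rule without "log"
produces nothing there, however often it fires. Second, each record is a pf
header (the DLT_PFLOG link type, 117) followed directly by the IP datagram,
with no Ethernet frame in front of it, so any sensor reading pflog0 must be
decoding that link type rather than Ethernet. The code assumes the pflog
header layout from libpcap's pflog.h (length byte, address family, action,
reason, 16-byte interface name, 16-byte ruleset name, rule numbers in
network byte order, remaining fields padded to the length the header itself
declares) and the pf action/reason codes listed as constants; the interface
name "fxp0", rule number 3 and the addresses in the sample record are
constructed for the example.

```python
import socket
import struct

# Assumed from OpenBSD pf: action codes and the first few reason codes.
PF_ACTIONS = {0: "pass", 1: "block"}          # PF_PASS, PF_DROP
PF_REASONS = ["match", "bad-offset", "fragment", "short", "normalize", "memory"]
AF_INET = 2                                    # OpenBSD/BSD AF_INET value
PFLOG_IFNAMSIZ = 16
PFLOG_RULESET_NAME_SIZE = 16
IPPROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def ipv4_checksum(hdr):
    """RFC 1071 one's-complement sum over an IPv4 header (0 means valid)."""
    if len(hdr) % 2:
        hdr += b"\0"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def looks_like_ipv4(pkt):
    """True if the bytes start with a version-4 header of at least 20 bytes."""
    return len(pkt) >= 20 and pkt[0] >> 4 == 4 and (pkt[0] & 0x0F) >= 5


def parse_pflog(record):
    """Split one pflog0 record into pf metadata and the raw IP datagram."""
    if len(record) < 4:
        raise ValueError("record shorter than the minimal pflog header")
    hdr_len, af, action, reason = struct.unpack("!BBBB", record[:4])
    # A length byte below 44 cannot hold the fields decoded here; it may be
    # the older 28-byte header, which starts with a 4-byte af instead.
    if hdr_len < 44 or len(record) < hdr_len:
        raise ValueError("pflog header length %d not plausible" % hdr_len)
    ifname = record[4:20].split(b"\0", 1)[0].decode("ascii")
    ruleset = record[20:36].split(b"\0", 1)[0].decode("ascii")
    rulenr, subrulenr = struct.unpack("!II", record[36:44])
    return {
        "af": af,
        "action": PF_ACTIONS.get(action, "action-%d" % action),
        "reason": PF_REASONS[reason] if reason < len(PF_REASONS) else "reason-%d" % reason,
        "ifname": ifname,
        "ruleset": ruleset or "main",
        "rulenr": rulenr,
        "subrulenr": subrulenr,
        "packet": record[hdr_len:],         # the datagram; no Ethernet header here
    }


def parse_ipv4(pkt):
    """Decode the IPv4/L4 fields an IDS rule would match on."""
    if not looks_like_ipv4(pkt):
        raise ValueError("not an IPv4 datagram")
    ihl = (pkt[0] & 0x0F) * 4
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    proto = pkt[9]
    info = {
        "src": socket.inet_ntoa(pkt[12:16]),
        "dst": socket.inet_ntoa(pkt[16:20]),
        "proto": IPPROTO_NAMES.get(proto, str(proto)),
    }
    l4 = pkt[ihl:total_len]
    if proto in (6, 17) and len(l4) >= 4:
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    if proto == 6 and len(l4) >= 14:
        info["tcp_flags"] = l4[13]
    return info


def describe_pflog_record(record):
    """Everything a sensor on pflog0 gets for one logged packet, flattened."""
    meta = parse_pflog(record)
    packet = meta.pop("packet")
    if meta["af"] == AF_INET:
        meta.update(parse_ipv4(packet))
    return meta


def build_ipv4(src, dst, proto, payload):
    """Constructed IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_tcp_syn(sport, dport):
    """Constructed 20-byte TCP header with only SYN set (TCP checksum left 0)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0x01020304, 0, 5 << 4, 0x02, 65535, 0, 0)


def build_pflog_record(ifname, action, reason, rulenr, ip_packet, hdr_len=64):
    """Constructed pflog0 record: pf header, then the datagram, nothing else."""
    hdr = struct.pack("!BBBB", hdr_len, AF_INET, action, reason)
    hdr += ifname.encode("ascii").ljust(PFLOG_IFNAMSIZ, b"\0")
    hdr += b"".ljust(PFLOG_RULESET_NAME_SIZE, b"\0")   # empty name = main ruleset
    hdr += struct.pack("!II", rulenr, 0)
    hdr = hdr.ljust(hdr_len, b"\0")                     # uid/pid/dir fields zeroed
    return hdr + ip_packet


# Constructed sample: what pf would hand to pflog0 for a rule like
# "block log on fxp0 proto tcp to port 22" (rule number 3 is made up).
SAMPLE_SYN = build_ipv4("203.0.113.7", "198.51.100.10", 6, build_tcp_syn(40000, 22))
SAMPLE_RECORD = build_pflog_record("fxp0", 1, 0, 3, SAMPLE_SYN)

if __name__ == "__main__":
    for key, value in describe_pflog_record(SAMPLE_RECORD).items():
        print("%-10s %s" % (key, value))
```

The same record handed to an Ethernet decoder fails immediately (the pflog
length byte is not a valid IPv4 version/IHL), which is the quickest way to
tell whether a sensor is treating pflog0 as the link type it really is. To
confirm pf is logging at all, tcpdump -n -e -ttt -i pflog0 shows the same
records with the rule number and action decoded.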


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
