Snort mailing list archives
Re: monitoring pflog0 on obsd
From: Shawn Posthumus <posthums () yahoo com>
Date: Wed, 8 Oct 2003 17:04:31 -0700 (PDT)
Hmm, this could definitely be the case. I haven't changed the defaults for the snaplen. Thanks.

Shawn

--- MH <procana () insight rr com> wrote:

> Hi Shawn,
>
> One thing to point out is that pflogd has a snaplen of 96 by default. You are not capturing enough of the packet to trip your snort rules. Reset pflogd to a snaplen of 1500.
>
> Hope this helps,
> Mike
>
> On Wed, Oct 08, 2003 at 03:41:31PM -0700, Shawn Posthumus wrote:
>
>> --- MH <procana () insight rr com> wrote:
>>
>>> Hi Shawn,
>>> When you monitor pflogd, you use tcpdump.
>>> tcpdump -ni pflog0
>>> You will see a warning about an ip address not being assigned, that's normal because there isn't. :)
>>> Hope this helps,
>>> Mike
>>
>> I realize this. But the snort faq states the following:
>>
>> In general it sees everything the network adapter driver sees before the network stack munges it. Linux IPTables, Linux IPChains, BSD PF and IPF and other packet filters do not prevent snort from seeing a packet that is present on the network wire. Even if an inbound packet is denied by the packet filter Snort will still see and analyze the packet if it is listening to that interface. Snort/pcap sees whatever comes out of or goes into the network adapter.... ... Under OpenBSD you can snort just the PF rejects by using the /dev/pflogN interface.
>>
>> In this case I should be able to pick up the attacks pf dropped by snort. From a remote box I ran port scans and simple web based attacks that I knew snort is configured for, but it's not alerting, while tcpdump -netttr /var/log/pflog shows everything.
>>
>> I am now currently trying snort on my $ext_if, since the above section on faq says that if snort and firewall are on same machine, it can pick up any packet on the wire before pf takes action.
>>
>> Shawn
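Mike's snaplen point can be checked directly against a capture file: pflogd writes /var/log/pflog as a pcap file whose global header records the snaplen, and each record header carries both the captured length and the original packet length, so truncation is visible without guessing. The following is an added example, not code from the thread, that reads such a file and reports whether packets were cut short; the capture it parses is constructed in memory as sample data, and link type 117 is libpcap's DLT_PFLOG value.

```python
import struct

DLT_PFLOG = 117  # libpcap link type that pflogd writes


def parse_pcap(data):
    """Parse a classic (non-pcapng) pcap byte string.

    Returns (snaplen, linktype, records); each record is a
    (captured_len, original_len) pair from the per-packet header.
    The magic number tells us the writer's byte order.
    """
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a pcap file (bad magic)")
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    _, _, _, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    records = []
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        records.append((incl_len, orig_len))
        off += 16 + incl_len  # skip the captured bytes to the next record
    return snaplen, linktype, records


def truncation_report(data, wanted=1500):
    """Summarise whether a capture holds whole packets (snaplen >= wanted, none cut)."""
    snaplen, linktype, records = parse_pcap(data)
    truncated = sum(1 for incl, orig in records if incl < orig)
    return {
        "snaplen": snaplen,
        "is_pflog": linktype == DLT_PFLOG,
        "packets": len(records),
        "truncated": truncated,
        "ok": snaplen >= wanted and truncated == 0,
    }


def make_pcap(snaplen, packets, linktype=DLT_PFLOG):
    """Build a constructed little-endian pcap in memory (sample data, not a real capture)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    body = b""
    for pkt in packets:
        captured = pkt[:snaplen]  # a capturing tool keeps only snaplen bytes
        body += struct.pack("<IIII", 0, 0, len(captured), len(pkt)) + captured
    return hdr + body
```

Run `truncation_report(open("/var/log/pflog", "rb").read())` before and after restarting pflogd with a larger snaplen (its -s option) to confirm that records are no longer shorter than their original length.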