Snort mailing list archives

Re: Snort dont understand pf (openbsd) format


From: Breno Leitão <leitao () async com br>
Date: Thu, 2 Dec 2004 23:23:49 -0200

On Wed, Dec 01, 2004 at 03:04:02PM -0500, Jeremy Hewlett wrote:

Does anyone have an idea on how likely acceptance of this is? Deadline?
<snip>
If you still need help with testing, let me know.

Jeremy, we did the patch and it seems to be working. Now Snort can understand both the new
and the old pflog format. I didn't test it much, because I don't have a lot
of OpenBSD logs. The old ones I found with Schubert at #openbsd
(irc.linux.org), but they are scarce.

I have some doubts about this patch:
   This patch needs to run with the "multi-DLT" version of libpcap; if you don't
   have it, libpcap cannot understand datalink types 17 and 117
   and Snort gives errors. Should we detect that Snort is not using a
   multi-DLT pcap and print a friendly message to the users?

   I have cut/pasted DecodeOldPflog from DecodePflog and changed some
   things inside it. I know this isn't good software engineering practice, but
   I did it because it does not change the "grinder" interface. Understand!?

   I have defined DLT_OLDPFLOG as 17 in snort.c; this is crappy :-(. Any
   suggestions are welcome.


That is it.

Thank you guys.
Cheers, 
Breno Henrique Leitão
http://lcr.icmc.usp.br
-- 
Async Open Source
+55 (16) 3361 2331
São Carlos, SP
Brazil
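An added example, not part of Breno's patch or the Snort source, of the two decode paths the message describes: a C decoder that dispatches on the libpcap datalink type, reads the old fixed 28-byte pflog header (DLT 17) and the new length-prefixed header (DLT 117), and reports an unsupported DLT with the kind of friendly message the message asks about. The field layouts, offsets, the 45-byte real header length and the OpenBSD address-family numbers are taken from OpenBSD's if_pflog.h as it stood in 2003-2004 (before the uid/pid fields were added) and are assumptions here; the sample records are constructed, not real captures.

```c
/* Added example: decode both pflog link-layer headers as a pcap reader would.
 * Assumed layouts (OpenBSD if_pflog.h, 2003-2004, before uid/pid fields):
 *   DLT 17  old pflog: 28 fixed bytes, every field in network byte order
 *   DLT 117 new pflog: length-prefixed, 45 real bytes padded to 48 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DLT_OLD_PFLOG 17
#define DLT_PFLOG     117

#define PFLOG_IFNAMSIZ          16
#define PFLOG_RULESET_NAME_SIZE 16
#define OLD_PFLOG_HDRLEN        28
#define PFLOG_REAL_HDRLEN_2004  45   /* offsetof(struct pfloghdr, pad) */

/* Address families in the record are OpenBSD's numbers, not the host's:
 * AF_INET6 is 24 on OpenBSD and 10 on Linux, so compare against these. */
#define OBSD_AF_INET  2
#define OBSD_AF_INET6 24

struct pflog_info {
    unsigned af, action, reason, dir;
    uint32_t rulenr;
    uint32_t subrulenr;                 /* 0xffffffff = none; old format has no field */
    char ifname[PFLOG_IFNAMSIZ + 1];
    char ruleset[PFLOG_RULESET_NAME_SIZE + 1];
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void cstr(char *dst, const uint8_t *src, size_t n) { memcpy(dst, src, n); dst[n] = '\0'; }

/* Returns the header length to skip to reach the IP packet, or -1 with a
 * message in err when the record is truncated or the DLT is not pflog. */
int decode_pflog(int dlt, const uint8_t *pkt, size_t caplen,
                 struct pflog_info *out, char *err, size_t errlen)
{
    memset(out, 0, sizeof *out);
    switch (dlt) {
    case DLT_OLD_PFLOG:
        if (caplen < OLD_PFLOG_HDRLEN) {
            snprintf(err, errlen, "old pflog: caplen %zu < %d", caplen, OLD_PFLOG_HDRLEN);
            return -1;
        }
        out->af = be32(pkt);
        cstr(out->ifname, pkt + 4, PFLOG_IFNAMSIZ);
        out->rulenr = be16(pkt + 20);
        out->reason = be16(pkt + 22);
        out->action = be16(pkt + 24);
        out->dir    = be16(pkt + 26);
        return OLD_PFLOG_HDRLEN;
    case DLT_PFLOG: {
        unsigned hlen;
        if (caplen < 1 || pkt[0] < PFLOG_REAL_HDRLEN_2004) {
            snprintf(err, errlen, "pflog: header length field too small");
            return -1;
        }
        hlen = (pkt[0] + 3u) & ~3u;     /* BPF_WORDALIGN(hdr->length) */
        if (caplen < hlen) {
            snprintf(err, errlen, "pflog: caplen %zu < header %u", caplen, hlen);
            return -1;
        }
        out->af = pkt[1]; out->action = pkt[2]; out->reason = pkt[3];
        cstr(out->ifname,  pkt + 4,  PFLOG_IFNAMSIZ);
        cstr(out->ruleset, pkt + 20, PFLOG_RULESET_NAME_SIZE);
        out->rulenr    = be32(pkt + 36);
        out->subrulenr = be32(pkt + 40);
        out->dir       = pkt[44];
        return (int)hlen;               /* honour the length field, not a hard-coded 48 */
    }
    default:
        snprintf(err, errlen, "DLT %d is not pflog: libpcap must expose DLT 17/117", dlt);
        return -1;
    }
}

/* Version nibble of the IP header behind the pflog header, or -1 if absent. */
int payload_ip_version(const uint8_t *pkt, size_t caplen, int hlen)
{
    if (hlen < 0 || (size_t)hlen >= caplen) return -1;
    return pkt[hlen] >> 4;
}

/* Constructed sample records (not real captures). */
static const uint8_t SAMPLE_OLD[] = {
    0x00,0x00,0x00,0x02,                                   /* af = AF_INET */
    'p','f','l','o','g','0',0,0,0,0,0,0,0,0,0,0,           /* ifname */
    0x00,0x07, 0x00,0x00, 0x00,0x01, 0x00,0x01,            /* rnr 7, match, drop, in */
    0x45,0x00,0x00,0x14, 0x00,0x00,0x40,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0xa8,0x01,0x0a, 0xc0,0xa8,0x01,0x01,              /* IPv4 header */
};
static const uint8_t SAMPLE_NEW[] = {
    45, 24, 0, 0,                                          /* len, AF_INET6, pass, match */
    'e','m','0',0,0,0,0,0,0,0,0,0,0,0,0,0,                 /* ifname */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,                       /* ruleset (main) */
    0x00,0x00,0x00,0x2a, 0xff,0xff,0xff,0xff,              /* rule 42, no sub-rule */
    2, 0,0,0,                                              /* dir = out, pad */
    0x60,0x00,0x00,0x00,                                   /* start of IPv6 header */
};

static struct pflog_info last;
static char lasterr[96];

/* Wrapper used by main() and the tests: decodes into the file-scope result. */
int decode_sample(int dlt, const uint8_t *pkt, size_t caplen)
{
    return decode_pflog(dlt, pkt, caplen, &last, lasterr, sizeof lasterr);
}

int main(void)
{
    int h = decode_sample(DLT_OLD_PFLOG, SAMPLE_OLD, sizeof SAMPLE_OLD);
    printf("old: hdr %d if %s rule %u act %u dir %u ipv%d\n", h, last.ifname,
           last.rulenr, last.action, last.dir, payload_ip_version(SAMPLE_OLD, sizeof SAMPLE_OLD, h));
    h = decode_sample(DLT_PFLOG, SAMPLE_NEW, sizeof SAMPLE_NEW);
    printf("new: hdr %d if %s rule %u sub %u af %u ipv%d\n", h, last.ifname,
           last.rulenr, last.subrulenr, last.af, payload_ip_version(SAMPLE_NEW, sizeof SAMPLE_NEW, h));
    if (decode_sample(1, SAMPLE_OLD, sizeof SAMPLE_OLD) < 0) printf("%s\n", lasterr);
    return 0;
}
```

Two checks matter more than the field copying: the new format's length byte is validated against the captured length before anything behind it is read, and the skip returned to the caller comes from that byte (word-aligned) rather than a hard-coded 48, so a longer header written by a later kernel still lands the caller on the IP packet. The address-family numbers are the logging host's, so a decoder built on Linux must not compare `af` against its own AF_INET6.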

