
Snort Forums Archive


Is it possible for snort to listen on pflog?


Posted by michaelhunt on September 23, 2007 15:01:15

I have a working dual homed NAT firewall running OpenBSD 4.1 and PF. I am new to snort and want to get it working on my firewall. I want it to listen on pflog but I am having no success. tcpdump works fine when listening on pflog but snort does not:

# snort -v -i pflog0
Running in packet dump mode

--== Initializing Snort ==--
Initializing Output Plugins!
Verifying Preprocessor Configurations!

Initializing Network Interface pflog0
OpenPcap() device pflog0 network lookup:
pflog0: no IPv4 address assigned
Decoding OpenBSD PF log on interface pflog0

--== Initialization Complete ==--

,,_ -*> Snort! <*-
o" )~ Version 2.6.0.2 (Build 85)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2006 Sourcefire Inc., et al.

Not Using PCAP_FRAMES
Not IPv4 datagram! ([ver: 0xf][len: 0x0])
Not IPv4 datagram! ([ver: 0xf][len: 0x0])
Not IPv4 datagram! ([ver: 0xf][len: 0x0])
Not IPv4 datagram! ([ver: 0xf][len: 0x0])
^C*** Caught Int-Signal


===============================================================================

Snort received 7 packets
Analyzed: 4(57.143%)
Dropped: 0(0.000%)
Outstanding: 3(42.857%)
===============================================================================
Breakdown by protocol:
TCP: 0 (0.000%)
UDP: 0 (0.000%)
ICMP: 0 (0.000%)
ARP: 0 (0.000%)
EAPOL: 0 (0.000%)
IPv6: 0 (0.000%)
ETHLOOP: 0 (0.000%)
IPX: 0 (0.000%)
FRAG: 0 (0.000%)
OTHER: 0 (0.000%)
DISCARD: 4 (100.000%)
===============================================================================
Action Stats:
ALERTS: 0
LOGGED: 0
PASSED: 0
===============================================================================
Snort exiting

Thanks for taking your time to help a newbie
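The "Not IPv4 datagram! ([ver: 0xf][len: 0x0])" lines mean Snort is reading the IP version nibble from the wrong offset in each pflog record: on DLT_PFLOG the link-layer header is a struct pfloghdr whose first byte holds its own length (padded to a 4-byte boundary), and that length has changed across OpenBSD releases, so a decoder that hard-wires one header size lands inside the header instead of at the IP packet. The parser below is an added example, not Snort's or tcpdump's code; it follows the pfloghdr layout documented for tcpdump/libpcap (length, af, action, reason, ifname[16], ruleset[16], rulenr, subrulenr, optional uid/pid fields, dir, pad), builds a constructed sample record with a constructed IPv4/UDP packet behind it, and contrasts a length-aware decode with a fixed-offset decode that assumes the historical 28-byte header. The constant names, the sample values and the 28-byte "old layout" assumption are this example's own, not from the thread.

```python
"""Length-aware parser for the OpenBSD pflog link-layer header (DLT_PFLOG).

Added example, not code from the Snort project or from the forum posters.
Field layout follows the struct pfloghdr documented for tcpdump/libpcap:
byte 0 is the header length, the header is padded to a 4-byte boundary,
and the captured IPv4/IPv6 packet starts right after the padding.
"""
import struct
from dataclasses import dataclass

# Full 64-byte on-the-wire layout: length, af, action, reason, ifname[16],
# ruleset[16], rulenr, subrulenr, uid, pid, rule_uid, rule_pid (big-endian
# u32), dir, pad[3]. The length byte reports 61 = offsetof(pfloghdr, pad).
PFLOG_HDR = struct.Struct("!BBBB16s16sIIIIIIB3x")
PFLOG_REAL_HDRLEN = 61
# The 44-byte prefix every pfloghdr variant shares; 'dir' is always the last
# byte covered by the length field, so it is read as buf[hdrlen - 1].
PFLOG_PREFIX = struct.Struct("!BBBB16s16sII")
MIN_PFLOG_HDRLEN = 45          # shortest variant that still carries the prefix
OLD_PFLOG_HDRLEN = 28          # assumed fixed size of the pre-pfloghdr layout

AF_NAMES = {2: "inet", 24: "inet6"}       # OpenBSD AF_INET / AF_INET6 values
ACTION_NAMES = {0: "pass", 1: "block"}    # PF_PASS / PF_DROP
DIR_NAMES = {1: "in", 2: "out"}           # PF_IN / PF_OUT


@dataclass
class PflogRecord:
    hdrlen: int
    af: str
    action: str
    reason: int
    ifname: str
    ruleset: str
    rulenr: int
    direction: str
    payload: bytes      # the IP packet PF logged, starting at the version nibble


def word_align(n: int) -> int:
    """Round up to the next multiple of 4 (what BPF_WORDALIGN does)."""
    return (n + 3) & ~3


def cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def ip_version(packet: bytes) -> int:
    """Version nibble of the first byte: 4 for IPv4, 6 for IPv6."""
    if not packet:
        raise ValueError("empty packet")
    return packet[0] >> 4


def parse_pflog_record(buf: bytes) -> PflogRecord:
    """Parse one DLT_PFLOG record using its length byte, not a fixed offset."""
    if len(buf) < MIN_PFLOG_HDRLEN:
        raise ValueError("truncated pflog record")
    hdrlen = buf[0]
    if hdrlen < MIN_PFLOG_HDRLEN:
        raise ValueError(f"unsupported pflog header length {hdrlen}")
    start = word_align(hdrlen)             # payload begins after the padding
    if start > len(buf):
        raise ValueError("pflog header longer than the captured data")
    _, af, action, reason, ifname, ruleset, rulenr, _sub = PFLOG_PREFIX.unpack_from(buf)
    return PflogRecord(
        hdrlen=hdrlen,
        af=AF_NAMES.get(af, str(af)),
        action=ACTION_NAMES.get(action, str(action)),
        reason=reason,
        ifname=cstr(ifname),
        ruleset=cstr(ruleset),
        rulenr=rulenr,
        direction=DIR_NAMES.get(buf[hdrlen - 1], "?"),
        payload=buf[start:],
    )


def decode_with_fixed_offset(buf: bytes, assumed_hdrlen: int = OLD_PFLOG_HDRLEN) -> int:
    """Version nibble a decoder sees if it hard-wires an older header size."""
    return ip_version(buf[assumed_hdrlen:])


def sample_ipv4_udp_packet() -> bytes:
    """Constructed 20-byte IPv4 header + 8-byte UDP header (checksums left 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([192, 0, 2, 1]))
    udp = struct.pack("!HHHH", 40000, 53, 8, 0)
    return ip + udp


def build_pflog_record(ifname: str, af: int, action: int, reason: int,
                       rulenr: int, direction: int, packet: bytes) -> bytes:
    """Constructed sample record in the 64-byte layout (length byte = 61)."""
    hdr = PFLOG_HDR.pack(PFLOG_REAL_HDRLEN, af, action, reason, ifname.encode(),
                         b"", rulenr, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
                         0xFFFFFFFF, 0xFFFFFFFF, direction)
    return hdr + packet


if __name__ == "__main__":
    rec = build_pflog_record("em0", 2, 1, 0, 7, 1, sample_ipv4_udp_packet())
    r = parse_pflog_record(rec)
    print(f"{r.direction} on {r.ifname}: {r.action} by rule {r.rulenr}, "
          f"IP version {ip_version(r.payload)}")
    print("fixed 28-byte offset would read version", decode_with_fixed_offset(rec))
```

Run against the constructed record, the length-aware parse reports an IPv4 packet blocked inbound on em0 by rule 7, while the fixed 28-byte offset reads a zero byte from the ruleset field and reports version 0, which is the same class of failure the "Not IPv4 datagram" counter above is recording. The check that matters for any pflog consumer is the first one: take the header length from byte 0, round it up to a word boundary, and only then look for the IP header.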

Posted by michaelhunt on September 23, 2007 17:23:48

I installed snort-2.7.0.1 from source and I experience the same thing.

I can listen on a real network interface but I need to listen to only the traffic that passes in one interface and out the other. The only way I know how to do that is by listening on pflog. If anybody knows of an alternative that would be great.

I've been digging around the web and found many people have tried to do this. Some have gotten it to work by writing their own patches which I don't have the skills to do. It seems this hasn't been supported for years. Are there plans to add support for this in the future? Does anybody know of a source patch?

Regards,
Michael Huntington


Posted by AleZ on October 22, 2007 15:33:30

look here:
http://www.snort.org/reg-bin/forums.cgi?forum_id=4&topic_id=3712