Thread: PF + SNORT on one machine
View Single Post
  #5   (View Single Post)  
Old 16th April 2009
s2scott's Avatar
s2scott s2scott is offline
Package Pilot
  
Join Date: May 2008
Location: Toronto, Ontario Canada
Posts: 198
Default
Quote:
Originally Posted by WeakSauceIII View Post
I use OpenBSD 4.3 for my home NAT/firewall. I recently installed SNORT 2.8.0.1 on the same machine. According to the SNORT website FAQ, SNORT will see all packets on the external interface even if PF blocks them. This seems to not be the case for OpenBSD. Does anyone know why SNORT cannot see packets that PF blocks when both PF and SNORT are operating on the same external interface? I want to see scans and other activity in the SNORT alert log even if PF blocked those packets.

Please post the pf.conf, in particular please show the nat/rdr's.

/S
__________________
Never argue with an idiot. They will bring you down to their level and beat you with experience.
Reply With Quote