PF + SNORT on one machine
I use OpenBSD 4.3 for my home NAT/firewall. I recently installed SNORT 2.8.0.1 on the same machine. According to the SNORT website FAQ, SNORT will see all packets on the external interface even if PF blocks them. This does not seem to be the case on OpenBSD. Does anyone know why SNORT cannot see packets that PF blocks when both PF and SNORT are operating on the same external interface? I want to see scans and other activity in the SNORT alert log even if PF blocked those packets.
It's been years since I have used Snort on OpenBSD, so I cannot provide up-to-date knowledge... but from fading memory, it seems that you should be able to analyze logged information from the pflog(4) device or from pflogd(8) logfiles.
To log traffic, be sure to add the log option to each filter rule you are interested in, either passed or blocked. As to why blocked NIC traffic is hidden from Snort? My best guess: Snort is a userland application; PF is part of the kernel. PF prevents userland processes from seeing blocked traffic.
Last edited by jggimi; 24th September 2008 at 11:05 PM.
Thanks for the reply. Snort can no longer read the pflog interface without some patch. It seems OpenBSD added some headers or some such in recent versions, which causes Snort to choke. I understand what you said about PF being in the kernel as well; it's just that the Snort team claims otherwise and I wanted to know if anyone else was doing it. Oh well.
Yop!
I don't know if you need help anymore, but in case...! You have to log your rules (have a look at the pf FAQ for logging!) and after that use the -i option in Snort to listen on the interface that pf logs to (maybe pflog).
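Both replies above describe the same approach: put the log keyword on the pf rules you care about, then point Snort (or tcpdump) at the pflog interface. The fragment below is an added example for this thread, not the original poster's pf.conf and not anything from the Snort or OpenBSD projects; it uses OpenBSD 4.3-era rule syntax. The interface names (em0 external, fxp0 internal) and the ssh pass rule are assumptions chosen for illustration.

```conf
# Added example pf.conf for a small NAT gateway (assumed interfaces).
ext_if = "em0"
int_if = "fxp0"

set skip on lo
# Collect interface counters for pfctl -si; this does not affect where
# logged packets go. Logged packets always go to pflog0 unless a rule
# says "log (to pflogN)".
set loginterface $ext_if

scrub in on $ext_if all

# Outbound NAT for the LAN.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Spoofed source addresses arriving on the external interface: drop and
# log them first so they get their own rule number in the pflog record.
antispoof log quick for $ext_if

# Default deny. Because of "log", every packet this rule drops is copied
# to pflog0, so a reader on pflog0 sees the scans the stack never does.
block log all

# Example of an allowed service. Plain "log" records only the packet that
# creates the state; "log (all)" would record every packet of the flow.
pass in log on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state

# Let the gateway and the LAN out; logging these would be noisy.
pass out on $ext_if keep state
pass in on $int_if from $int_if:network to any keep state
```

Load it with `pfctl -f /etc/pf.conf` and confirm the rule numbers with `pfctl -vvsr`. `tcpdump -n -e -ttt -i pflog0` then shows each logged packet with the action (block/pass) and the rule number that matched, which is also what `snort -i pflog0` would read, subject to the pflog header issue raised earlier in the thread. To settle the original question for a given box, run `tcpdump -n -i em0` (the raw external interface) during a probe and compare it with what appears on pflog0: if the probe shows up on em0 but not in Snort, the sensor is not seeing bpf traffic on that interface for reasons other than pf.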