DaemonForums  

OpenBSD > OpenBSD Security

#1  24th September 2008
WeakSauceIII (Port Guard; Join Date: May 2008; Posts: 30)

PF + SNORT on one machine

I use OpenBSD 4.3 for my home NAT/firewall. I recently installed SNORT 2.8.0.1 on the same machine. According to the SNORT website FAQ, SNORT will see all packets on the external interface even if PF blocks them. This seems to not be the case for OpenBSD. Does anyone know why SNORT cannot see packets that PF blocks when both PF and SNORT are operating on the same external interface? I want to see scans and other activity in the SNORT alert log even if PF blocked those packets.

#2  24th September 2008
jggimi (More noise than signal; Join Date: May 2008; Location: USA; Posts: 3,798)

It's been years since I have used Snort on OpenBSD, so I cannot provide up-to-date knowledge... but from fading memory, it seems that you should be able to analyze logged information from the pflog(4) device or from pflogd(8) logfiles.

To log traffic, be sure to add the log option to each filter rule you are interested in, either passed or blocked.

As to why blocked NIC traffic is blocked from Snort? My best guess: Snort is a userland application; PF is part of the kernel. PF prevents userland processes from seeing blocked traffic.

Last edited by jggimi; 24th September 2008 at 11:05 PM.

#3  25th September 2008
WeakSauceIII (Port Guard; Join Date: May 2008; Posts: 30)

Thanks for the reply. snort can no longer read the pflog interface without some patch. Seems OBSD added some headers or some such in recent versions, which causes snort to choke. I understand what you said about PF being in the kernel as well; it's just that the snort team claims otherwise and I wanted to know if anyone else was doing it. Oh well.

#4  25th September 2008
jggimi (More noise than signal; Join Date: May 2008; Location: USA; Posts: 3,798)

You're best off asking on the ports@ mailing list; there are plenty of Snort users there.

#5  16th April 2009
s2scott (Package Pilot; Join Date: May 2008; Location: Toronto, Ontario Canada; Posts: 198)

Quote: Originally Posted by WeakSauceIII
I use OpenBSD 4.3 for my home NAT/firewall. I recently installed SNORT 2.8.0.1 on the same machine. According to the SNORT website FAQ, SNORT will see all packets on the external interface even if PF blocks them. This seems to not be the case for OpenBSD. Does anyone know why SNORT cannot see packets that PF blocks when both PF and SNORT are operating on the same external interface? I want to see scans and other activity in the SNORT alert log even if PF blocked those packets.

Please post the pf.conf, in particular please show the nat/rdr's.

/S

#6  30th July 2009
sphex (New User; Join Date: Jun 2009; Posts: 5)

Yop!
I don't know if you need help anymore, but in case...!
You have to log your rules (have a look at the pf FAQ for logging!)
and after that use the -i option in snort to listen on the interface that pf logs to (maybe pflog).
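As an added example (not code from the thread), a small sh script that checks a pf.conf for the gap jggimi and sphex describe: a filter rule without the log keyword never copies its packets to pflog0, so a snort bound to pflog0 cannot see them. The sample pf.conf, the interface names fxp0/fxp1 and the ruleset are constructed for the example; pfctl, tcpdump and snort appear only in comments.

```shell
#!/bin/sh
# Added example, not from the thread. PF copies a packet to pflog0 only when
# the rule that matched it carries the "log" keyword, so Snort or tcpdump on
# pflog0 sees nothing from an unlogged "block in on $ext_if all". This lints
# a pf.conf for pass/block rules lacking "log" (single-line rules only).

# Print each pass/block rule that has no "log" keyword, with its line number.
unlogged_rules() {
    awk '
        $1 != "block" && $1 != "pass" { next }   # comments, macros, nat/rdr
        {
            logged = 0
            for (i = 2; i <= NF; i++) if ($i == "log") { logged = 1; break }
            if (!logged) print NR ": " $0
        }' "$@"
}

# Number of unlogged filter rules; 0 means every decision reaches pflog0.
count_unlogged() { unlogged_rules "$@" | wc -l | tr -d ' '; }

# Emit a copy where every "block ..." rule without "log" reads "block log ...".
log_all_blocks() {
    awk '
        $1 == "block" {
            logged = 0
            for (i = 2; i <= NF; i++) if ($i == "log") { logged = 1; break }
            if (!logged) $1 = "block log"
        }
        { print }' "$@"
}

# Constructed pf.conf in OpenBSD 4.3 syntax; fxp0/fxp1 are assumed names.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
ext_if = "fxp0"
int_if = "fxp1"
# NAT for the home LAN
nat on $ext_if from $int_if:network to any -> ($ext_if)
block in on $ext_if all
pass out on $ext_if keep state
pass in on $ext_if proto tcp to ($ext_if) port ssh keep state
pass in log on $ext_if proto tcp to ($ext_if) port 80 keep state
EOF

unlogged_rules "$SAMPLE_CONF"       # lists the block, pass out and ssh rules
log_all_blocks "$SAMPLE_CONF"       # check with pfctl -nf, load with pfctl -f,
                                    # then watch pflog0 (tcpdump -i pflog0 or snort -i pflog0)
```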