[Snort-devel] Re: [Snort-users] Snort dont understand pf (openbsd) format

Christian Robottom Reis kiko at ...2474...
Wed Dec 1 05:32:11 EST 2004


On Tue, Nov 30, 2004 at 08:11:59PM -0700, Sean Brown wrote:
> > Hmm.. from looking at the snort code, snort is using the old pf log header
> > format, not the current one..
> I thought it might be but I'm not qualified to say. Any hope of getting a fix 
> in by 2.3 or is it too late for that? Is it as simple as putting the 
> structure for the new log in place of the old one?

Breno and I hacked a patch for this yesterday. It's a rather crude patch
because it doesn't deal with:

    - The fact that you may not have a `modern' libpcap on your system
      (one that when linked to tcpdump can read a modern pf log; that's
      a simple enough test -- freebsd's pftcpdump does work).

    - Backwards-compatibility to old pf logs

We'd love to see it go into 2.3.x, of course -- we're relying on a
patched version of Snort for now, and that's not comfortable.

Does anyone have an idea on how likely acceptance of this is? Deadline?
We could get a cleaned up patch, of course. It would be helpful if
someone with an older OpenBSD box could provide us with a sample log so
we can try and be backwards-compatible (the header format has changed
significantly -- for instance, the address family field is now no longer
a 32-bit integer, to ntohl shouldn't be used in DecodePflog).

Take care,
--
Christian Robottom Reis | http://async.com.br/~kiko/ | [+55 16] 3361 2331




More information about the Snort-devel mailing list