[Snort-devel] Re: [Snort-users] Snort dont understand pf (openbsd) format
Christian Robottom Reis
kiko at ...2474...
Wed Dec 1 05:32:11 EST 2004
On Tue, Nov 30, 2004 at 08:11:59PM -0700, Sean Brown wrote:
> > Hmm.. from looking at the snort code, snort is using the old pf log header
> > format, not the current one..
> I thought it might be but I'm not qualified to say. Any hope of getting a fix
> in by 2.3 or is it too late for that? Is it as simple as putting the
> structure for the new log in place of the old one?
Breno and I hacked a patch for this yesterday. It's a rather crude patch
because it doesn't deal with:
- The fact that you may not have a `modern' libpcap on your system (one that
  when linked to tcpdump can read a modern pf log; that's a simple enough
  test -- FreeBSD's pftcpdump does work).
- Backwards-compatibility to old pf logs
We'd love to see it go into 2.3.x, of course -- we're relying on a
patched version of Snort for now, and that's not comfortable.
Does anyone have an idea on how likely acceptance of this is? Deadline?
We could get a cleaned up patch, of course. It would be helpful if
someone with an older OpenBSD box could provide us with a sample log so
we can try and be backwards-compatible (the header format has changed
significantly -- for instance, the address family field is now no longer
a 32-bit integer, so ntohl shouldn't be used in DecodePflog).
Christian Robottom Reis | http://async.com.br/~kiko/ | [+55 16] 3361 2331
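As an added illustration of the header change Christian describes (example code, not the patch from the thread and not Snort's own DecodePflog): a decoder that reads the address family as the single byte it now is, beside the 32-bit big-endian read the old code performed. The pfloghdr layout, the field offsets and the 45/48 header length values are assumptions taken from the OpenBSD net/if_pflog.h of that era; the sample capture is constructed.

```c
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

/* Assumed layout of the post-3.4 OpenBSD pf log header (struct pfloghdr in
 * net/if_pflog.h): length(1) af(1) action(1) reason(1) ifname(16) ruleset(16)
 * rulenr(4) subrulenr(4) dir(1) pad(3). The kernel writes 45 into length and
 * the capture is BPF word-aligned to 48 bytes. Offsets follow that layout. */
#define PFLOG_IFNAMSIZ    16
#define PFLOG_OFF_IFNAME  4
#define PFLOG_OFF_RULENR  36
#define PFLOG_OFF_DIR     44
#define PFLOG_REAL_HDRLEN 45

typedef struct {
    uint8_t  af, action, dir;   /* af is sa_family_t: one byte, not 32 bits */
    uint32_t rulenr;
    char     ifname[PFLOG_IFNAMSIZ + 1];
} pflog_fields;

/* What the pre-patch decoder did: read the first four bytes as a big-endian
 * 32-bit address family. On the new layout that word is length|af|action|reason. */
uint32_t legacy_af(const uint8_t *buf)
{
    uint32_t v; memcpy(&v, buf, sizeof v); return ntohl(v);
}

/* Decode the new-style header into *out. Returns the aligned header length to skip
 * before the IP packet, or 0 when the capture is short or the length byte does not
 * match this layout (an old-format pf log, for instance). */
size_t decode_pflog(const uint8_t *buf, size_t len, pflog_fields *out)
{
    uint32_t rn;
    if (len < 1 || buf[0] != PFLOG_REAL_HDRLEN) return 0;
    size_t hdrlen = (buf[0] + 3u) & ~3u;          /* BPF_WORDALIGN: 45 -> 48 */
    if (len < hdrlen) return 0;
    out->af = buf[1];                             /* single byte: no ntohl() here */
    out->action = buf[2]; out->dir = buf[PFLOG_OFF_DIR];
    memcpy(out->ifname, buf + PFLOG_OFF_IFNAME, PFLOG_IFNAMSIZ);
    out->ifname[PFLOG_IFNAMSIZ] = '\0';
    memcpy(&rn, buf + PFLOG_OFF_RULENR, sizeof rn);
    out->rulenr = ntohl(rn);                      /* 32-bit fields still need ntohl() */
    return hdrlen;
}

/* Constructed sample capture: inbound IPv4 pass on em0 matched by rule 7. */
static const uint8_t SAMPLE_PFLOG[48] = {
    45, 2 /* AF_INET */, 0 /* PF_PASS */, 0, 'e', 'm', '0',   /* ifname pads to 16 */
    [PFLOG_OFF_RULENR] = 0, 0, 0, 7,                            /* rulenr 7, big-endian */
    [PFLOG_OFF_DIR] = 1 /* PF_IN */ };
```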