[Snort-users] Snort doesn't understand pf (OpenBSD) format

Breno Leitão leitao at ...12725...
Mon Nov 29 15:10:09 EST 2004

Hello guys,
    For weeks I have been trying to use Snort with pf (OpenBSD) logs on Linux, but
    it didn't work. I broke my nose doing it. :(
    I use snort-2.3.0RC1 on a 2.4.28 kernel. When I try to use it, an error
    occurs; see below:

leitao at ...12726...:~/snort/snort-2.3.0RC1/src$ cat snort.conf 
log ip any -> any (msg: "Normal Logged Traffic"; \
                                       priority: 0;)

leitao at ...12726...:~/snort/snort-2.3.0RC1/src$ ./snort -c snort.conf -l /tmp -r ~/tmp/pflog.2 
Running in IDS mode
Log directory = /tmp
TCPDUMP file reading mode.
Reading network traffic from "/home/leitao/tmp/pflog.2" file.
snaplen = 1500
ERROR: OpenPcap() FSM compilation failed: 
        unknown data link type 117
PCAP command: (null)
Fatal Error, Quitting..

    What is wrong with that? Does snort understand the pf log format? 

Any suggestion will be welcome.

Thank you,
Breno Leitão
Async Open Source
(16) 3361 2331
São Carlos, SP
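An added example, not part of the original thread or of Snort itself: data link type 117 is DLT_PFLOG in libpcap, the pf log encapsulation, and the OpenPcap() error above is this Snort build refusing a capture whose link type it has no decoder for. The Python below is my own code and rewrites such a capture as DLT_RAW (12, raw IP), which Snort's decoder does handle, by dropping the pfloghdr in front of each packet. It relies only on the header's leading length byte, rounded up to a 4-byte (BPF word) boundary the same way tcpdump's pflog printer skips it, so it does not depend on which pf version wrote the file. The embedded sample capture, its pfloghdr field layout and the interface name em0 are constructed assumptions for the demonstration.

```python
import io
import struct
import sys

# libpcap link-layer types (pcap/dlt.h); 117 is the value Snort reported as unknown.
DLT_RAW = 12      # raw IP with no link-layer header; Snort decodes this directly
DLT_PFLOG = 117   # OpenBSD pf log encapsulation
AF_INET = 2       # OpenBSD value (AF_INET6 is 24 there)


def parse_pcap(data):
    """Parse a classic pcap file. Returns (endian, linktype, records); each record
    is (ts_sec, ts_usec, orig_len, packet_bytes). Both byte orders are accepted."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        e = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        e = ">"
    else:
        raise ValueError("not a classic pcap file (magic %r)" % magic)
    vmaj, vmin, _zone, _sig, _snaplen, linktype = struct.unpack_from(e + "HHiIII", data, 4)
    if (vmaj, vmin) != (2, 4):
        raise ValueError("unsupported pcap version %d.%d" % (vmaj, vmin))
    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl, orig = struct.unpack_from(e + "IIII", data, off)
        off += 16
        pkt = data[off:off + incl]
        if len(pkt) != incl:
            raise ValueError("truncated packet data at offset %d" % off)
        off += incl
        records.append((ts_sec, ts_usec, orig, pkt))
    return e, linktype, records


def write_pcap(endian, linktype, records, snaplen=65535):
    """Serialise records back into a classic pcap file with the given link type."""
    out = io.BytesIO()
    out.write(struct.pack(endian + "IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, ts_usec, orig, pkt in records:
        out.write(struct.pack(endian + "IIII", ts_sec, ts_usec, len(pkt), orig))
        out.write(pkt)
    return out.getvalue()


def strip_pflog(pkt):
    """Split one pflog record into (af, inner_ip_packet).

    struct pfloghdr starts with a one-byte length (PFLOG_REAL_HDRLEN) followed by
    the address family; the logged IP packet begins at the next 4-byte boundary
    after that length. Using the length byte instead of a fixed offset keeps this
    correct across the pfloghdr layouts of different pf releases."""
    if len(pkt) < 2:
        raise ValueError("pflog record too short")
    hdrlen = (pkt[0] + 3) & ~3
    if hdrlen < 2 or hdrlen > len(pkt):
        raise ValueError("bad pflog header length %d" % pkt[0])
    return pkt[1], pkt[hdrlen:]


def convert_pflog_to_raw(data):
    """Rewrite a DLT_PFLOG capture as DLT_RAW. Returns (new_pcap_bytes, stats) where
    stats maps address family -> packet count, so IPv6 records are visible."""
    e, linktype, records = parse_pcap(data)
    if linktype != DLT_PFLOG:
        raise ValueError("link type %d is not DLT_PFLOG (%d)" % (linktype, DLT_PFLOG))
    stats, out = {}, []
    for ts_sec, ts_usec, orig, pkt in records:
        af, inner = strip_pflog(pkt)
        stats[af] = stats.get(af, 0) + 1
        out.append((ts_sec, ts_usec, orig - (len(pkt) - len(inner)), inner))
    return write_pcap(e, DLT_RAW, out), stats


def _sample_pflog_record():
    """Constructed sample: a 61-byte pfloghdr (padded to 64 for BPF word alignment)
    carrying a 28-byte IPv4/UDP packet 10.0.0.1:1234 -> 10.0.0.2:53 that pf dropped
    on em0. The field layout is assumed from pf's pfloghdr; the converter only
    looks at the leading length byte."""
    hdr = struct.pack(">BBBB16s16sIIIIIIB3x",
                      61, AF_INET, 1, 0,            # length, af, action (1 = drop), reason
                      b"em0", b"",                   # ifname, ruleset
                      7, 0,                          # rulenr, subrulenr
                      0xffffffff, 0xffffffff,        # uid, pid (none)
                      0xffffffff, 0xffffffff,        # rule_uid, rule_pid (none)
                      1)                             # dir (in), then 3 pad bytes
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    udp = struct.pack(">HHHH", 1234, 53, 8, 0)
    return hdr + ip + udp


# Constructed one-packet DLT_PFLOG capture, little-endian like a file from an x86 box.
SAMPLE_PCAP = write_pcap("<", DLT_PFLOG, [(0, 0, 92, _sample_pflog_record())])

if __name__ == "__main__":
    # usage: pflog2raw.py <pflog capture> <output pcap>; with no arguments uses SAMPLE_PCAP
    src = open(sys.argv[1], "rb").read() if len(sys.argv) > 2 else SAMPLE_PCAP
    converted, stats = convert_pflog_to_raw(src)
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(converted)
    print("converted %d packet(s), per address family: %r" % (sum(stats.values()), stats))
```

Run it as "python3 pflog2raw.py pflog.2 pflog-raw.pcap" (script and output names assumed) and point snort -r at the output. Note what the conversion throws away: the action, direction, interface and rule number that pf recorded in each header are gone from the raw IP file, so keep the original pflog file alongside if that context matters for the investigation.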
