[Snort-users] Snort don't understand pf (openbsd) format

Matt Kettler mkettler at ...4108...
Mon Nov 29 15:30:00 EST 2004


At 06:09 PM 11/29/2004, Breno Leitão wrote:
>leitao at ...12726...:~/snort/snort-2.3.0RC1/src$ ./snort -c snort.conf -l /tmp -r 
>~/tmp/pflog.2

<snip>

>     What is wrong with that? Does snort understand the pf log format?

No, snort doesn't understand any textual log formats at all, including pf.

The manpage is pretty clear about what kind of format -r expects. It 
expects a tcpdump format file.

It also doesn't expect a copy of tcpdump's text-mode output, it expects a 
tcpdump capture file generated with tcpdump -w. Such files are binary 
files, not text. They are more-or-less a capture of the packets in their 
raw format, just dumped to disk instead of in memory, so it's pretty easy 
for snort to parse.

Reconstructing a packet from an ascii mode logfile is a considerable feat, 
if it's even possible (not all log formats dump the entire packet contents, 
does PF?)

 From the snort manpage:

        -r tcpdump-file
               Read the tcpdump-formatted file tcpdump-file.  This
               will  cause  Snort to read and process the file fed
               to it.  This is useful if, for instance, you've got
               a  bunch  of  SHADOW files that you want to process
               for content, or even  if  you've  got  a  bunch  of
               reassembled  packet fragments which have been writ-
               ten into a tcpdump formatted file.
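
Added example, not part of the thread or of Snort itself: a check of a file's leading bytes to tell a tcpdump -w capture (libpcap magic and global header, or a pcapng section header) from a plain text log before handing it to -r. The DLT_ link-type names are libpcap's; the sample header and the log line are constructed.

```python
import string
import struct

# libpcap global-header magic values, as read little-endian from the file.
# The magic is written in the capturing host's byte order, so seeing the
# byte-swapped value means the file is big-endian.
PCAP_MAGIC_LE = 0xA1B2C3D4
PCAP_MAGIC_BE = 0xD4C3B2A1
PCAPNG_MAGIC = 0x0A0D0D0A          # pcapng section header block type
PCAP_HEADER_LEN = 24

# A few link-layer types a capture may carry (values from libpcap's DLT_* list).
LINKTYPES = {1: "DLT_EN10MB", 12: "DLT_RAW", 117: "DLT_PFLOG"}


def classify_capture(data: bytes) -> dict:
    """Classify the start of a file as pcap, pcapng, text, or unknown."""
    if len(data) >= 4:
        (magic,) = struct.unpack("<I", data[:4])
        if magic == PCAPNG_MAGIC:
            return {"kind": "pcapng"}
        order = {PCAP_MAGIC_LE: "<", PCAP_MAGIC_BE: ">"}.get(magic)
        if order is not None and len(data) >= PCAP_HEADER_LEN:
            _, major, minor, _tz, _sig, snaplen, linktype = struct.unpack(
                order + "IHHiIII", data[:PCAP_HEADER_LEN])
            return {
                "kind": "pcap",
                "byte_order": "little" if order == "<" else "big",
                "version": f"{major}.{minor}",
                "snaplen": snaplen,
                "linktype": linktype,
                "linktype_name": LINKTYPES.get(linktype, f"DLT_{linktype}"),
            }
    # Text logs (tcpdump -n output, syslog-style pf lines) are printable ASCII.
    printable = set(string.printable.encode())
    if data and all(b in printable for b in data[:512]):
        return {"kind": "text"}
    return {"kind": "unknown"}


def classify_file(path: str) -> dict:
    """Read just enough of a file on disk to classify it."""
    with open(path, "rb") as fh:
        return classify_capture(fh.read(PCAP_HEADER_LEN + 512))


# Constructed samples: a minimal little-endian pcap header (link type 1,
# Ethernet) and one syslog-style text line; neither comes from a real host.
SAMPLE_PCAP = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
SAMPLE_TEXT = b"Nov 29 18:09:00 gw pf: block in on fxp0: 10.0.0.1 > 10.0.0.2\n"

if __name__ == "__main__":
    print(classify_capture(SAMPLE_PCAP))   # kind pcap, DLT_EN10MB
    print(classify_capture(SAMPLE_TEXT))   # kind text
```

Running it against the file from the original command line (`classify_file("pflog.2")`) shows at a glance whether -r is being fed a binary capture or text.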
