[Snort-users] Snort doesn't understand pf (openbsd) format

Matt Kettler mkettler at ...4108...
Mon Nov 29 16:08:04 EST 2004


At 06:27 PM 11/29/2004, Matt Kettler wrote:
> >     What is wrong with that? Does snort understand the pf log format?
>
>No, snort doesn't understand any textual log formats at all, including pf.

Self-correction: pflogd generates tcpdump binary files. So, theoretically, 
it should work with snort -r.

My mistake entirely.

However, looking around, pflogd files aren't exactly tcpdump files: they 
have (or at least had) a "pftcpdump" to read them in FreeBSD:

http://lists.freebsd.org/pipermail/freebsd-current/2004-August/035814.html

http://lists.sans.org/pipermail/list/2004-November/062633.html

It's unclear if OpenBSD generates real tcpdump files that any ordinary 
tcpdump can read, or if they patched tcpdump to support them.
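The open question above, whether a pflogd file is a tcpdump (pcap) file that ordinary tools can read, can be checked directly from the file itself. The example below is added here and is not from the original post, from Snort or from OpenBSD: it parses the pcap global header to find the link-layer type and, for DLT_PFLOG (117), decodes the pfloghdr that pflogd writes in front of every IP packet. It assumes the 48-byte pfloghdr layout of the OpenBSD 3.4/3.5 era (later releases appended fields but kept the leading length byte, which the code honours); the older DLT_OLD_PFLOG (17) layout and IPv6 payloads are not decoded, and the two sample captures are constructed inside the block.

```python
import socket
import struct

# libpcap link-layer types relevant here
DLT_EN10MB = 1        # ordinary Ethernet capture
DLT_OLD_PFLOG = 17    # pre-3.4 pflog layout (not decoded here)
DLT_PFLOG = 117       # pflogd output: pfloghdr followed by the raw IP packet

# struct pfloghdr as used by OpenBSD 3.4/3.5 (assumed): length, af, action, reason,
# ifname[16], ruleset[16], rulenr, subrulenr, dir, 3 bytes pad -> 48 bytes.
# rulenr/subrulenr are written in network byte order by the kernel.
PFLOG_FMT = '!BBBB16s16sIIB3x'
PFLOG_MIN_LEN = struct.calcsize(PFLOG_FMT)   # 48
PF_ACTIONS = {0: 'pass', 1: 'block'}
PF_DIRS = {0: 'in/out', 1: 'in', 2: 'out'}


def parse_pcap(data):
    """Parse a classic libpcap file; returns (linktype, [(ts_sec, ts_usec, packet)])."""
    magic = data[:4]
    if magic == b'\xa1\xb2\xc3\xd4':
        endian = '>'
    elif magic == b'\xd4\xc3\xb2\xa1':
        endian = '<'
    else:
        raise ValueError('not a pcap file (bad magic)')
    _major, _minor, _zone, _sigfigs, _snaplen, linktype = struct.unpack(endian + 'HHiIII', data[4:24])
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + 'IIII', data[off:off + 16])
        off += 16
        pkt = data[off:off + incl_len]
        if len(pkt) < incl_len:
            raise ValueError('truncated record')
        off += incl_len
        records.append((ts_sec, ts_usec, pkt))
    return linktype, records


def decode_pflog(pkt):
    """Split a DLT_PFLOG record into (pflog fields, IP packet bytes)."""
    if len(pkt) < PFLOG_MIN_LEN:
        raise ValueError('record shorter than pfloghdr')
    (length, af, action, reason, ifname, ruleset,
     rulenr, subrulenr, direction) = struct.unpack(PFLOG_FMT, pkt[:PFLOG_MIN_LEN])
    hdrlen = (length + 3) & ~3   # BPF_WORDALIGN, as tcpdump's pflog printer does
    fields = {
        'af': af,
        'action': PF_ACTIONS.get(action, str(action)),
        'reason': reason,
        'ifname': ifname.split(b'\0', 1)[0].decode('ascii', 'replace'),
        'ruleset': ruleset.split(b'\0', 1)[0].decode('ascii', 'replace'),
        'rulenr': rulenr,
        'subrulenr': None if subrulenr == 0xffffffff else subrulenr,
        'dir': PF_DIRS.get(direction, str(direction)),
    }
    return fields, pkt[hdrlen:]


def decode_ipv4(ip):
    """Pull protocol and addresses out of an IPv4 header."""
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError('not an IPv4 header')
    proto, src, dst = struct.unpack('!B2x4s4s', ip[9:20])
    return {'proto': proto, 'src': socket.inet_ntoa(src), 'dst': socket.inet_ntoa(dst)}


def summarize(data):
    """One dict per record: pflog verdict (if any) plus IPv4 endpoints."""
    linktype, records = parse_pcap(data)
    out = []
    for ts_sec, _ts_usec, pkt in records:
        entry = {'ts': ts_sec, 'linktype': linktype}
        if linktype == DLT_PFLOG:
            fields, ip = decode_pflog(pkt)
            entry.update(fields)
        elif linktype == DLT_EN10MB and pkt[12:14] == b'\x08\x00':
            ip = pkt[14:]   # skip the Ethernet header
        else:
            entry['note'] = 'link type or frame not handled'
            out.append(entry)
            continue
        entry.update(decode_ipv4(ip))
        out.append(entry)
    return out


# --- constructed sample captures (not real traffic) ---
def _ipv4_udp(src, dst, sport, dport):
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 28, 1, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + struct.pack('!HHHH', sport, dport, 8, 0)


def _pcap(linktype, pkt):
    gh = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, linktype)
    rh = struct.pack('<IIII', 1101756480, 0, len(pkt), len(pkt))
    return gh + rh + pkt


def sample_pflog_pcap():
    """What pflogd would write for an inbound UDP packet blocked by rule 7 on fxp0."""
    hdr = struct.pack(PFLOG_FMT, PFLOG_MIN_LEN, socket.AF_INET, 1, 0, b'fxp0', b'', 7, 0xffffffff, 1)
    return _pcap(DLT_PFLOG, hdr + _ipv4_udp('192.0.2.10', '198.51.100.5', 40000, 53))


def sample_ethernet_pcap():
    """The same packet as an ordinary Ethernet capture, for comparison."""
    eth = b'\x00\x11\x22\x33\x44\x55' + b'\x66\x77\x88\x99\xaa\xbb' + b'\x08\x00'
    return _pcap(DLT_EN10MB, eth + _ipv4_udp('192.0.2.10', '198.51.100.5', 40000, 53))


if __name__ == '__main__':
    for sample in (sample_pflog_pcap(), sample_ethernet_pcap()):
        for entry in summarize(sample):
            print(entry)
```

Both samples carry the same pcap magic and record headers; only the link-type field (117 versus 1) and the per-packet prefix differ. That is why a stock tcpdump with DLT_PFLOG support reads pflogd output directly, while a reader that assumes Ethernet framing would misparse the 48-byte pflog prefix as a MAC header.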