[Snort-users] Snort doesn't understand pf (openbsd) format

Sean Brown sblinux at ...9344...
Mon Nov 29 22:17:01 EST 2004


On November 29, 2004 8:16 pm, Matt Kettler wrote:
> At 08:52 PM 11/29/2004, Sean Brown wrote:
> > > It's unclear if OpenBSD generates real tcpdump files that any ordinary
> > > tcpdump can read, or if they patched tcpdump to support them.
> >
> >It doesn't, it is a modified format that the tcpdump in OpenBSD was
> >patched to read. However, in the FAQ:
> >
> >4.4 Does snort see packets filtered by IPTables/IPChains/IPF/PF?
> >...
> >Under OpenBSD you can snort just the PF rejects by using the /dev/pflogN
> >interface.
> >
> >Since pflogd simply writes the traffic from pflog, snort should be able to
> >understand the log file, but I have tried to have it read the file and
> >attached it to /dev/pflog0 and it does not understand the traffic. Perhaps
> >the output format changed in one of the recent OpenBSD releases and Snort
> > was never updated. If so, the FAQ needs to be fixed.
>
> Since so many people are responding off list, I'll take a chance to respond
> on-list.
>
> Summary - snort does support PF format log files via -r and pflog devices
> via -i.
>
> However, it only supports said format on a system which has a
> libpcap/tcpdump version that is PF aware. If bpf.h doesn't define the PF
> datalink type, snort will not handle pf files or devices and will generate
> errors if fed them.
>
> The PF log format is an extension of the list of data link formats
> available to pcap, and has been merged to the main tree. The PF "data link"
> adds a header that defines things like what happened to the packet and what
> ruleset is responsible.
>
> Newer releases of libpcap and tcpdump include support for this format,
> older ones don't.
>
> Breno is running snort on a Linux box, and is trying to parse files
> gathered from an OpenBSD box. It appears that some Linux distros include
> the newer releases, others don't. It appears that Breno's Linux box has a
> non-pf-aware version of libpcap/tcpdump. Since snort can't find the defines
> it needs when built on such a system, PF support disappears. Running pf
> files in generates an unknown data link type error as a result.
>
> As an aside, the FAQ entry is semi-irrelevant to this thread. That faq is
> about using snort to listen pflog DEVICES using snort -i /dev/pflog0, not
> parse pflog FILES via snort -r /var/log/pflog. Two totally different
> things.
>
I mentioned the FAQ because it's the only place I know of in Snort's docs that 
mentions pf.

Saying the log file and /dev/pflog0 are two different things is like saying 
the information coming down the wire is different from a tcpdump 
file. /var/log/pflog is the saved output of /dev/pflogN; the only difference 
between them is that /dev/pflogN would have the data coming in as pf rejects it. 
If snort can read /dev/pflogN then it can read /var/log/pflog, assuming of 
course the rest of the requirements are met. While originally the post was 
about reading it on Linux, I have only ever tried it on OpenBSD and it has 
never worked for me, neither reading the log file nor attaching 
to /dev/pflog0, and so I added that I do not believe it is working. In fact, I 
just tried it again with a config I know works and it still does not 
work.

The last time I asked about this, the only response I got was a kind of "why 
would you do something so stupid?"

snort -i pflog0 (really quick nessus scan, didn't wait for the whole thing)

Snort analyzed 12 out of 12 packets, dropping 0(0.000%) packets

Breakdown by protocol:                Action Stats:
    TCP: 0          (0.000%)          ALERTS: 0
    UDP: 0          (0.000%)          LOGGED: 0
   ICMP: 0          (0.000%)          PASSED: 0
    ARP: 0          (0.000%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 12         (100.000%)
DISCARD: 0          (0.000%)

snort -r /var/log/pflog
Snort processed 1100 packets.
Breakdown by protocol:                Action Stats:

    TCP: 0          (0.000%)          ALERTS: 0
    UDP: 0          (0.000%)          LOGGED: 0
   ICMP: 0          (0.000%)          PASSED: 0
    ARP: 0          (0.000%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 1100       (100.000%)
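The thread above turns on one check: whether the link-layer type stored in a capture matches a DLT that the local libpcap's bpf.h knows about, since snort's pflog decoder is only present when DLT_PFLOG is defined there. The following script is an added example (not part of the post or of Snort) that reads the pcap global header of a file, names its DLT, and reports whether a snort built against a given set of bpf.h DLT values would decode it or fall into the "unknown data link type" case; the DLT numbers are libpcap's, the sample captures and the two DLT sets are constructed.

```python
import struct

# Link-layer types as numbered in libpcap's bpf.h
DLT_NAMES = {
    0: "DLT_NULL", 1: "DLT_EN10MB", 17: "DLT_OLD_PFLOG",
    105: "DLT_IEEE802_11", 108: "DLT_LOOP", 113: "DLT_LINUX_SLL",
    117: "DLT_PFLOG",
}
PFLOG_TYPES = {17, 117}  # old (pre-3.4) and current OpenBSD pflog DLTs

def pcap_linktype(data: bytes) -> int:
    """Return the link-layer type from a pcap file's 24-byte global header."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:      # bytes d4 c3 b2 a1: little-endian writer
        order = "<"
    elif magic == 0xD4C3B2A1:    # bytes a1 b2 c3 d4: big-endian writer
        order = ">"
    else:
        raise ValueError("not a pcap file (bad magic 0x%08x)" % magic)
    # magic, version major/minor, thiszone, sigfigs, snaplen, linktype
    return struct.unpack(order + "IHHiIII", data[:24])[6]

def diagnose(data: bytes, local_dlts: set) -> str:
    """local_dlts stands in for the DLT_* values the local bpf.h defines
    (assumption: snort handles pflog only when DLT_PFLOG is among them)."""
    lt = pcap_linktype(data)
    name = DLT_NAMES.get(lt, "unknown DLT %d" % lt)
    if lt in local_dlts:
        return f"{name}: decodable"
    if lt in PFLOG_TYPES:
        return f"{name}: pflog capture, local libpcap lacks it -> unknown data link type"
    return f"{name}: not supported by local libpcap"

def make_pcap(linktype: int, frames) -> bytes:
    """Build a minimal little-endian pcap file (constructed test data)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1101779821 + i, 0, len(f), len(f)) + f
    return out

# Constructed samples: a pflog file with one opaque 64-byte record,
# and an Ethernet file with one minimal broadcast frame.
SAMPLE_PFLOG = make_pcap(117, [b"\x00" * 64])
SAMPLE_ETHER = make_pcap(1, [b"\xff" * 6 + b"\x00" * 6 + b"\x08\x00" + b"\x00" * 20])
OLD_LIBPCAP_DLTS = {0, 1, 105, 108, 113}          # pflog-unaware bpf.h
NEW_LIBPCAP_DLTS = OLD_LIBPCAP_DLTS | {17, 117}   # PF-aware bpf.h

if __name__ == "__main__":
    for sample in (SAMPLE_PFLOG, SAMPLE_ETHER):
        print(diagnose(sample, OLD_LIBPCAP_DLTS), "|", diagnose(sample, NEW_LIBPCAP_DLTS))
```

To run it against a real file, pass `open("/var/log/pflog", "rb").read(24)` to `diagnose` with the DLT set matching the libpcap snort was built against.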