[Snort-users] Snort doesn't understand pf (OpenBSD) format

Matt Kettler mkettler at ...4108...
Tue Nov 30 08:36:08 EST 2004

At 01:15 AM 11/30/2004, Sean Brown wrote:
>While originally the post was
>about reading it on Linux, I have only ever tried it on OpenBSD and it has
>never worked for me, neither reading the log file nor attaching
>to /dev/pflog0 and so I added that I do not believe it is working. In fact, I
>just tried it again with a config I know that works and it still does not

Hmm.. from looking at the snort code, snort is using the old pf log header 
format, not the current one..

I'm not sure which version of OpenBSD changed the format, but there is a 
new and an old format in OpenBSD 3.5's if_pflog.h. Snort's handling code 
matches the old format.

Looks like snort needs an update to support modern pf formats.

Snort 2.2.0 and 2.3.0rc1 decode.h:

typedef struct _Pflog_hdr
{
    u_int32_t af;
    char intf[IFNAMSIZ];
    short rule;
    u_short reason;
    u_short action;
    u_short dir;
} PflogHdr;


/* OpenBSD 3.5 if_pflog.h: current format */
struct pfloghdr {
    u_int8_t      length;
    sa_family_t   af;
    u_int8_t      action;
    u_int8_t      reason;
    char          ifname[IFNAMSIZ];
    char          ruleset[PFLOG_RULESET_NAME_SIZE];
    u_int32_t     rulenr;
    u_int32_t     subrulenr;
    u_int8_t      dir;
    u_int8_t      pad[3];
};

/* XXX remove later when old format logs are no longer needed */
struct old_pfloghdr {
    u_int32_t af;
    char      ifname[IFNAMSIZ];
    short     rnr;
    u_short   reason;
    u_short   action;
    u_short   dir;
};
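As an added illustration (this is not code from Snort or from OpenBSD's if_pflog.h), the program below lays out both header formats quoted above, builds a constructed new-format header in host byte order, and parses it first correctly and then the way a decoder still expecting the old layout would. It assumes IFNAMSIZ and PFLOG_RULESET_NAME_SIZE are both 16 and that sa_family_t is one byte, as in the OpenBSD 3.5 headers; check those against your own if_pflog.h. The `looks_like_new_format` check is a heuristic I added, not something either project ships.

```c
/* Added example: why a decoder built around the old pfloghdr misreads
 * the current one. Struct layouts follow OpenBSD 3.5's if_pflog.h as
 * quoted in the post; the constants below are assumed from those headers. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IFNAMSIZ 16                 /* standard <net/if.h> value */
#define PFLOG_RULESET_NAME_SIZE 16  /* assumed: OpenBSD if_pflog.h value */
#define AF_INET 2

/* Current format: 48 bytes, naturally aligned, so no compiler padding. */
struct pfloghdr {
    uint8_t  length;     /* header length in bytes, written by the kernel */
    uint8_t  af;         /* sa_family_t is one byte on OpenBSD */
    uint8_t  action;
    uint8_t  reason;
    char     ifname[IFNAMSIZ];
    char     ruleset[PFLOG_RULESET_NAME_SIZE];
    uint32_t rulenr;
    uint32_t subrulenr;
    uint8_t  dir;
    uint8_t  pad[3];
};

/* Old format, which is what Snort 2.2.0/2.3.0rc1's PflogHdr matches: 28 bytes. */
struct old_pfloghdr {
    uint32_t af;
    char     ifname[IFNAMSIZ];
    short    rnr;
    uint16_t reason;
    uint16_t action;
    uint16_t dir;
};

/* Constructed sample input (not a captured log): a new-format header for a
 * passed inbound packet on em0 matching rule 7, in host byte order. */
size_t build_sample_new_header(uint8_t *buf, size_t cap)
{
    struct pfloghdr h;
    if (cap < sizeof h) return 0;
    memset(&h, 0, sizeof h);
    h.length = (uint8_t)sizeof h;   /* 48 */
    h.af = AF_INET;
    h.action = 0;                   /* PF_PASS */
    h.reason = 0;                   /* PFRES_MATCH */
    strncpy(h.ifname, "em0", IFNAMSIZ - 1);
    h.rulenr = 7;
    h.subrulenr = 0;
    h.dir = 1;                      /* PF_IN */
    memcpy(buf, &h, sizeof h);
    return sizeof h;
}

/* Parse as the current format. Returns 0 on success, -1 if the buffer is
 * too short or the self-describing length byte does not match our struct. */
int parse_new(const uint8_t *buf, size_t len, struct pfloghdr *out)
{
    if (len < sizeof *out) return -1;
    memcpy(out, buf, sizeof *out);
    if (out->length != sizeof *out) return -1;
    return 0;
}

/* Parse the same bytes as the old format, the way Snort's decoder does. */
int parse_old(const uint8_t *buf, size_t len, struct old_pfloghdr *out)
{
    if (len < sizeof *out) return -1;
    memcpy(out, buf, sizeof *out);
    return 0;
}

/* Heuristic a decoder can run before trusting either layout: the new header
 * starts with its own length byte, the old one with a 32-bit af value. */
int looks_like_new_format(const uint8_t *buf, size_t len)
{
    return len >= sizeof(struct pfloghdr) && buf[0] == sizeof(struct pfloghdr);
}

int main(void)
{
    uint8_t buf[64];
    struct pfloghdr n;
    struct old_pfloghdr o;
    size_t len = build_sample_new_header(buf, sizeof buf);

    if (parse_new(buf, len, &n) == 0)
        printf("new: af=%u action=%u ifname=%s rule=%u dir=%u\n",
               n.af, n.action, n.ifname, n.rulenr, n.dir);
    if (parse_old(buf, len, &o) == 0)
        /* The old af field now spans {length, af, action, reason}. ifname
         * happens to sit at offset 4 in both layouts, but rnr, reason,
         * action and dir are read out of the ruleset name bytes. */
        printf("old-format misread: af=%u ifname=%s rnr=%d dir=%u\n",
               o.af, o.ifname, o.rnr, o.dir);
    return 0;
}
```

Running it shows the address family, rule number and direction coming out wrong from the old-format parse while the interface name survives by coincidence of offsets; a decoder that checks the leading length byte against the struct it knows can at least refuse to decode a header it does not understand instead of emitting garbage.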

