[Snort-users] Snort doesn't understand pf (openbsd) format

Matt Kettler mkettler at ...4108...
Tue Nov 30 08:45:03 EST 2004


At 11:34 AM 11/30/2004, Matt Kettler wrote:
>At 01:15 AM 11/30/2004, Sean Brown wrote:
>>While originally the post was
>>about reading it on Linux, I have only ever tried it on OpenBSD and it has
>>never worked for me, neither reading the log file nor attaching
>>to /dev/pflog0 and so I added that I do not believe it is working. In 
>>fact, I
>>just tried it again with a config I know that works and it still does not
>>work.
>
>Hmm.. from looking at the snort code, snort is using the old pf log header 
>format, not the current one..
>
>I'm not sure which version of OpenBSD changed the format, but there is a 
>new and an old format in OpenBSD 3.5's if_pflog.h. Snort's handling code 
>matches the old format.

Did a bit of digging. snort's pflog format matches the one used by OpenBSD 
3.3, but not 3.4 or newer.

http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_pflog.h

rev 1.7 was used in 3.3 and only has one pflog header format.

Rev 1.8 introduced the change.

It appears that the old format goes with bpf.h's datalink type DLT_OLD_PFLG 
(17), but the new one goes with DLT_PFLOG (117). Unfortunately, in OpenBSD 
3.3 the old format is DLT_PFLOG (17).

Probably need to do some weird ifdefs to properly patch snort to deal with 
both old and new systems. If DLT_OLD_PFLG isn't defined, it's the only 
pflog format; if it is, you can support both old and new.

Fun eh?
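As an added illustration of the ifdef approach sketched above (this is not Snort's or OpenBSD's code, and it is not part of the original post): a decoder that picks the pflog header format by BPF datalink type, taking the "both formats" branch when DLT_OLD_PFLOG is defined and the "single old format" branch otherwise, and that bounds-checks the new format's kernel-supplied length byte before trusting it. The DLT fallback values (17 and 117) are the ones the post cites; the struct layouts, the PFLOG_* sizes and the make_sample_* captures are my assumptions and constructed data, not taken from the post, so check them against the if_pflog.h revision actually in use.

```c
/* Added example, not Snort or OpenBSD code. Struct layouts and sample
 * captures are assumptions/constructed data, not taken from the post. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* On OpenBSD these come from <net/bpf.h>; fallbacks use the values cited in
 * the post. With DLT_OLD_PFLOG defined, the "both formats" branch is taken. */
#ifndef DLT_PFLOG
#define DLT_PFLOG 117
#endif
#ifndef DLT_OLD_PFLOG
#define DLT_OLD_PFLOG 17
#endif

#define PFLOG_IFNAMSIZ     16    /* assumed: IFNAMSIZ */
#define PFLOG_RULESET_SIZE 16    /* assumed: PF_RULESET_NAME_SIZE */

struct old_pfloghdr {            /* assumed 3.3-era layout, 28 bytes */
    uint32_t af;
    char     ifname[PFLOG_IFNAMSIZ];
    int16_t  rnr;
    uint16_t reason, action, dir;
};

struct new_pfloghdr {            /* assumed 3.4+ layout, 48 bytes */
    uint8_t  length;             /* header length written by the kernel */
    uint8_t  af, action, reason;
    char     ifname[PFLOG_IFNAMSIZ];
    char     ruleset[PFLOG_RULESET_SIZE];
    uint32_t rulenr, subrulenr;
    uint8_t  dir;
    uint8_t  pad[3];
};
/* Smallest new-format header that still carries every field we read. */
#define NEW_PFLOG_MINLEN offsetof(struct new_pfloghdr, pad)

enum { PFLOG_FMT_OLD = 0, PFLOG_FMT_NEW = 1 };

struct pflog_info {
    int      format;
    unsigned af, action, dir;
    char     ifname[PFLOG_IFNAMSIZ + 1];
    size_t   hdrlen;             /* bytes to skip to reach the IP packet */
};

static int decode_old(const uint8_t *pkt, size_t len, struct pflog_info *out)
{
    struct old_pfloghdr h;
    if (len < sizeof h) return -2;           /* truncated capture */
    memcpy(&h, pkt, sizeof h);
    out->format = PFLOG_FMT_OLD;
    out->af = h.af; out->action = h.action; out->dir = h.dir;
    memcpy(out->ifname, h.ifname, PFLOG_IFNAMSIZ);
    out->ifname[PFLOG_IFNAMSIZ] = '\0';
    out->hdrlen = sizeof h;
    return 0;
}

static int decode_new(const uint8_t *pkt, size_t len, struct pflog_info *out)
{
    struct new_pfloghdr h;
    size_t hl;
    if (len < 1) return -2;
    hl = pkt[0];                             /* length is the first byte */
    /* Trust the kernel's length only if it covers the fields we read and
     * does not run past the captured bytes. */
    if (hl < NEW_PFLOG_MINLEN || hl > len) return -2;
    memset(&h, 0, sizeof h);
    memcpy(&h, pkt, hl < sizeof h ? hl : sizeof h);
    out->format = PFLOG_FMT_NEW;
    out->af = h.af; out->action = h.action; out->dir = h.dir;
    memcpy(out->ifname, h.ifname, PFLOG_IFNAMSIZ);
    out->ifname[PFLOG_IFNAMSIZ] = '\0';
    out->hdrlen = hl;
    return 0;
}

/* 0 on success, -1 for an unknown datalink type, -2 for a short/bad header. */
int decode_pflog(int dlt, const uint8_t *pkt, size_t len, struct pflog_info *out)
{
    switch (dlt) {
#ifdef DLT_OLD_PFLOG
    case DLT_OLD_PFLOG: return decode_old(pkt, len, out);  /* 3.4+: 17 */
    case DLT_PFLOG:     return decode_new(pkt, len, out);  /* 3.4+: 117 */
#else
    case DLT_PFLOG:     return decode_old(pkt, len, out);  /* 3.3: 17, only format */
#endif
    default:            return -1;
    }
}

/* Constructed sample captures: one header plus 4 placeholder payload bytes. */
size_t make_sample_old(uint8_t *buf, size_t cap)
{
    struct old_pfloghdr h = { .af = 2, .ifname = "em0", .rnr = 3, .action = 1, .dir = 1 };
    if (cap < sizeof h + 4) return 0;
    memcpy(buf, &h, sizeof h);
    memset(buf + sizeof h, 0x45, 4);
    return sizeof h + 4;
}

size_t make_sample_new(uint8_t *buf, size_t cap)
{
    struct new_pfloghdr h = { .length = NEW_PFLOG_MINLEN, .af = 2, .action = 1,
                              .ifname = "em0", .rulenr = 3, .dir = 1 };
    if (cap < (size_t)h.length + 4) return 0;
    memcpy(buf, &h, h.length);
    memset(buf + h.length, 0x45, 4);
    return (size_t)h.length + 4;
}
```

The dispatch is the whole point: on a 3.3 box only DLT_PFLOG exists and it means the old header, while on 3.4+ the old header moves to DLT_OLD_PFLOG and DLT_PFLOG means the new one, so the switch compiles differently on each. The length check in decode_new matters because the new header is variable-length and its size comes from the capture itself; an old-format buffer handed to the new decoder (or a truncated capture) is rejected rather than read past.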
