[Snort-users] Snort doesn't understand pf (OpenBSD) format

Matt Kettler mkettler at ...4108...
Tue Nov 30 08:45:03 EST 2004

At 11:34 AM 11/30/2004, Matt Kettler wrote:
>At 01:15 AM 11/30/2004, Sean Brown wrote:
>>While originally the post was
>>about reading it on Linux, I have only ever tried it on OpenBSD and it has
>>never worked for me, neither reading the log file nor attaching
>>to /dev/pflog0 and so I added that I do not believe it is working. In fact, I
>>just tried it again with a config I know that works and it still does not
>Hmm.. from looking at the snort code, snort is using the old pf log header 
>format, not the current one..
>I'm not sure which version of OpenBSD changed the format, but there is a 
>new and an old format in OpenBSD 3.5's if_pflog.h. Snort's handling code 
>matches the old format.

Did a bit of digging. Snort's pflog format matches the one used by OpenBSD 
3.3, but not 3.4 or newer.


rev 1.7 was used in 3.3 and only has one pflog header format.

Rev 1.8 introduced the change.

It appears that the old format goes with bpf.h's datalink type DLT_OLD_PFLG 
(17), but the new one goes with DLT_PFLOG (117). Unfortunately, in OpenBSD 
3.3 the old format is DLT_PFLOG (17).

Probably need to do some weird ifdefs to properly patch snort to deal with 
both old and new systems. If DLT_OLD_PFLG isn't defined, it's the only 
pflog format, if it is, you can support both old and new.

Fun eh?
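An added illustration of the two layouts discussed in this thread (this is example code, not Snort's decoder and not OpenBSD's if_pflog.h). It dispatches on the numeric libpcap link type (17 for the 3.3-era header, 117 for the 3.4+ header) rather than on whether DLT_OLD_PFLOG happens to be defined on the build host. The struct layouts are my reading of if_pflog.h for those releases and should be checked against the release you actually run: old = u_int32_t af, char ifname[16], short rnr, u_short reason/action/dir (28 bytes); new = u_int8_t length, sa_family_t af, u_int8_t action/reason, char ifname[16], char ruleset[16], u_int32_t rulenr/subrulenr, u_int8_t dir plus 3 bytes of padding (48 bytes), with the kernel assumed to store the header size in the length byte. Multi-byte fields are in the capturing host's byte order, so the code assumes it runs on that host, as Snort does when reading /dev/pflog0. The sample records are constructed inline.

```c
/* Added example, not Snort or OpenBSD code: decode both pflog header layouts. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DLT_OLD_PFLOG    17    /* OpenBSD 3.3 header; 3.3 itself called this DLT_PFLOG */
#define DLT_PFLOG        117   /* OpenBSD 3.4+ header, carries its own length byte */
#define PF_IFNAMSIZ      16
#define OLD_PFLOG_HDRLEN 28    /* assumed sizeof(struct old_pfloghdr) */
#define PFLOG_HDRLEN     48    /* assumed sizeof(struct pfloghdr) in 3.4/3.5 */

struct pflog_info {
    uint32_t af;
    char     ifname[PF_IFNAMSIZ + 1];
    uint32_t rulenr;
    uint32_t action;
    uint32_t dir;
};

/* Host-order field access; memcpy avoids unaligned loads. */
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void wr16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* Returns the offset of the IP packet behind the pflog header, or -1. */
int decode_pflog(int dlt, const uint8_t *pkt, size_t len, struct pflog_info *out)
{
    memset(out, 0, sizeof *out);
    switch (dlt) {
    case DLT_OLD_PFLOG:                   /* fixed 28-byte layout */
        if (len < OLD_PFLOG_HDRLEN) return -1;
        out->af     = rd32(pkt);
        memcpy(out->ifname, pkt + 4, PF_IFNAMSIZ);
        out->rulenr = rd16(pkt + 20);
        out->action = rd16(pkt + 24);
        out->dir    = rd16(pkt + 26);
        return OLD_PFLOG_HDRLEN;
    case DLT_PFLOG: {                     /* length byte first; trust it only if it fits */
        if (len < 1) return -1;
        size_t hlen = pkt[0];
        if (hlen < PFLOG_HDRLEN || hlen > len) return -1;
        out->af     = pkt[1];
        out->action = pkt[2];
        memcpy(out->ifname, pkt + 4, PF_IFNAMSIZ);
        out->rulenr = rd32(pkt + 36);
        out->dir    = pkt[44];
        return (int)hlen;
    }
    default:
        return -1;                        /* not a pflog link type */
    }
}

/* Constructed sample: 3.3-style record, inbound packet dropped by rule 7 on em0. */
static size_t build_old(uint8_t *buf)
{
    memset(buf, 0, OLD_PFLOG_HDRLEN + 20);
    wr32(buf, 2);                         /* AF_INET */
    memcpy(buf + 4, "em0", 3);
    wr16(buf + 20, 7);                    /* rnr */
    wr16(buf + 24, 1);                    /* action: drop */
    wr16(buf + 26, 1);                    /* dir: in */
    buf[OLD_PFLOG_HDRLEN] = 0x45;         /* first byte of an IPv4 header */
    return OLD_PFLOG_HDRLEN + 20;
}

/* Constructed sample: the same event in the 3.4+ layout. */
static size_t build_new(uint8_t *buf)
{
    memset(buf, 0, PFLOG_HDRLEN + 20);
    buf[0] = PFLOG_HDRLEN; buf[1] = 2; buf[2] = 1;   /* length, af, action */
    memcpy(buf + 4, "em0", 3);
    wr32(buf + 36, 7);                    /* rulenr */
    buf[44] = 1;                          /* dir */
    buf[PFLOG_HDRLEN] = 0x45;
    return PFLOG_HDRLEN + 20;
}

/* 1 if the record decodes to the fields the samples were built with. */
static int fields_ok(int dlt, const uint8_t *buf, size_t n, int want_off)
{
    struct pflog_info i;
    int off = decode_pflog(dlt, buf, n, &i);
    return off == want_off && i.af == 2 && i.rulenr == 7 && i.action == 1 &&
           i.dir == 1 && strcmp(i.ifname, "em0") == 0 && buf[off] == 0x45;
}

int check_old_format(void) { uint8_t b[64]; size_t n = build_old(b); return fields_ok(DLT_OLD_PFLOG, b, n, OLD_PFLOG_HDRLEN); }
int check_new_format(void) { uint8_t b[80]; size_t n = build_new(b); return fields_ok(DLT_PFLOG, b, n, PFLOG_HDRLEN); }
/* Applying the 3.3 layout to a 3.4+ record is the failure this thread describes. */
int check_old_decoder_on_new_record(void) { uint8_t b[80]; size_t n = build_new(b); return fields_ok(DLT_OLD_PFLOG, b, n, OLD_PFLOG_HDRLEN) == 0; }
int check_truncated(void) { uint8_t b[80]; struct pflog_info i; build_new(b); return decode_pflog(DLT_PFLOG, b, 30, &i) == -1; }

int main(void)
{
    printf("old=%d new=%d mismatch=%d truncated=%d\n", check_old_format(),
           check_new_format(), check_old_decoder_on_new_record(), check_truncated());
    return 0;
}
```

The point of the third check is the symptom from the thread: a 3.3-style decoder applied to a 3.4+ record returns an offset that lands inside the new header's ruleset field, so everything after it is parsed as garbage IP. In a real decoder, take the DLT from pcap_datalink() and add a case for any later header revision by its own length rather than hard-coding 48.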
