[Snort-users] Snort/ipfw daq doesn't drop packets under OpenBSD

Driton Belushi dritonbelushi at ...11491...
Fri Apr 19 13:07:37 EDT 2013

Hi @snort-users,

I'm trying to run Snort as an IPS under OpenBSD 5.3-current.
I see the packets which are diverted by PF in Snort and also in the alert file.
But Snort doesn't drop packets although they match the rules; it only logs them to the alert file.
I supply my config files and logs. Also, I can send anything related to this issue.

Snort config

# cat /etc/rc.d/snort

# $OpenBSD: snort.rc,v 1.1 2012/10/11 02:40:48 lteo Exp $

daemon="/usr/local/bin/snort -D -Q -k none"
daemon_flags="-c /etc/snort/snort.conf -u root -g wheel -t /var/snort -l /var/snort/log"

. /etc/rc.d/rc.subr

rc_cmd $1

# cat /etc/snort/rules/custom.rules

drop icmp any any -> any any (msg:"ICMP Testing Rule"; sid:1000001; rev:1;)
drop tcp any any -> any 80 (msg:"TCP Testing Rule"; sid:1000002; rev:1;)

Alert file

# uname -a
OpenBSD snort.test.com 5.3 GENERIC.MP#127 i386

# snort --daq-dir /usr/local/lib/daq/ --daq-list
Available DAQ modules:
pcap(v3): readback live multi unpriv
ipfw(v2): live inline multi unpriv
dump(v1): readback live inline multi unpriv

# snort -V

 ,,_ -*> Snort! <*-
 o" )~ Version GRE (Build 69)
 '''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
 Copyright (C) 1998-2013 Sourcefire, Inc., et al.
 Using OpenBSD libpcap
 Using PCRE version: 8.32 2012-11-30
 Using ZLIB version: 1.2.3

Can anyone help with this issue please?

Best regards
Driton Belushi
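As an added example (not code from the post, from Snort or from the OpenBSD port): the daemon line above selects no DAQ with `--daq`, and the `--daq-list` output shows that only ipfw and dump carry the inline capability, so the first thing a practitioner checks is which DAQ Snort actually loads. The script below resolves the effective DAQ the way Snort does (a command-line `--daq` overrides `config daq:` in snort.conf, and pcap is the default when neither is given), tests it against the `--daq-list` output, and prints the PF `divert-packet` and rc.d fragments an inline setup needs. The port 8000, the interface `em0` and the snort.conf contents are assumptions; the post does not include snort.conf.

```shell
#!/bin/sh
# Added example, not part of the original post or of the Snort/OpenBSD
# packages: a preflight check for whether a Snort command line and snort.conf
# select an inline-capable DAQ, plus the PF and rc.d fragments an inline
# deployment on OpenBSD needs.  Assumptions: port 8000 and interface em0 are
# placeholders; the snort.conf body is constructed (the post omits it);
# "--daq X" on the command line overrides "config daq: X" in snort.conf and
# Snort falls back to pcap when neither is present.

# Print the effective DAQ module name for a command line and a snort.conf body.
effective_daq() {
    cmdline=$1
    conf=$2
    # Match "--daq NAME" or "--daq=NAME" only; "--daq-dir", "--daq-var" and
    # "--daq-list" do not match because a "-" follows "--daq" there.
    d=$(printf '%s\n' "$cmdline" | sed -n 's/.*--daq[ =]\([A-Za-z0-9_]*\).*/\1/p')
    if [ -z "$d" ]; then
        # Last "config daq: NAME" line wins, as later directives override earlier ones.
        d=$(printf '%s\n' "$conf" \
            | sed -n 's/^[[:space:]]*config[[:space:]]*daq[[:space:]]*:[[:space:]]*\([A-Za-z0-9_]*\).*/\1/p' \
            | tail -n 1)
    fi
    [ -z "$d" ] && d=pcap
    printf '%s\n' "$d"
}

# Succeed when the --daq-list output lists MODULE with the "inline" capability.
daq_is_inline() {
    module=$1
    daqlist=$2
    printf '%s\n' "$daqlist" | grep -q "^${module}(v[0-9]*):.* inline"
}

# Return 0 when drop rules can be enforced: -Q given and the effective DAQ is
# inline-capable; otherwise say why and return 1.  (-Q is expected as its own
# argument, as in the rc.d daemon line; a combined "-DQ" is not recognised.)
inline_ready() {
    cmdline=$1
    conf=$2
    daqlist=$3
    case " $cmdline " in
        *" -Q "*) ;;
        *) echo "not inline: -Q is missing"; return 1 ;;
    esac
    d=$(effective_daq "$cmdline" "$conf")
    if daq_is_inline "$d" "$daqlist"; then
        echo "inline: daq=$d is inline-capable"
        return 0
    fi
    echo "not inline: effective daq=$d lacks the inline capability; drop rules can only alert"
    return 1
}

# PF and rc.d fragments for an inline deployment (constructed; adjust the
# interface, the port and the DAQ directory to the host).
print_inline_config() {
    cat <<'EOF'
# /etc/pf.conf: divert both directions to the divert(4) socket Snort binds
pass in  quick on em0 divert-packet port 8000
pass out quick on em0 divert-packet port 8000

# /etc/rc.d/snort: select the ipfw DAQ explicitly and point it at that port
daemon="/usr/local/bin/snort -D -Q -k none --daq-dir /usr/local/lib/daq --daq ipfw --daq-var port=8000"
daemon_flags="-c /etc/snort/snort.conf -u root -g wheel -t /var/snort -l /var/snort/log"
EOF
}

# Constructed inputs: the daemon line and --daq-list output from the post, with
# an empty snort.conf (assumption: it sets no "config daq:" itself).
POSTED_CMD='/usr/local/bin/snort -D -Q -k none -c /etc/snort/snort.conf -u root -g wheel -t /var/snort -l /var/snort/log'
FIXED_CMD="$POSTED_CMD --daq-dir /usr/local/lib/daq --daq ipfw --daq-var port=8000"
DAQ_LIST='pcap(v3): readback live multi unpriv
ipfw(v2): live inline multi unpriv
dump(v1): readback live inline multi unpriv'

# Posted line: pcap is inferred, so nothing can be dropped.  Fixed line: ipfw.
inline_ready "$POSTED_CMD" "" "$DAQ_LIST" || true
inline_ready "$FIXED_CMD" "" "$DAQ_LIST"
print_inline_config
```

On the sensor itself the runtime checks are the per-rule counters from `pfctl -v -s rules` on the two `divert-packet` rules and a `ping` through the box while the ICMP drop rule is loaded; if the counters rise but the ping still answers, Snort is reinjecting the packets rather than dropping them.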