Re: [Snort-users] monitoring pflog0 on obsd

This is a discussion on Re: [Snort-users] monitoring pflog0 on obsd within the Snort forums, part of the System Security and Security Related category; Hi Shawn, One thing to point out is that pflogd has a snaplen of 96 by default. You are not ...


Go Back   Usenet Forums > System Security and Security Related > Snort

Reload this Page Re: [Snort-users] monitoring pflog0 on obsd

FAQ Members List Calendar Search Today's Posts Mark Forums Read

Reply

 

LinkBack Thread Tools Display Modes
  #1 (permalink)  
Old 10-09-2003
MH
 
Posts: n/a
Default Re: [Snort-users] monitoring pflog0 on obsd
Hi Shawn,

One thing to point out is that pflogd has a snaplen of
96 by default. You are not capturing enough of the packet
to trip your snort rules. Reset pflogd to a snaplen of 1500.

Hope this helps,
Mike

On Wed, Oct 08, 2003 at 03:41:31PM -0700, Shawn Posthumus wrote:
>
> --- MH <procana@insight.rr.com> wrote:
> > Hi Shawn,
> >
> > When you monitor pflogd, you use tcpdump.
> >
> > tcpdump -ni pflog0
> >
> > You will see a warning about an ip address not being
> > assigned, that's normal because there isn't. :)
> >
> > Hope this helps,
> > Mike
> >
> >
>
> I realize this. But the snort faq states the following:
>
> >>>In general it sees everything the network adapter driver sees before the
> >>>network stack munges it. Linux IPTables, Linux IPChains, BSD PF and IPF and
> >>>other packet filters do not prevent snort from seeing a packet that is
> >>>present on the network wire.
> >>>Even if an inbound packet is denied by the packet filter Snort will still
> see >>>and analyze the packet if it is listening to that interface. Snort/pcap
> sees >>>whatever comes out of or goes into the network adapter.
> >>>...
> >>>...
> >>>Under OpenBSD you can snort just the PF rejects by using the /dev/pflogN
> >>>interface.
> >>>
>
> In this case I should be able to pick up the attacks pf dropped by snort. From
> a remote box I ran port scans and simple web based attacks that I knew snort is
> configured for, but its not alerting, while tcpdump -netttr /var/log/pflog
> shows everything.
>
> I am now currently trying snort on my $ext_if, since the above section on faq
> says that if snort and firewall are on same machine, it can pick up any packet
> on the wire before pf takes action.
>
> Shawn
>
>
>
> __________________________________
> Do you Yahoo!?
> The New Yahoo! Shopping - with improved product search
> http://shopping.yahoo.com


-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
SourceForge.net hosts over 70,000 Open Source Projects.
See the people who have HELPED US provide better services:
Click here: http://sourceforge.net/supporters.php
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users
Reply With Quote
Reply

« Previous Thread | Next Thread »

Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
vB code is On
Smilies are Off
[IMG] code is Off
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On



All times are GMT +1. The time now is 12:56 PM.

Contact Us - Usenet Forums - Archive - Top

Powered by vBulletin® Version 3.6.8
Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO 3.0.0