Re: [Snort-users] monitoring pflog0 on obsd

On 08 Oct 2003, MH wrote:
> When you monitor pflogd, you use tcpdump.
>
> tcpdump -ni pflog0
>
> You will see a warning about an ip address not being
> assigned, that's normal because there isn't. :)

He should be able to use anything that reads raw network streams, which snort is capable of doing just like tcpdump. Ultimately, I just think his snort is not seeing packets which cause any alerts. There is no intrinsic connection between OpenBSD's pf and snort, so just because the firewall drops a packet doesn't mean snort will generate an alert.

--
Mark Nipper
Computing and Information Services
Texas A&M University
College Station, TX 77843-3142
(979)575-3193
e-contacts: nipsy@tamu.edu, http://ops.tamu.edu/nipsy/
AIM/Yahoo: texasnipsy
ICQ: 66971617
MSN: nipsy@tamu.edu