Snort mailing list archives
Re: Snort dont understand pf (openbsd) format
From: kiko () async com br (Christian Robottom Reis)
Date: Wed, 1 Dec 2004 08:36:18 -0200
On Tue, Nov 30, 2004 at 08:11:59PM -0700, Sean Brown wrote:
> Hmm... from looking at the snort code, snort is using the old pf log header format, not the current one... I thought it might be but I'm not qualified to say. Any hope of getting a fix in by 2.3 or is it too late for that? Is it as simple as putting the structure for the new log in place of the old one?
Breno and I hacked a patch for this yesterday. It's a rather crude patch
because it doesn't deal with:
- The fact that you may not have a `modern' libpcap on your system
(one that when linked to tcpdump can read a modern pf log; that's
a simple enough test -- freebsd's pftcpdump does work).
- Backwards-compatibility to old pf logs
We'd love to see it go into 2.3.x, of course -- we're relying on a
patched version of Snort for now, and that's not comfortable.
Does anyone have an idea on how likely acceptance of this is? Deadline?
We could get a cleaned up patch, of course. It would be helpful if
someone with an older OpenBSD box could provide us with a sample log so
we can try and be backwards-compatible (the header format has changed
significantly -- for instance, the address family field is now no longer
a 32-bit integer, so ntohl shouldn't be used in DecodePflog).
Take care,
--
Christian Robottom Reis | http://async.com.br/~kiko/ | [+55 16] 3361 2331
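The header change Christian describes (a one-byte length field followed by a one-byte address family, instead of a leading 32-bit family field) is the whole reason a decoder written for the old layout misreads the new one. The following C example is added here for illustration and is not part of the thread, the patch, or Snort's DecodePflog: it decodes the first fields of the newer pflog header byte-wise, bounds-checks the header length against the captured length before using it, and shows the garbage value an old-style decoder gets when it treats the same first four bytes as one 32-bit family field. The field layout and offsets are my recollection of OpenBSD's <net/if_pflog.h> at the time, and the AF_INET/AF_INET6 numbers are OpenBSD's (the capturing kernel's, not the decoding host's); treat both as assumptions to check against your own headers. The sample packet is constructed, not a real capture.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed layout of the newer pflog header (OpenBSD <net/if_pflog.h>):
 *   off 0: uint8_t  length      header length in bytes
 *   off 1: uint8_t  af          address family, ONE byte
 *   off 2: uint8_t  action
 *   off 3: uint8_t  reason
 *   off 4: char     ifname[16]
 *   ...    ruleset, rulenr, subrulenr, dir, pad (48 bytes in total) */
#define PFLOG_IFNAMSIZ   16
#define PFLOG_NEW_HDRLEN 48

/* OpenBSD's numeric address families (assumption: AF_INET6 is 24 on
 * OpenBSD, whereas Linux uses 10). The values in a pflog capture are
 * the capturing kernel's, so a decoder must not use the host's AF_*. */
#define OPENBSD_AF_INET  2
#define OPENBSD_AF_INET6 24

enum pflog_family { PFLOG_FAMILY_UNKNOWN = 0, PFLOG_FAMILY_IP4 = 4, PFLOG_FAMILY_IP6 = 6 };

struct pflog_result {
    int    ok;                         /* 1 if the header was accepted */
    int    family;                     /* enum pflog_family */
    size_t payload_off;                /* where the encapsulated IP packet starts */
    char   ifname[PFLOG_IFNAMSIZ + 1]; /* NUL-terminated copy of the interface name */
};

/* Decode the newer header format. Reads fields as bytes, never as a
 * 32-bit word, and refuses headers that would run past the capture. */
struct pflog_result decode_pflog_new(const uint8_t *pkt, size_t caplen)
{
    struct pflog_result r;
    memset(&r, 0, sizeof r);
    if (caplen < 2)
        return r;                      /* need at least length + af */
    size_t hdrlen = pkt[0];
    if (hdrlen < 4 || hdrlen > caplen)
        return r;                      /* truncated or malformed capture */
    switch (pkt[1]) {                  /* af is a single byte at offset 1 */
    case OPENBSD_AF_INET:  r.family = PFLOG_FAMILY_IP4; break;
    case OPENBSD_AF_INET6: r.family = PFLOG_FAMILY_IP6; break;
    default:               r.family = PFLOG_FAMILY_UNKNOWN; break;
    }
    if (hdrlen >= 4 + PFLOG_IFNAMSIZ) {
        memcpy(r.ifname, pkt + 4, PFLOG_IFNAMSIZ);
        r.ifname[PFLOG_IFNAMSIZ] = '\0';
    }
    r.payload_off = hdrlen;
    r.ok = 1;
    return r;
}

/* What a decoder written for the OLD header sees: it takes the first four
 * bytes as one big-endian 32-bit address family (the ntohl() reading).
 * On a new-format header that merges length, af, action and reason. */
uint32_t old_decoder_view_of_af(const uint8_t *pkt, size_t caplen)
{
    if (caplen < 4)
        return 0;
    return ((uint32_t)pkt[0] << 24) | ((uint32_t)pkt[1] << 16) |
           ((uint32_t)pkt[2] << 8) | (uint32_t)pkt[3];
}

/* Constructed sample: a new-format header on "em0" carrying an IPv4
 * packet (only the version/IHL byte of the payload is filled in). */
size_t build_sample_pflog(uint8_t *buf, size_t bufsz)
{
    const size_t total = PFLOG_NEW_HDRLEN + 20;
    if (bufsz < total)
        return 0;
    memset(buf, 0, total);
    buf[0] = PFLOG_NEW_HDRLEN;
    buf[1] = OPENBSD_AF_INET;
    buf[2] = 1;                        /* action (constructed value) */
    buf[3] = 0;                        /* reason (constructed value) */
    memcpy(buf + 4, "em0", 3);
    buf[PFLOG_NEW_HDRLEN] = 0x45;      /* IPv4, IHL 5 */
    return total;
}

/* Convenience wrappers so the sample can be checked without globals. */
struct pflog_result sample_decode(void)
{
    uint8_t buf[128];
    size_t n = build_sample_pflog(buf, sizeof buf);
    return decode_pflog_new(buf, n);
}

int sample_ifname_is(const char *name)
{
    struct pflog_result r = sample_decode();
    return r.ok && strcmp(r.ifname, name) == 0;
}

uint32_t sample_old_view(void)
{
    uint8_t buf[128];
    size_t n = build_sample_pflog(buf, sizeof buf);
    return old_decoder_view_of_af(buf, n);
}

int sample_truncated_rejected(void)
{
    uint8_t buf[128];
    build_sample_pflog(buf, sizeof buf);
    return decode_pflog_new(buf, 10).ok == 0;  /* hdrlen 48 > caplen 10 */
}

int main(void)
{
    struct pflog_result r = sample_decode();
    printf("ok=%d family=%d payload_off=%zu ifname=%s\n",
           r.ok, r.family, r.payload_off, r.ifname);
    printf("old-style 32-bit af read: 0x%08x\n", sample_old_view());
    return 0;
}
```

The bounds check on `length` is the part worth keeping whatever the final patch looks like: pflog files are attacker-influenced input to the sensor, and a header length that exceeds the captured length must be rejected rather than used as an offset.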
