
List:       snort-users
Subject:    Re: [Snort-users] Snort dont understand pf (openbsd) format
From:       kiko () async ! com ! br (Christian Robottom Reis)
Date:       2004-11-30 18:18:21
Message-ID: 20041130181821.GO5665 () async ! com ! br

On Tue, Nov 30, 2004 at 11:44:03AM -0500, Matt Kettler wrote:
> >I'm not sure which version of OpenBSD changed the format, but there is a 
> >new and an old format in OpenBSD 3.5's if_pflog.h. Snort's handling code 
> >matches the old format.
> 
> Did a bit of digging. snort's pflog format matches the one used by OpenBSD 
> 3.3, but not 3.4 or newer
> 
> http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_pflog.h

Thanks Matt. I was almost sure there was a real issue there; we had
done testing on OpenBSD before and I had seen the results.

> rev 1.7 was used in 3.3 and only has one pflog header format.
> 
> Rev 1.8 introduced the change.
> 
> It appears that the old format goes with bpf.h's datalink type DLT_OLD_PFLG 
> (17), but the new one goes with DLT_PFLOG (117). Unfortunately, in OpenBSD 
> 3.3 the old format is DLT_PFLOG (17).
> 
> Probably need to do some weird ifdefs to properly patch snort to deal with 
> both old and new systems. If DLT_OLD_PFLG isn't defined, it's the only 
> pflog format, if it is, you can support both old and new.

Okay, so either we get some diffs moving or we get the clients to
downgrade OpenBSD. Fun, fun.

Let's see if I can convince Breno to hack some snort code, and maybe we
will have some patches against head to get us going. It is certainly an
unexpected error, and I thought more people would have run into it, but
maybe not.

Take care,
--
Christian Robottom Reis | http://async.com.br/~kiko/ | [+55 16] 3361 2331
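Editor's added example (not code from this thread, from Snort or from
OpenBSD): a small decoder that does what Matt's quoted note suggests,
selecting the pflog header layout by the DLT value rather than by the OS
release, since the number 17 means the old struct on both OpenBSD 3.3
(where the macro is named DLT_PFLOG) and 3.4+ (where it is named
DLT_OLD_PFLOG), while 117 means the new struct. The two struct layouts
below are reconstructed from if_pflog.h rev 1.7 and rev 1.8 as I remember
them and are an assumption, as are host byte order for the multi-byte
fields and the 4-byte BPF alignment of the new header; the sample frames
are constructed, not captured. Feeding a new-format frame to the old-struct
path is exactly the misparse the thread describes, so the decoder refuses
to guess and returns -1 for anything that does not fit.

```c
/* pflog_decode.c - decode both pflog link-layer header layouts by DLT.
 * Added example, not Snort or OpenBSD code. Struct layouts are assumed
 * (reconstructed from if_pflog.h rev 1.7 vs 1.8); sample frames are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DLT_OLD_PFLOG 17   /* libpcap name; OpenBSD 3.3 calls this same number DLT_PFLOG */
#define DLT_PFLOG     117  /* OpenBSD 3.4+ / libpcap */
#define IFNAMSIZ 16
#define PF_RULESET_NAME_SIZE 16

/* Layout Snort's decoder was written against (OpenBSD 3.3, rev 1.7). Assumed. */
struct old_pfloghdr {
    uint32_t af;
    char     ifname[IFNAMSIZ];
    int16_t  rnr;
    uint16_t reason;
    uint16_t action;
    uint16_t dir;
};

/* Layout introduced by rev 1.8 (OpenBSD 3.4). Assumed. */
struct pfloghdr {
    uint8_t  length;     /* header length as written by the kernel */
    uint8_t  af;
    uint8_t  action;
    uint8_t  reason;
    char     ifname[IFNAMSIZ];
    char     ruleset[PF_RULESET_NAME_SIZE];
    uint32_t rulenr;
    uint32_t subrulenr;
    uint8_t  dir;
    uint8_t  pad[3];
};
#define PFLOG_REAL_HDRLEN offsetof(struct pfloghdr, pad)   /* 45 */

struct pflog_meta {
    int      fmt;        /* 0 = old layout, 1 = new layout */
    uint32_t af;
    uint32_t rulenr;
    uint16_t action, reason, dir;
    char     ifname[IFNAMSIZ + 1];
    size_t   hdrlen;     /* offset of the IP packet within the frame */
};

/* Returns 0 and fills *m on success; -1 for an unknown DLT or a truncated or
 * malformed header. The numeric DLT, not the OS version, selects the layout. */
int decode_pflog(int dlt, const uint8_t *buf, size_t len, struct pflog_meta *m)
{
    memset(m, 0, sizeof *m);
    if (dlt == DLT_OLD_PFLOG) {
        struct old_pfloghdr h;
        if (len < sizeof h) return -1;
        memcpy(&h, buf, sizeof h);             /* host byte order (assumed) */
        m->fmt = 0; m->af = h.af; m->rulenr = (uint32_t)h.rnr;
        m->action = h.action; m->reason = h.reason; m->dir = h.dir;
        memcpy(m->ifname, h.ifname, IFNAMSIZ); /* ifname need not be NUL-terminated */
        m->hdrlen = sizeof h;
        return 0;
    }
    if (dlt == DLT_PFLOG) {
        struct pfloghdr h;
        if (len < PFLOG_REAL_HDRLEN) return -1;
        memcpy(&h, buf, PFLOG_REAL_HDRLEN);
        /* Assumed: kernel writes length = PFLOG_REAL_HDRLEN and the BPF tap pads to
         * a 4-byte boundary. Round up; reject lengths that are too small or that
         * would place the IP packet past the end of the capture. */
        size_t hl = ((size_t)h.length + 3) & ~(size_t)3;
        if (h.length < PFLOG_REAL_HDRLEN || hl > len) return -1;
        m->fmt = 1; m->af = h.af; m->rulenr = h.rulenr;
        m->action = h.action; m->reason = h.reason; m->dir = h.dir;
        memcpy(m->ifname, h.ifname, IFNAMSIZ);
        m->hdrlen = hl;
        return 0;
    }
    return -1;
}

/* Constructed sample frames: a pflog header followed by a minimal IPv4 header. */
static const uint8_t ipv4_stub[20] = { 0x45, 0, 0, 20, 0, 0, 0x40, 0, 64, 6, 0, 0,
                                       10, 0, 0, 1, 10, 0, 0, 2 };

size_t build_old_sample(uint8_t *buf)
{
    struct old_pfloghdr h = { .af = 2, .rnr = 3, .reason = 0, .action = 1, .dir = 1 };
    memcpy(h.ifname, "pflog0", 7);
    memcpy(buf, &h, sizeof h);
    memcpy(buf + sizeof h, ipv4_stub, sizeof ipv4_stub);
    return sizeof h + sizeof ipv4_stub;                 /* 28 + 20 */
}

size_t build_new_sample(uint8_t *buf)
{
    struct pfloghdr h = { .length = PFLOG_REAL_HDRLEN, .af = 2, .action = 1,
                          .reason = 0, .rulenr = 3, .subrulenr = (uint32_t)-1, .dir = 1 };
    memcpy(h.ifname, "pflog0", 7);
    memcpy(buf, &h, sizeof h);                          /* includes the 3 pad bytes */
    memcpy(buf + sizeof h, ipv4_stub, sizeof ipv4_stub);
    return sizeof h + sizeof ipv4_stub;                 /* 48 + 20 */
}

int main(void)
{
    uint8_t frame[128]; struct pflog_meta m;
    size_t n = build_old_sample(frame);
    if (decode_pflog(DLT_OLD_PFLOG, frame, n, &m) == 0)
        printf("old: if=%s rule=%u ip-offset=%zu\n", m.ifname, m.rulenr, m.hdrlen);
    n = build_new_sample(frame);
    if (decode_pflog(DLT_PFLOG, frame, n, &m) == 0)
        printf("new: if=%s rule=%u ip-offset=%zu\n", m.ifname, m.rulenr, m.hdrlen);
    return 0;
}
```

The practical point for a Snort patch along these lines: the dispatch key
is the datalink type pcap reports for the capture, so a build on a 3.3 box
(where only the 17/old pair exists) and a build on 3.4+ (where 17 is old
and 117 is new) both end up on the right struct, which is the ifdef
arrangement Matt sketches above.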

