Hello Misc, I've installed Snort on OpenBSD 4.9 from source and everything installed fine. When I configure the following rules I see alerts generated:
# cat /etc/snort/snort.conf
include /etc/snort/rules/icmp.rules

# cat /etc/snort/rules/icmp.rules
alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)

/usr/local/bin/snort --daq-dir /usr/local/lib/daq -c /etc/snort/snort.conf -l /var/log/snort -i fxp1

So when I ping the outside interface I get the following in /var/log/snort/alert:

[**] [1:477:3] ICMP Packet [**]
[Priority: 0]
09/07-10:30:08.599075 xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx
ICMP TTL:113 TOS:0x20 ID:25441 IpLen:20 DgmLen:28
Type:8  Code:0  ID:512   Seq:26063  ECHO

So I know snort can see packets. Even though I have icmp blocked on the outside interface it still logs it. When I download and load the snort rules from the snort site nothing happens. The logfile sits empty. Has anyone successfully installed snort on openbsd and logged data?
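The multi-line alert record quoted in the post is Snort's "full" alert layout, and when you are trying to work out which downloaded rules actually fire (as opposed to the single hand-written icmp rule above), it helps to turn that file into structured records and count hits per generator/signature id. The parser below is an added example written for this post, not the poster's code and not part of Snort; the sample log is constructed to mimic the format shown above, with documentation-range placeholder addresses and a hypothetical TCP rule (sid 1000001) added so the endpoint parsing with ports is exercised too.

```python
import re
from collections import Counter

# Constructed sample in the layout of /var/log/snort/alert seen in the post.
# Addresses are documentation-range placeholders; sid 1000001 is hypothetical.
SAMPLE_ALERT_LOG = """\
[**] [1:477:3] ICMP Packet [**]
[Priority: 0]
09/07-10:30:08.599075 192.0.2.10 -> 198.51.100.5
ICMP TTL:113 TOS:0x20 ID:25441 IpLen:20 DgmLen:28
Type:8  Code:0  ID:512   Seq:26063  ECHO

[**] [1:477:3] ICMP Packet [**]
[Priority: 0]
09/07-10:30:09.601204 192.0.2.10 -> 198.51.100.5
ICMP TTL:113 TOS:0x20 ID:25442 IpLen:20 DgmLen:28
Type:8  Code:0  ID:512   Seq:26319  ECHO

[**] [1:1000001:1] Hypothetical TCP rule [**]
[Priority: 2]
09/07-10:31:15.000001 203.0.113.7:51000 -> 198.51.100.5:22
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF
"""

# [**] [gid:sid:rev] message [**]
HEADER_RE = re.compile(r'^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$')
# "[Priority: N]" may share a line with "[Classification: ...]", so search it
PRIORITY_RE = re.compile(r'\[Priority: (\d+)\]')
# timestamp src[:port] -> dst[:port]
FLOW_RE = re.compile(r'^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$')
# PROTO TTL:n ...
PROTO_RE = re.compile(r'^(ICMP|TCP|UDP) TTL:(\d+)')
# ICMP detail line: Type:n  Code:n ...
ICMP_RE = re.compile(r'^Type:(\d+)\s+Code:(\d+)')


def _split_endpoint(endpoint):
    """Split 'ip:port' into (ip, port); ICMP endpoints carry no port (IPv4 only)."""
    host, sep, port = endpoint.rpartition(':')
    if sep and port.isdigit():
        return host, int(port)
    return endpoint, None


def parse_alerts(text):
    """Parse a Snort full-format alert file into a list of dicts, one per record."""
    records = []
    # Records are separated by a blank line
    for chunk in re.split(r'\n\s*\n', text.strip()):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if not lines:
            continue
        head = HEADER_RE.match(lines[0])
        if not head:
            continue  # not an alert header; ignore stray text
        rec = {
            'gid': int(head.group(1)), 'sid': int(head.group(2)),
            'rev': int(head.group(3)), 'msg': head.group(4),
            'priority': None, 'timestamp': None,
            'src': None, 'sport': None, 'dst': None, 'dport': None,
            'proto': None, 'ttl': None, 'icmp_type': None, 'icmp_code': None,
        }
        for ln in lines[1:]:
            pm = PRIORITY_RE.search(ln)
            if pm:
                rec['priority'] = int(pm.group(1))
                continue
            fm = FLOW_RE.match(ln)
            if fm:
                rec['timestamp'] = fm.group(1)
                rec['src'], rec['sport'] = _split_endpoint(fm.group(2))
                rec['dst'], rec['dport'] = _split_endpoint(fm.group(3))
                continue
            prm = PROTO_RE.match(ln)
            if prm:
                rec['proto'] = prm.group(1)
                rec['ttl'] = int(prm.group(2))
                continue
            im = ICMP_RE.match(ln)
            if im:
                rec['icmp_type'] = int(im.group(1))
                rec['icmp_code'] = int(im.group(2))
        records.append(rec)
    return records


def count_by_sid(records):
    """Count alerts per (gid, sid): a quick view of which rules are firing."""
    return Counter((r['gid'], r['sid']) for r in records)


if __name__ == '__main__':
    recs = parse_alerts(SAMPLE_ALERT_LOG)
    for (gid, sid), n in count_by_sid(recs).most_common():
        msg = next(r['msg'] for r in recs if (r['gid'], r['sid']) == (gid, sid))
        print(f'{gid}:{sid}  {n:4d}  {msg}')
```

Running it over a real alert file (read the file into a string and pass it to parse_alerts) gives a per-rule hit count, which is a faster way to confirm that a freshly loaded ruleset is producing anything than scrolling the raw log; an empty result from a non-empty file usually means the file is in a different output format, not that no rule fired.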