
I am trying OpenBSD 4.0 (i386 mp) as an IDS. The problem is:
snort -Dqp -c /etc/snort/snort.conf  -i pflog0
does not recognize the network traffic (it reports unknown packet types).

snort -r /var/log/pflog
does not recognize it either, but
tcpdump -r /var/log/pflog
tcpdump -pi pflog0
do.
Following the old mailing list threads (2004), I've set pflogd_flags='-s 1500',
but the situation hasn't changed.

I'm a novice with OpenBSD, and maybe
snort -i pflog0
is a kind of bad practice? Or is it a known problem with OpenBSD 4.0?
Is there a trick without overhead to put only selected traffic through userspace?

Alexander Zatserkovniy

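As an added example, not part of the post above: a small Python script that reads a pcap file whose link type is 117 (DLT_PFLOG), which is what pflog0 and /var/log/pflog produce, and decodes the pfloghdr that pflog prepends to every logged IP packet. A capture whose frames start with this header rather than an Ethernet header is exactly what a decoder that only knows DLT_EN10MB will report as an unknown packet type, while tcpdump, which has a pflog printer, shows the packets fine. The capture bytes are constructed inline for the demo; the 64-byte header layout and the assumption that the dir byte sits four bytes before the end of the header are mine, not from the post.

```python
"""Decode an OpenBSD pflog(4) capture (libpcap link type 117, DLT_PFLOG).

Added example for the snort/pflog question above; not code from the post.
Every pflog frame starts with a pfloghdr, not an Ethernet header, and the
IP packet begins at the offset given by the header's own 'length' byte.
"""
import socket
import struct

DLT_EN10MB = 1       # Ethernet, the link type most IDS decoders assume
DLT_PFLOG = 117      # OpenBSD pflog(4)
PCAP_MAGIC = 0xA1B2C3D4

PF_ACTIONS = {0: "pass", 1: "block"}     # PF_PASS, PF_DROP
PF_DIRS = {1: "in", 2: "out"}            # PF_IN, PF_OUT
AF_NAMES = {2: "inet", 24: "inet6"}      # AF_INET, AF_INET6 on OpenBSD


def read_pcap(data):
    """Return (linktype, [frame bytes, ...]) from an in-memory pcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a pcap file")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    frames, off = [], 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frames.append(data[off:off + incl_len])
        off += incl_len
    return linktype, frames


def parse_pfloghdr(frame):
    """Split one pflog frame into (fields, ip_packet).

    Offsets up to subrulenr are stable across pflog versions; the header's
    'length' byte says where the IP packet starts. Assumption: 'dir' is the
    byte just before the trailing 3 pad bytes, as in the 48- and 64-byte layouts.
    """
    length, af, action, reason = struct.unpack_from("BBBB", frame, 0)
    if length < 48 or length > len(frame):
        raise ValueError("bad pfloghdr length %d" % length)
    ifname = frame[4:20].split(b"\0", 1)[0].decode("ascii")
    ruleset = frame[20:36].split(b"\0", 1)[0].decode("ascii")
    rulenr, subrulenr = struct.unpack_from("!II", frame, 36)  # kernel uses htonl()
    fields = {
        "af": AF_NAMES.get(af, str(af)),
        "action": PF_ACTIONS.get(action, str(action)),
        "reason": reason,
        "ifname": ifname,
        "ruleset": ruleset,
        "rulenr": rulenr,
        "subrulenr": subrulenr,
        "dir": PF_DIRS.get(frame[length - 4], "?"),
    }
    return fields, frame[length:]


def describe_ip(pkt):
    """Minimal IPv4/IPv6 decode of the packet that follows the pfloghdr."""
    version = pkt[0] >> 4
    if version == 4:
        return pkt[9], socket.inet_ntop(socket.AF_INET, pkt[12:16]), socket.inet_ntop(socket.AF_INET, pkt[16:20])
    if version == 6:
        return pkt[6], socket.inet_ntop(socket.AF_INET6, pkt[8:24]), socket.inet_ntop(socket.AF_INET6, pkt[24:40])
    raise ValueError("payload is not an IP packet")


def decode_pflog_pcap(data):
    """Decode all frames of a DLT_PFLOG pcap into dicts (rule, verdict, 5-tuple parts)."""
    linktype, frames = read_pcap(data)
    if linktype != DLT_PFLOG:
        raise ValueError("link type %d is not DLT_PFLOG; frames would not start with a pfloghdr" % linktype)
    records = []
    for frame in frames:
        fields, pkt = parse_pfloghdr(frame)
        proto, src, dst = describe_ip(pkt)
        fields.update(proto=proto, src=src, dst=dst)
        records.append(fields)
    return records


def build_sample_pcap():
    """Constructed capture: one inbound TCP SYN to port 22 blocked on em0 by rule 3."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 22, 0, 0, 0x50, 0x02, 8192, 0, 0)
    ip = bytes([0x45, 0, 0, 40, 0, 0, 0x40, 0, 64, 6, 0, 0]) + bytes([10, 0, 0, 5]) + bytes([192, 168, 1, 1])
    pflog = (struct.pack("BBBB", 64, 2, 1, 0)         # length, AF_INET, PF_DROP, PFRES_MATCH
             + b"em0".ljust(16, b"\0") + b"\0" * 16  # ifname, ruleset (main)
             + struct.pack("!II", 3, 0xFFFFFFFF)     # rulenr, subrulenr (none)
             + b"\xff" * 16                          # uid, pid, rule_uid, rule_pid (unset)
             + bytes([1, 0, 0, 0]))                  # dir = PF_IN, pad[3]
    frame = pflog + ip + tcp
    return (struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 1500, DLT_PFLOG)
            + struct.pack("<IIII", 1160000000, 0, len(frame), len(frame)) + frame)


if __name__ == "__main__":
    for r in decode_pflog_pcap(build_sample_pcap()):
        print("rule %d/%s: %s %s on %s: %s > %s proto %d"
              % (r["rulenr"], r["ruleset"] or "main", r["action"], r["dir"], r["ifname"], r["src"], r["dst"], r["proto"]))
```

Run it against a real file with `decode_pflog_pcap(open("/var/log/pflog", "rb").read())` on the sensor; the first check worth doing when a tool rejects the capture is to read the link type at offset 20 of the file, since anything other than 117 (for example 1, Ethernet) means the frames are not laid out the way this decoder expects.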