Olaf Schreck wrote:
>> I'm a novice with OpenBSD and, maybe,
>> snort -i pflog0
>> is a kind of bad practice? Or is it a known problem with OpenBSD 4.0?
>
> Won't work. Although pflog does create pcap style output, it is not
> data that would make sense to snort.
>
> Use real interfaces for snort (e.g. rl0, fxp1, whatever).
>
I do it, but the external interface is bge0 (GigabitEthernet), and there are three universities (GigEth) and an Internet link (10Mbit/s). I can't parse GE on the host (just two Xeon 2.4GHz), but I can select Internet traffic via pf and want to parse it. I use pflog data "log (all)".

Thanks!

Alexander Zatserkovniy