On 2006/12/06 22:18, Alexander Zatserkovniy wrote:
> Olaf Schreck wrote:
>
> >> I'm a novice with OpenBSD and, maybe,
> >> snort -i pflog0
> >> is a kind of bad practice? Or is it a known problem with OpenBSD 4.0?
> >
> > Won't work. Although pflog does create pcap-style output, it is not
> > data that would make sense to snort.

the rest of the packets are still there, just prepended by a pflog header
holding rule, interface, etc: see pflog(4). snort could be taught to strip
it off, just like tcpdump knows how to.

  sys/net/if_pflog.h
  usr.sbin/tcpdump/print-pflog.c

> I do it, but the external interface is bge0 (GigabitEthernet) and there are
> three universities (GigEth) and an Internet link (10Mbit/s). I can't parse
> GE on the host (just two Xeon 2.4GHz) but I can select Internet traffic
> via pf and want to parse it. I use pflog data "log (all)".

good idea, and with -current you can have multiple pflog interfaces which
you might find useful too.
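To show what "stripping the pflog header off" means in practice, here is an added example (not code from this thread, from OpenBSD or from snort) that reads a DLT_PFLOG pcap file, decodes the pflog header the way print-pflog.c does and hands back the bare IP packet. It assumes the 48-byte struct pfloghdr layout of that era (length, af, action, reason, ifname, ruleset, rulenr, subrulenr, dir, pad) with rulenr/subrulenr in network byte order; later releases append more fields, which the length byte still skips correctly but this code does not decode. The single-record pcap at the bottom is constructed, not a real capture.

```python
import socket
import struct

DLT_PFLOG = 117  # pcap link type of a pflog(4) capture

# Assumed layout of the 4.0-era struct pfloghdr (sys/net/if_pflog.h):
# length, af, action, reason (1 byte each), ifname[16], ruleset[16],
# rulenr, subrulenr (u32, network byte order), dir (1 byte), pad[3] = 48 bytes.
PFLOGHDR = struct.Struct(">BBBB16s16sIIB3x")
ACTIONS = {0: "pass", 1: "block"}
DIRS = {0: "inout", 1: "in", 2: "out"}

def decode_pflog_pcap(data):
    """Return one dict per record: the pflog metadata plus the inner packet."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != 0xA1B2C3D4 or linktype != DLT_PFLOG:
        raise ValueError("expected a little-endian pcap with DLT_PFLOG (117)")
    records, off = [], 24
    while off + 16 <= len(data):
        _sec, _usec, caplen, _wirelen = struct.unpack("<IIII", data[off:off + 16])
        rec = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        # The first byte is the header length; round it up to a 4-byte boundary as
        # tcpdump's print-pflog.c does (BPF_WORDALIGN), so longer headers also work.
        hdrlen = (rec[0] + 3) & ~3
        if hdrlen < PFLOGHDR.size or hdrlen > len(rec):
            raise ValueError("bad pflog header length %d" % rec[0])
        _len, af, action, reason, ifname, ruleset, rulenr, subrulenr, dir_ = PFLOGHDR.unpack_from(rec)
        records.append({
            "af": af, "action": ACTIONS.get(action, action), "reason": reason,
            "ifname": ifname.split(b"\0", 1)[0].decode(),
            "ruleset": ruleset.split(b"\0", 1)[0].decode(),
            "rulenr": rulenr,
            "subrulenr": None if subrulenr == 0xFFFFFFFF else subrulenr,  # -1: no anchor
            "dir": DIRS.get(dir_, dir_),
            "packet": rec[hdrlen:],  # the bare IP packet an IDS would want
        })
    return records

def ipv4_endpoints(pkt):
    """Source and destination of the inner IPv4 packet, proving the header is gone."""
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])

# Constructed sample: a 28-byte IPv4/UDP packet passed in on bge0 by rule 5,
# wrapped as a single-record pflog pcap (not a real capture).
_IP = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                  socket.inet_aton("192.0.2.1"), socket.inet_aton("198.51.100.7"))
_IP += struct.pack(">HHHH", 40000, 53, 8, 0)
_HDR = PFLOGHDR.pack(45, 2, 0, 0, b"bge0", b"", 5, 0xFFFFFFFF, 1)  # AF_INET=2, PF_IN=1
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_PFLOG)
               + struct.pack("<IIII", 1165443480, 0, len(_HDR) + len(_IP), len(_HDR) + len(_IP))
               + _HDR + _IP)
```

The header's length byte is set to 45 here because the kernel records the length up to the pad field, which is why the word-alignment step matters before slicing off the packet.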