On 2006/12/06 22:18, Alexander Zatserkovniy wrote:
> Olaf Schreck wrote:
> >> I'm a novice with OpenBSD and, maybe,
> >> snort -i pflog0
> >> is a kind of bad practice? Or is it a known problem with OpenBSD 4.0?
> > 
> > Won't work.  Although pflog does create pcap style output, it is not 
> > data that would make sense to snort.

the rest of the packets are still there, just prepended by a pflog header
holding rule, interface, etc: see pflog(4). snort could be taught to strip
it off, just like tcpdump knows how to.

sys/net/if_pflog.h
usr.sbin/tcpdump/print-pflog.c 

> I do it, but the external interface is bge0 (GigabitEthernet) and there are
> three universities (GigEth) and an Internet link (10Mbit/s). I can't parse
> GE on the host (just two Xeon 2.4GHz) but I can select Internet traffic
> via pf and want to parse it. I use pflog data "log (all)".

good idea, and with -current you can have multiple pflog interfaces
which you might find useful too.
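The point made above is that a pflog capture is ordinary pcap data with a fixed pflog header in front of each packet, and that header is self-describing: its first byte is its own length, padded to a 4-byte boundary, which is how tcpdump's print-pflog.c finds the inner IP packet. The following is an added example, not code from this thread or from OpenBSD, showing that stripping step with a few sanity checks (truncated records, a bogus length byte, unknown address family) so the result could safely be handed to an IP decoder such as snort's. It assumes the prefix layout of struct pfloghdr from OpenBSD 4.x (length, af, action, reason, ifname[16], ruleset[16], rulenr in network order) and that the kernel writes 61 into the length byte; check those against your own sys/net/if_pflog.h. The sample record is constructed, not a real capture.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed prefix of struct pfloghdr (sys/net/if_pflog.h), as prepended by pflog0.
 * Only the prefix up to rulenr is relied on; whatever follows (uid/pid fields in
 * newer headers, padding) is skipped via the self-describing length byte, the
 * same way tcpdump's print-pflog.c does it. Offsets assumed: 0 length, 1 af,
 * 2 action, 3 reason, 4 ifname[16], 20 ruleset[16], 36 rulenr (network order). */
#define PFLOG_IFNAMSIZ      16
#define PFLOG_RULESET_SIZE  16
#define PFLOG_RULENR_OFF    (4 + PFLOG_IFNAMSIZ + PFLOG_RULESET_SIZE)   /* 36 */
#define PFLOG_MIN_HDRLEN    (PFLOG_RULENR_OFF + 4)                       /* 40 */
#define PFLOG_REAL_HDRLEN   61   /* assumed value the 4.0 kernel puts in `length` */
#define PFLOG_AF_INET       2    /* OpenBSD AF_INET  */
#define PFLOG_AF_INET6      24   /* OpenBSD AF_INET6 */
#define PF_PASS             0
#define PF_DROP             1
#define BPF_WORDALIGN(x)    (((x) + 3u) & ~3u)

struct pflog_meta {
    uint8_t  length, af, action, reason;
    char     ifname[PFLOG_IFNAMSIZ + 1];
    uint32_t rulenr;
};

/* Strip the pflog header: fills *m and returns a pointer to the inner IP packet
 * (length in *inner_len), or NULL if the record is shorter than the minimum
 * header, claims a header that does not fit in the record, or carries an
 * address family an IP decoder could not handle. */
const uint8_t *pflog_strip(const uint8_t *rec, size_t reclen,
                           struct pflog_meta *m, size_t *inner_len)
{
    if (rec == NULL || reclen < PFLOG_MIN_HDRLEN || rec[0] < PFLOG_MIN_HDRLEN)
        return NULL;
    size_t skip = BPF_WORDALIGN((size_t)rec[0]);   /* header is padded to 4 bytes */
    if (skip >= reclen)                            /* nothing left after the header */
        return NULL;
    memset(m, 0, sizeof *m);
    m->length = rec[0]; m->af = rec[1]; m->action = rec[2]; m->reason = rec[3];
    memcpy(m->ifname, rec + 4, PFLOG_IFNAMSIZ);
    m->ifname[PFLOG_IFNAMSIZ] = '\0';              /* ifname may not be NUL-terminated */
    const uint8_t *r = rec + PFLOG_RULENR_OFF;
    m->rulenr = ((uint32_t)r[0] << 24) | ((uint32_t)r[1] << 16) |
                ((uint32_t)r[2] << 8) | (uint32_t)r[3];
    if (m->af != PFLOG_AF_INET && m->af != PFLOG_AF_INET6)
        return NULL;
    *inner_len = reclen - skip;
    return rec + skip;
}

/* Minimal IPv4 sanity check on the stripped packet: returns the protocol
 * number, or -1 if it does not look like a complete IPv4 header. */
int ipv4_proto(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || total < ihl || total > len)
        return -1;
    return pkt[9];
}

/* Constructed sample record (not a real capture): a 64-byte pflog header for an
 * IPv4/UDP packet blocked on bge0 by rule 7, followed by a 28-byte IPv4+UDP
 * packet with zeroed checksums. Returns the number of bytes written. */
size_t build_sample_record(uint8_t *buf, size_t cap)
{
    static const uint8_t ip_udp[28] = {
        0x45, 0x00, 0x00, 0x1c, 0x00, 0x01, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00,
        10, 0, 0, 1,                                       /* src 10.0.0.1   */
        192, 0, 2, 10,                                     /* dst 192.0.2.10 */
        0x04, 0xd2, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00     /* UDP 1234 -> 53 */
    };
    size_t hdr = BPF_WORDALIGN(PFLOG_REAL_HDRLEN);         /* 64 */
    if (buf == NULL || cap < hdr + sizeof ip_udp)
        return 0;
    memset(buf, 0, hdr);
    buf[0] = PFLOG_REAL_HDRLEN;
    buf[1] = PFLOG_AF_INET;
    buf[2] = PF_DROP;
    buf[3] = 0;                                            /* reason 0: match */
    memcpy(buf + 4, "bge0", 4);
    buf[PFLOG_RULENR_OFF + 3] = 7;                         /* rulenr 7, big endian */
    memcpy(buf + hdr, ip_udp, sizeof ip_udp);
    return hdr + sizeof ip_udp;
}

int main(void)
{
    uint8_t rec[128];
    size_t n = build_sample_record(rec, sizeof rec), inner_len = 0;
    struct pflog_meta m;
    const uint8_t *ip = pflog_strip(rec, n, &m, &inner_len);
    if (ip == NULL) {
        puts("malformed pflog record");
        return 1;
    }
    printf("%s rule %u %s af=%u -> %zu-byte packet, ip proto %d\n", m.ifname,
           m.rulenr, m.action == PF_DROP ? "block" : "pass", m.af, inner_len,
           ipv4_proto(ip, inner_len));
    return 0;
}
```

On a real file written by `tcpdump -i pflog0 -w file`, the pcap global header carries link type DLT_PFLOG (117) rather than Ethernet, and each record's data is exactly what `pflog_strip` expects; a tool that assumes Ethernet framing would misread the header bytes as MAC addresses, which is why snort needs to be taught this link type before the packets "make sense" to it.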
