Here is the result of some of my investigation:

1) There is a function DecodePflog in snort-2.4.5/src/decode.c and it isn't up to date for OpenBSD 4.0 pflog, or it's just a mistake there.

2) In snort-2.4.5/src/decode.h the struct describing the pflog header isn't up to date for OpenBSD 4.0 pflog (just look at 'man pflog').
The patched version of snort works in both forms: snort -Dqp -c /etc/snort/snort.conf -i pflog0 and snort -r /var/log/pflog, but I haven't tested it very hard yet. The patch is attached. Snort snaps up to 1500 bytes of an IP packet from pflog0 (regulated by the snort -P option). It looks like I don't need pflogd at all for my needs (snort -i pflog0 is enough).

Thanks!
Alexander Zatserkovniy

Stuart Henderson wrote:
> On 2006/12/06 22:18, Alexander Zatserkovniy wrote:
>
>> Olaf Schreck wrote:
>>
>>>> I'm a novice with OpenBSD and, maybe,
>>>> snort -i pflog0
>>>> is a kind of bad practice? Or is it a known problem with OpenBSD 4.0?
>>>>
>>> Won't work. Although pflog does create pcap style output, it is not
>>> data that would make sense to snort.
>>>
>
> the rest of the packets are still there, just prepended by a pflog header
> holding rule, interface, etc: see pflog(4). snort could be taught to strip
> it off, just like tcpdump knows how to.
>
> sys/net/if_pflog.h
> usr.sbin/tcpdump/print-pflog.c
>
>
>> I do it, but the external interface is bge0 (GigabitEthernet) and there are
>> three universities (GigEth) and an Internet link (10Mbit/s). I can't parse
>> GE on the host (just two Xeon 2.4GHz) but I can select Internet traffic
>> via pf and want to parse it. I use pflog data "log (all)".
>>
>
> good idea, and with -current you can have multi pflog interfaces
> which you might find useful too.

#diff -Naur snort-2.4.5/src/decode.c snort-2.4.5-patched/src/decode.c --- src-orig/decode.c Sat Sep 17 08:06:35 2005 +++ src/decode.c Thu Dec 14 15:39:51 2006 @@ -1204,7 +1204,7 @@ p->pfh = (PflogHdr *) pkt; /* get the network type - should only be AF_INET or AF_INET6 */ - switch(ntohs(p->pfh->af)) + switch((unsigned short)p->pfh->af) { case AF_INET: /* IPv4 */ DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "IP datagram size calculated to be %lu " #diff -Naur snort-2.4.5/src/decode.h snort-2.4.5-patched/src/decode.h --- src-orig/decode.h Fri Sep 2 08:09:20 2005 +++ src/decode.h Thu Dec 14 15:37:29 2006
@@ -724,7 +724,7 @@ typedef struct _Pflog_hdr { - int8_t length; + u_int8_t length; sa_family_t af; u_int8_t action; u_int8_t reason; @@ -732,6 +732,10 @@ char ruleset[16]; u_int32_t rulenr; u_int32_t subrulenr; + uid_t uid; + pid_t pid; + uid_t rule_uid; + pid_t rule_pid; u_int8_t dir; u_int8_t pad[3]; } PflogHdr;
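Review bot: in the decode.c hunk, the cast in `+ switch((unsigned short)p->pfh->af)` buys nothing, because the switch operand is promoted to int anyway; the only behavioural change is dropping ntohs(). The surviving comment still just says "get the network type", so add a sentence stating that pflog(4) writes af in the capturing host's byte order and with the host's sa_family_t width, otherwise the next reader will put ntohs() back; a plain `switch (p->pfh->af)` with that comment is clearer. The hunk also shows `p->pfh = (PflogHdr *) pkt;` followed directly by a dereference of p->pfh->af with no visible check that the captured length covers the header; with the header growing by 16 bytes in the decode.h change, confirm that DecodePflog rejects records shorter than sizeof(PflogHdr) before reaching this switch.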
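Review bot: `- int8_t length;` to `+ u_int8_t length;` gives the field the right width for OpenBSD's pfloghdr, but the neighbouring `sa_family_t af;` in the same struct stays host-dependent: sa_family_t is one byte on OpenBSD and two bytes on Linux, so a snort built on another platform would overlay a different layout on the same pflog file. Since this struct mirrors a captured record rather than a kernel API, use fixed-width types throughout (`u_int8_t af;`) and add a comment naming sys/net/if_pflog.h as the source of the layout. The sign fix does not by itself make length trustworthy; the decoder should still compare it against sizeof(PflogHdr) and the captured length before using it as the offset of the IP packet.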
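Review bot: the four fields added in the second decode.h hunk, `+ uid_t uid;` through `+ pid_t rule_pid;`, are declared with host typedefs; uid_t and pid_t are not guaranteed to be 32 bits on every platform snort builds on, so declare them as u_int32_t to keep sizeof(PflogHdr) equal to the kernel's header size regardless of host. Because this hunk changes sizeof(PflogHdr), any code in DecodePflog that finds the encapsulated packet via sizeof(PflogHdr) or via pfh->length now moves by 16 bytes; the two must agree, and a comment recording which if_pflog.h the layout was taken from (OpenBSD 4.0, per the message) will make the next header change easy to spot.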
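Stuart's point above is that a pflog record is an ordinary packet with a pflog(4) header in front, so a decoder only has to parse and skip that header safely. The following is an added example written for this page, not code from the post or from snort: it mirrors the OpenBSD 4.0 header layout shown in the decode.h patch with fixed-width types, checks the record against the captured length before trusting any field, and returns the offset of the inner IP packet. The numeric AF_INET (2) and AF_INET6 (24) values are OpenBSD's, since a pflog file carries the capturing host's constants, not the reader's; the sample record and its field values are constructed for the demonstration.

```c
/*
 * Added example (not part of the original post or of snort): a bounds-checked
 * parser for the OpenBSD 4.0 pflog(4) header, laid out as in the decode.h patch
 * above. It returns the address family and the offset of the encapsulated IP
 * packet, or -1 when the captured record is too short or the header's own
 * length field is inconsistent. All sample bytes below are constructed.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PFLOG_IFNAMSIZ   16
#define PFLOG_RULESET_SZ 16
#define PFLOG_AF_INET     2   /* AF_INET  as numbered on OpenBSD */
#define PFLOG_AF_INET6   24   /* AF_INET6 as numbered on OpenBSD (Linux uses 10) */

/* Fixed-width mirror of OpenBSD 4.0's struct pfloghdr; sums to 64 bytes. */
struct pflog_hdr {
    uint8_t  length;        /* total header length as written by the kernel */
    uint8_t  af;            /* sa_family_t is 8 bits on OpenBSD */
    uint8_t  action;
    uint8_t  reason;
    char     ifname[PFLOG_IFNAMSIZ];
    char     ruleset[PFLOG_RULESET_SZ];
    uint32_t rulenr;
    uint32_t subrulenr;
    uint32_t uid;           /* uid_t on OpenBSD */
    uint32_t pid;           /* pid_t on OpenBSD */
    uint32_t rule_uid;
    uint32_t rule_pid;
    uint8_t  dir;
    uint8_t  pad[3];
};

/*
 * Parse one pflog record of caplen bytes. On success store the address family
 * in *af and return the offset of the inner IP packet; return -1 on any
 * inconsistency so the caller never reads past the captured data.
 */
int pflog_parse(const uint8_t *rec, size_t caplen, uint8_t *af)
{
    struct pflog_hdr hdr;
    size_t min_ip;

    /* The whole fixed header must be present before any field is trusted. */
    if (rec == NULL || caplen < sizeof(hdr))
        return -1;
    memcpy(&hdr, rec, sizeof(hdr));   /* copy out: no unaligned access on the raw buffer */

    /* The kernel writes its own header size into length; anything else is a
     * foreign layout or corruption, so refuse rather than skip an unknown amount. */
    if (hdr.length != sizeof(hdr))
        return -1;

    /* Only the two families the header promises, with room for a minimal IP header. */
    switch (hdr.af) {
    case PFLOG_AF_INET:  min_ip = 20; break;
    case PFLOG_AF_INET6: min_ip = 40; break;
    default:             return -1;
    }
    if (caplen - hdr.length < min_ip)
        return -1;

    *af = hdr.af;
    return hdr.length;
}

/* Build a constructed record: 64-byte pflog header + 20-byte minimal IPv4 header. */
size_t build_sample(uint8_t *buf, size_t bufsz)
{
    struct pflog_hdr hdr;
    static const uint8_t ipv4[20] = {
        0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
        192, 0, 2, 1, 198, 51, 100, 7 };   /* RFC 5737 documentation addresses */

    if (bufsz < sizeof(hdr) + sizeof(ipv4))
        return 0;
    memset(&hdr, 0, sizeof(hdr));
    hdr.length = sizeof(hdr);
    hdr.af     = PFLOG_AF_INET;
    memcpy(hdr.ifname, "bge0", 5);         /* interface name from the thread */
    hdr.rulenr = 7;                        /* constructed rule number */
    hdr.dir    = 1;                        /* constructed direction code */
    memcpy(buf, &hdr, sizeof(hdr));
    memcpy(buf + sizeof(hdr), ipv4, sizeof(ipv4));
    return sizeof(hdr) + sizeof(ipv4);
}

int main(void)
{
    uint8_t rec[128];
    uint8_t af = 0;
    size_t n = build_sample(rec, sizeof(rec));
    int off = pflog_parse(rec, n, &af);

    if (off < 0) {
        puts("record rejected");
        return 1;
    }
    printf("af=%u, IP packet at offset %d (%zu bytes captured)\n", af, off, n - (size_t)off);
    /* A record cut off inside the pflog header must be rejected, not decoded. */
    printf("truncated record -> %d\n", pflog_parse(rec, 40, &af));
    return 0;
}
```

Rejecting a record whose length byte disagrees with the expected header size, rather than honouring it, is the conservative choice for a decoder that feeds rules: it means a file written by a different pflog version is noticed immediately instead of being parsed at the wrong offset.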