On Sun, 13 Nov 2011 09:51:05 -0600, "Ted Wynnychenko" <[email protected]> wrote:
> With 4.5, I had snort listening to pflog0, because I understood that
> listening to the interface directly (e.g. "bge0") would not work
> since any packets dropped by pf would not be seen by snort.

pflog0 only shows the packets that pf is told to log (e.g. in pf.conf:
"pass out log inet proto icmp all icmp-type echoreq").

> However, when I upgraded to 4.9 and snort 2.9.1.x, I have noticed
> that snort appears to see packets that are dropped by pf when it
> listens on the interface directly (bge0).

snort listens on interfaces just like tcpdump, wireshark, etc. do. This
means that it puts Ethernet interfaces in promiscuous mode and just reads
all incoming and outgoing traffic and interprets it. Of course it won't
read outgoing traffic that pf drops before reaching the interface(s), but
anything else will get monitored by snort. I doubt that snort ever worked
in another way.

RU,
Tobias.
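The difference between what reaches pflog0 and what reaches bge0 comes down to which rules carry the "log" keyword. The pf.conf fragment below is an added example, not something posted in the thread; the interface name bge0 comes from the message, the port numbers and the "log (all)" rule are assumptions chosen to illustrate the point.

```pf
# Added example ruleset (not from the thread). Interface bge0 is taken from
# the message; everything else here is an assumption for illustration.
ext_if = "bge0"
set skip on lo

# A block rule WITHOUT "log" silently drops traffic: such packets show up on
# bge0 (an IDS in promiscuous mode still sees inbound frames) but never on
# pflog0. Adding "log" is what makes dropped packets visible on pflog0.
block log all

# A pass rule without "log" never produces a pflog0 entry, so an IDS that
# only listens on pflog0 misses this flow entirely.
pass in on $ext_if inet proto tcp to ($ext_if) port 22

# The rule quoted in the message: only the packet that creates the state is
# logged, so pflog0 shows the first echo request, not every one.
pass out log inet proto icmp all icmp-type echoreq

# "log (all)" logs every packet matching the state, not just the first one;
# this is what a pflog0-based IDS needs if it is to inspect whole sessions.
pass in log (all) on $ext_if inet proto tcp to ($ext_if) port 80
```

After loading the ruleset with `pfctl -f /etc/pf.conf`, `tcpdump -n -e -ttt -i pflog0` shows live logged packets and `tcpdump -n -e -ttt -r /var/log/pflog` reads what pflogd has written; comparing either with `tcpdump -n -i bge0` makes the gap between the two vantage points concrete.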

