* Tobias Crefeld <[email protected]> [2011-11-14 17:13]:
> On Sun, 13 Nov 2011 09:51:05 -0600
> > However, when I upgraded to 4.9 and snort 2.9.1.x, I have noticed
> > that snort appears to see packets that are dropped by pf when it
> > listens on the interface directly (bge0).
> snort's listening on interfaces just like tcpdump, wireshark, etc.
> does. This means that it puts ethernet interfaces in promiscuous mode

not necessarily promisc, doesn't make too much sense these days for the common setups anyway, but that's nitpicking.

> and just reads all incoming and outgoing traffic and interprets it.
> Of course it won't read outgoing traffic that pf drops before reaching
> the interface(s) but anything else will get monitored by snort.

while this is all correct, let me try to phrase it in a way that i think is clearer.

the bpf hooks (aka where bpf grabs the packets) are "outside" pf, i.e. inbound packets hit pf before bpf and outgoing pf before bpf. that leaves cases where packets traverse the stack more than once (e.g. some encapsulations, some cases where pf makes changes to the packet) aside for clarity.

and pflog is special insofar as it is "outgoing" only, except that it sends nowhere and "just" feeds bpf - and as you noted, only sees packets pf is explicitly told to send there.

> I doubt that snort ever worked in another way.

i can confirm that the bpf - pf order has always been like it is today.

-- 
Henning Brauer, [email protected], [email protected]
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
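A pf.conf sketch of the pflog behaviour discussed above, added here as an illustration and not part of the thread: the interface name bge0 comes from the original question, the rules themselves are invented for the example.

```pf
# Hypothetical pf.conf fragment (added example, not from the mailing-list thread).
# $ext_if = bge0 is taken from the original question; the rules are made up.
ext_if = "bge0"

# Inbound packets dropped by this rule are still visible to a sensor
# (snort, tcpdump) listening on $ext_if: the interface's bpf tap sees the
# frame before pf decides to drop it. Without "log" nothing goes to pflog0.
block in on $ext_if all

# Same drop, but pf is now explicitly told to copy the packet to pflog0,
# so a sensor on pflog0 sees it as well as one on $ext_if.
block in log on $ext_if proto tcp to ($ext_if) port 23

# For state-creating pass rules, plain "log" copies only the packet that
# creates the state; "log (all)" copies every packet matching that state.
# A sensor on pflog0 that needs whole connections must use "log (all)".
pass in log (all) on $ext_if proto tcp to ($ext_if) port 22 keep state

# Outbound packets pf drops never reach the bpf tap on $ext_if, so a sensor
# on $ext_if cannot see them; pflog0 is the only place they show up, and
# only because this rule says "log".
block out log on $ext_if proto udp to port 53
```

Running `tcpdump -n -i bge0` beside `tcpdump -n -i pflog0` while traffic matches these rules shows the difference: the first sees every inbound frame regardless of pf's verdict, the second sees only what the `log` keywords send it.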

