On Fri, Sep 07, 2012 at 11:54:07AM -0400, Bentley, Dain wrote:
> Hello Misc,
> I've installed Snort on OpenBSD 4.9 from source and everything installed
> fine.
> When I configure the following rules I see alerts generated:
>
> # cat /etc/snort/snort.conf
> include /etc/snort/rules/icmp.rules
>
> # cat /etc/snort/rules/icmp.rules
> alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)
>
> /usr/local/bin/snort --daq-dir /usr/local/lib/daq -c /etc/snort/snort.conf -l
> /var/log/snort -i fxp1
>
> So when I ping the outside interface I get the following in
> /var/log/snort/alert
>
> [**] [1:477:3] ICMP Packet [**]
> [Priority: 0]
> 09/07-10:30:08.599075 xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx
> ICMP TTL:113 TOS:0x20 ID:25441 IpLen:20 DgmLen:28
> Type:8 Code:0 ID:512 Seq:26063 ECHO
>
> So I know snort can see packets. Even though I have icmp blocked on the
> outside interface it still logs it.

Why should snort not see them? snort sees packets which arrive at that
interface. Packet filters handle packets later.

> When I download and load the snort rules from the snort site nothing happens.
> The logfile sits empty.

What do you expect? Have you configured snort correctly? Are the rules you
want to fire really enabled?

> Has anyone successfully installed snort on openbsd and logged data?

Of course. Running recent snort on -current.

Recently I sent an update of the snort port to ports@. Maybe you could help
test it, so we have a more up-to-date snort version in 5.3.

Regards,
Markus
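The two checks Markus asks for (is the rule set actually enabled, and does the alert file show anything firing) can be scripted. The following is an added example written for this thread, not code from the thread or from the Snort project. It works on sample text constructed inline: a snort.conf with include lines, two rule files in which some rules are commented out, and an alert file in the same format as the entry quoted above. The file paths are the ones from the thread but here they are only keys into an in-memory dict; point the functions at real file contents to use it on a live system.

```python
"""Inventory enabled/disabled Snort rules and compare with what fired.

Added example for the misc@ thread above, not part of the original mail or
of Snort itself. All inputs below are constructed samples.
"""
import re

# Constructed sample files (paths reused from the thread, contents invented).
SAMPLE_FILES = {
    "/etc/snort/snort.conf": """\
# minimal config
include /etc/snort/rules/icmp.rules
include /etc/snort/rules/local.rules
""",
    "/etc/snort/rules/icmp.rules": """\
alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)
# alert icmp any any -> any any (msg:"ICMP Echo Reply"; sid:408; rev:5;)
""",
    "/etc/snort/rules/local.rules": """\
#alert tcp any any -> any 23 (msg:"Telnet attempt"; sid:1000001; rev:1;)
alert tcp any any -> any 22 (msg:"SSH attempt"; sid:1000002; rev:1;)
""",
}

# Constructed alert file in the format shown in the thread (two echo requests).
SAMPLE_ALERT_LOG = """\
[**] [1:477:3] ICMP Packet [**]
[Priority: 0]
09/07-10:30:08.599075 xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx
ICMP TTL:113 TOS:0x20 ID:25441 IpLen:20 DgmLen:28
Type:8 Code:0 ID:512 Seq:26063 ECHO

[**] [1:477:3] ICMP Packet [**]
[Priority: 0]
09/07-10:30:09.601200 xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx
ICMP TTL:113 TOS:0x20 ID:25442 IpLen:20 DgmLen:28
Type:8 Code:0 ID:512 Seq:26064 ECHO
"""

INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")
# Group 1 is present when the rule line is commented out; group 3 is the sid.
RULE_RE = re.compile(
    r"^\s*(#\s*)?(alert|log|pass|drop|reject|sdrop)\b.*?\bsid:\s*(\d+)\s*;")
# Header of one alert entry: [**] [gid:sid:rev] message [**]
ALERT_HDR_RE = re.compile(
    r"^\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]")


def included_rule_files(conf_text):
    """Return the paths named by uncommented 'include' lines in snort.conf."""
    paths = []
    for line in conf_text.splitlines():
        m = INCLUDE_RE.match(line)
        if m:
            paths.append(m.group(1))
    return paths


def classify_rules(rule_text):
    """Map sid -> True if the rule is active, False if it is commented out."""
    result = {}
    for line in rule_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            result[int(m.group(3))] = m.group(1) is None
    return result


def rule_inventory(files, conf_path):
    """Follow every include of conf_path and merge the sid status of each file."""
    inventory = {}
    for path in included_rule_files(files[conf_path]):
        inventory.update(classify_rules(files.get(path, "")))
    return inventory


def fired_sids(alert_text):
    """Count alert entries per (gid, sid) in a Snort alert file."""
    counts = {}
    for line in alert_text.splitlines():
        m = ALERT_HDR_RE.match(line)
        if m:
            key = (int(m.group(1)), int(m.group(2)))
            counts[key] = counts.get(key, 0) + 1
    return counts


def report(files, conf_path, alert_text):
    """Summarise enabled/disabled sids and how often each enabled sid fired."""
    inventory = rule_inventory(files, conf_path)
    fired = fired_sids(alert_text)
    enabled = sorted(s for s, on in inventory.items() if on)
    disabled = sorted(s for s, on in inventory.items() if not on)
    fired_enabled = {s: fired.get((1, s), 0) for s in enabled}
    unknown = sorted(s for (_gid, s) in fired if s not in inventory)
    return {"enabled": enabled, "disabled": disabled,
            "fired": fired_enabled, "fired_unknown": unknown}


if __name__ == "__main__":
    r = report(SAMPLE_FILES, "/etc/snort/snort.conf", SAMPLE_ALERT_LOG)
    print("enabled sids :", r["enabled"])
    print("disabled sids:", r["disabled"])
    for sid, n in r["fired"].items():
        print(f"sid {sid}: {n} alert(s)" if n else f"sid {sid}: no alerts yet")
```

On the sample data the report lists sids 477 and 1000002 as enabled, 408 and 1000001 as disabled, and shows that only sid 477 has produced alerts. An empty alert file together with a long "disabled" list is the situation Markus is hinting at: a downloaded rule set often ships with most rules commented out, and nothing fires until they are enabled.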

