I got it working fine. It's logging as expected. I have pf2snort installed and it seems to be working ok. I have portscans logging to portscan.log, so if I could just log the portscans to the alert file so snort2pf can see it, I'll be super happy.
Regards,
Dain Bentley

-----Original Message-----
From: Markus Lude [[email protected]]
Received: Sunday, 09 Sep 2012, 9:52am
To: [email protected] [[email protected]]
Subject: Re: Snort not logging to alerts files

On Fri, Sep 07, 2012 at 11:54:07AM -0400, Bentley, Dain wrote:
> Hello Misc,
> I've installed Snort on OpenBSD 4.9 from source and everything installed
> fine.
> When I configure the following rules I see alerts generated:
>
> # cat /etc/snort/snort.conf
> include /etc/snort/rules/icmp.rules
>
> # cat /etc/snort/rules/icmp.rules
> alert icmp any any -> any any (msg:"ICMP Packet"; sid:477; rev:3;)
>
> /usr/local/bin/snort --daq-dir /usr/local/lib/daq -c /etc/snort/snort.conf -l
> /var/log/snort -i fxp1
>
> So when I ping the outside interface I get the following in
> /var/log/snort/alert
>
> [**] [1:477:3] ICMP Packet [**]
> [Priority: 0]
> 09/07-10:30:08.599075 xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx
> ICMP TTL:113 TOS:0x20 ID:25441 IpLen:20 DgmLen:28
> Type:8 Code:0 ID:512 Seq:26063 ECHO
>
> So now I know snort can see packets. Even though I have icmp blocked on the
> outside interface it still logs it. Why should snort not see them?

snort sees packets which arrive at that interface. Packet filters handle
packets later.

> When I download and load the snort rules from the snort site nothing happens.
> The logfile sits empty.

What do you expect? Have you configured snort correctly? Are the rules
you want to fire really enabled?

> Has anyone successfully installed snort on openbsd and logged data?

Of course. Running recent snort on -current.

Recently I sent an update of the snort port to ports@. Maybe you could help
test it, so we have a more up-to-date snort version in 5.3.

Regards,
Markus
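The thread hinges on two checks a defender makes when Snort "logs nothing": confirming that the sensor sees traffic at all, and confirming which rules (by generator id, sid and revision) are actually firing. The following added example, which is not code from the thread, from Snort or from the snort2pf/pf2snort tools, parses the multi-line "full" alert records of the shape quoted above (the `[**] [1:477:3] ICMP Packet [**]` block) and tallies hits per rule, so a log that "sits empty" for one rule set can be distinguished from a log where only some sids fire. The sample records are constructed (RFC 5737 documentation addresses, and a hypothetical sid 1000001 TCP rule); the parser assumes IPv4 addresses and Snort's full alert output format.

```python
"""Parse Snort "full" alert records and count hits per rule.

Added example, not code from the thread or from the Snort project.
Assumes the multi-line record layout Snort writes to /var/log/snort/alert
with the full alert output, and IPv4 addresses (IPv6 would need a
different src/dst split because of the colons).
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the record quoted in the thread.
# Addresses are RFC 5737 documentation addresses; sid 1000001 is a
# hypothetical local rule, not a real Snort rule.
SAMPLE_ALERT_FILE = """\
[**] [1:477:3] ICMP Packet [**]
[Priority: 0]
09/07-10:30:08.599075 192.0.2.10 -> 198.51.100.5
ICMP TTL:113 TOS:0x20 ID:25441 IpLen:20 DgmLen:28
Type:8 Code:0 ID:512 Seq:26063 ECHO

[**] [1:477:3] ICMP Packet [**]
[Priority: 0]
09/07-10:30:09.601200 192.0.2.10 -> 198.51.100.5
ICMP TTL:113 TOS:0x20 ID:25442 IpLen:20 DgmLen:28
Type:8 Code:0 ID:512 Seq:26064 ECHO

[**] [1:1000001:1] Hypothetical TCP rule [**]
[Classification: Attempted Information Leak] [Priority: 2]
09/07-10:31:15.000000 192.0.2.20:41234 -> 198.51.100.5:22
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF
******S* Seq: 0x0  Ack: 0x0  Win: 0x0  TcpLen: 40
"""

# "[**] [gid:sid:rev] message [**]"
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
PRIORITY_RE = re.compile(r"\[Priority: (\d+)\]")
CLASS_RE = re.compile(r"\[Classification: ([^\]]+)\]")
# "MM/DD-HH:MM:SS.usec src[:port] -> dst[:port]"
PACKET_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$"
)
PROTOCOLS = ("ICMP", "TCP", "UDP")


def parse_record(lines: List[str]) -> Optional[Dict[str, object]]:
    """Parse one alert record (a block of lines) into a dict, or None."""
    if not lines:
        return None
    head = HEADER_RE.match(lines[0])
    if not head:
        return None  # not an alert header; skip unrecognised blocks
    gid, sid, rev, msg = head.groups()
    rec: Dict[str, object] = {
        "gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg,
        "priority": None, "classification": None, "timestamp": None,
        "src": None, "sport": None, "dst": None, "dport": None, "proto": None,
    }
    for line in lines[1:]:
        pm = PRIORITY_RE.search(line)
        if pm:
            rec["priority"] = int(pm.group(1))
        cm = CLASS_RE.search(line)
        if cm:
            rec["classification"] = cm.group(1)
        km = PACKET_RE.match(line)
        if km:
            ts, src, sport, dst, dport = km.groups()
            rec.update(timestamp=ts, src=src, dst=dst,
                       sport=int(sport) if sport else None,
                       dport=int(dport) if dport else None)
            continue
        # The protocol line starts with the layer-4 protocol name.
        first = line.split(" ", 1)[0]
        if rec["proto"] is None and first in PROTOCOLS:
            rec["proto"] = first
    return rec


def parse_alert_file(text: str) -> List[Dict[str, object]]:
    """Split the alert file on blank lines and parse every record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = parse_record(block.strip().splitlines())
        if rec is not None:
            records.append(rec)
    return records


def count_by_sid(records: List[Dict[str, object]]) -> Dict[Tuple[int, int], int]:
    """Tally alerts per (gid, sid): the quickest way to see which rules fire."""
    counts: Dict[Tuple[int, int], int] = {}
    for r in records:
        key = (r["gid"], r["sid"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_alert_file(SAMPLE_ALERT_FILE)
    for (gid, sid), n in sorted(count_by_sid(recs).items()):
        print(f"gid {gid} sid {sid}: {n} alert(s)")
```

Run against a real `/var/log/snort/alert`, an empty tally for a rule that should be matching traffic points at the rule set (not included, disabled, or not matching the interface's traffic), while a non-empty tally for sid 477 alongside zeros for the downloaded rules points at rule selection rather than at capture, which is exactly the distinction the reply above asks the poster to make.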

