I have a question about running Snort on OpenBSD 3.3 with pf and NAT. I have not got an answer back from the Snort folks, so I was hoping someone here might be able to give me guidance; below is the email I sent to the Snort list. If anyone out there is running Snort on their firewall, I would appreciate the help. I know this is not ideal and it really should be on a separate box, but this is on a home DSL link just so I can get experience with Snort.
I have just come across some articles stating that if you are running Snort on your firewall, as I am, and monitoring the external interface, with it all set up correctly, then just because of the way PF acts, if you drop it at the external firewall interface Snort never sees the packet. Can someone confirm this? I have seen a number of articles and emails stating that Snort sees all traffic before it is ever filtered by PF, and now have come across others that say the exact opposite. Can someone clear this up?
