IIRC Snort, tcpdump etc. use the BPF interface, which COPIES the matching packets into buffers supplied by the application.

PF (presumably) is "behind" the BPF interface in the order it gets the packets, so even when blocking all packets in PF, snort/tcpdump etc. still get to see a COPY of the packet first. The important bit is that the applications are only seeing copies of the packets, whereas PF has access to the original packet in kernel memory, so it can modify or even delete the packet before it gets processed by the kernel.

e.g. the order is:

1) Physical driver copies packet from the wire into kernel memory
2) BPF copies the packet into the application memory
3) PF plays with the packet or even deletes it totally.
4) The kernel then (if not deleted) routes etc. the packet.

This is my blurry view of how things happen.

Dom

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dom De Vitto
Tel. 07855 805 271
http://www.devitto.com
mailto:[EMAIL PROTECTED]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, October 13, 2003 6:44 PM
To: [EMAIL PROTECTED]
Subject: PF and Snort Working together

I have a question about running snort on openbsd 3.3 with pf and nat, and I have not got an answer back from the snort folks, so I was hoping someone here might be able to give me guidance; here is the email below I sent to the snort list. So if anyone out there is running snort on their firewall I would appreciate the help. I know this is not ideal and it really should be on a separate box, but this is on a home dsl link just so I can get experience with snort.

I have just come across some articles stating that if you are running snort on your firewall, as I am, and monitoring the external interface, it is all set up correctly but, just because of the way PF acts, if you drop it at the external firewall interface snort never sees the packet. Can someone confirm this?

I have seen a number of articles and emails stating that snort sees all traffic before it is ever filtered by PF, and now have come across others that say the exact opposite. Can someone clear this up?
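An added example, not from either message in the thread, of how the ordering Dom describes can be checked on the box in question: a minimal OpenBSD 3.3-era pf.conf with NAT and a logged default deny, plus the two tcpdump listings to compare. The interface names (fxp0, dc0) and the internal network are assumptions.

```conf
# Added example, not from the thread. Assumed: fxp0 is the external (dsl)
# interface, dc0 the internal one, 192.168.1.0/24 the home network.
ext_if = "fxp0"
int_if = "dc0"
int_net = "192.168.1.0/24"

# NAT on the external interface. PF rewrites the address in kernel memory;
# a BPF listener on $ext_if only ever gets the copy taken as the packet
# arrived from the wire, before PF touched it.
nat on $ext_if from $int_net to any -> ($ext_if)

# Default deny inbound on the external interface, and log what is dropped.
# "log" sends a copy of each matching packet to the pflog0 pseudo-interface.
block in log on $ext_if all

# Allow outbound connections and their replies.
pass out on $ext_if proto { tcp, udp, icmp } all keep state

# Load the rule set:
#   pfctl -f /etc/pf.conf
#
# Checking the ordering (run in two shells while traffic hits $ext_if):
#   tcpdump -n -i fxp0             # BPF tap on the wire side of the firewall
#   tcpdump -n -e -ttt -i pflog0   # PF's own log; -e shows the rule and action
# A blocked packet shows up in BOTH listings: the snort/tcpdump copy on
# $ext_if is taken before PF's block rule runs. A sensor that should see
# only what PF actually passed belongs on $int_if (or on a separate box
# behind the firewall), where only post-filter traffic travels.
```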
