Thank you very much and I thought that is how it should work, but it doesn't work that way for me. It seems if I create a rule to let a specific packet through the firewall then snort sees it; if I block it, then it never gets logged by snort. So I am totally confused and pulling out my hair. I have posted my snort configs to the snort list and no one sees anything wrong with it.
HMMMMMMMMMM Am I the only one that strange things like this happen to LOL.

> IIRC Snort, tcpdump etc use the BPF interface, which COPIES the
> matching packets into buffers supplied by the application.
>
> PF (presumably) is "behind" the BPF interface in the order it gets
> the packets, so even when blocking all packets in PF, snort/tcpdump
> etc. still get to see a COPY of the packet first.
>
> The important bit is that the applications are only seeing copies
> of the packets, whereas PF has access to the original packet in
> kernel memory - so can modify or even delete the packet before it
> gets processed by the kernel.
>
> e.g. the order is:
>
> 1) Physical driver copies packet from the wire into kernel memory
> 2) BPF copies the packet into the application memory
> 3) PF plays with the packet or even deletes it totally.
> 4) the kernel then (if not deleted) routes etc. the packet.
>
> This is my blurry view of how things happen.
>
> Dom
>
> Dom
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> Dom De Vitto Tel. 07855 805 271
> http://www.devitto.com mailto:[EMAIL PROTECTED]
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> [EMAIL PROTECTED]
> Sent: Monday, October 13, 2003 6:44 PM
> To: [EMAIL PROTECTED]
> Subject: PF and Snort Working together
>
> I have a question about running snort on openbsd 3.3 with pf and nat, and
> I have not got an answer back from the snort folks, so I was hoping someone
> here might be able to give me guidance. Here is the email below I sent to
> the snort list. So if anyone out there is running snort on their firewall
> I would appreciate the help. I know this is not ideal and it really should
> be on a separate box, but this is on a home dsl link just so I can get
> experience with snort.
>
> I have just come across some articles stating that if you are running
> snort on your firewall as I am and monitoring the external interface, it
> all is set up correctly, but just because of the way PF acts, if you drop
> it at the external firewall interface snort never sees the packet. Can
> someone confirm this? I have seen a number of articles and email stating
> that snort sees all traffic before it is ever filtered by PF and now have
> come across others that say the exact opposite.
>
> Can someone clear this up?
