Hi. I have a bridging IP-less firewall setup on an OpenBSD 3.4 machine. Interfaces txp0-2 are bridged together. Txp0 is external, txp2 is internal. Txp1 is unused at the moment. Fxp0 is a management interface with an IP so I can ssh to it, and so I can display acid's pages from the firewall. Having it all on one machine works fine for now.
The firewall works well. We're satisfied with it. We have verified that it is blocking nasty stuff and that there is no obstruction of traffic either way. Snort logs to MySQL just fine on txp0 and I see plenty of fun statistics in ACID.

Snort also will listen to pflog0, or I can feed it the pflog files from a time we are interested in seeing. That doesn't give us errors, but I don't see anything extra appear in ACID. Also, the only sensor I see in the interface is txp0 and not pflog0. When I go into the snort database with the mysql client and run SELECT * FROM sensor; I get this:

    +-----+-------------------------------+-----------------------+--------+--------+----------+----------+
    | sid | hostname                      | interface             | filter | detail | encoding | last_cid |
    +-----+-------------------------------+-----------------------+--------+--------+----------+----------+
    |   1 | unknown:txp0                  | txp0                  | NULL   |      1 |        0 |      751 |
    |   2 | unknown:pflog0                | pflog0                | NULL   |      1 |        0 |        0 |
    |   3 | unknown:[reading from a file] | [reading from a file] | NULL   |      1 |        0 |        0 |
    +-----+-------------------------------+-----------------------+--------+--------+----------+----------+

So, I did trigger something with snort. tcpdump -v -ttt -e -i pflog0 yields plenty of output. /var/log/pflog continues to grow. I looked in each table for any occurrence of a sid other than 1, and found none. Only entries corresponding to 1 or txp0:

    +------------------+
    | Tables_in_snort  |
    +------------------+
    | acid_ag          |
    | acid_ag_alert    |
    | acid_event       |
    | acid_ip_cache    |
    | data             |
    | detail           |
    | encoding         |
    | event            |
    | icmphdr          |
    | iphdr            |
    | opt              |
    | reference        |
    | reference_system |
    | schema           |
    | sensor           |
    | sig_class        |
    | sig_reference    |
    | signature        |
    | tcphdr           |
    | udphdr           |
    +------------------+

So I'm lost. I'm not sure what I should be looking for. Even when I run pflog with pass in and pass out on all interfaces, nothing makes it into the database. Any ideas?

Thanks,
Justin
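As an added example (not part of Justin's post), the per-sensor check he describes can be done in one query instead of inspecting each table by hand. It assumes the standard Snort MySQL schema, in which each row of event carries the sensor's sid and a per-sensor event counter cid, and sensor.last_cid records the last cid that sensor wrote.

```sql
-- Added diagnostic, not from the original post. Assumes the standard
-- Snort MySQL schema: event(sid, cid, signature, timestamp) with
-- event.sid referencing sensor(sid), and sensor.last_cid tracking the
-- highest cid that sensor has written.
--
-- For each sensor row, count how many events actually landed in the
-- event table and compare with what the sensor claims it last wrote.
-- A sensor with last_cid = 0 and events_logged = 0 has never inserted
-- an alert, which separates "Snort never wrote anything for pflog0"
-- from "events exist but ACID is not showing them".
SELECT s.sid,
       s.interface,
       s.last_cid,
       COUNT(e.cid)                     AS events_logged,
       MAX(e.cid)                       AS highest_cid,
       CASE
         WHEN COUNT(e.cid) = 0 AND s.last_cid = 0 THEN 'no alerts ever written'
         WHEN MAX(e.cid) < s.last_cid            THEN 'events missing vs last_cid'
         ELSE 'consistent'
       END                              AS status
FROM   sensor s
       LEFT JOIN event e ON e.sid = s.sid
GROUP  BY s.sid, s.interface, s.last_cid
ORDER  BY s.sid;

-- Same idea for the decoded headers: a pflog0 sensor whose alerts did
-- insert would also have rows here keyed by its sid.
SELECT sid, COUNT(*) AS ip_headers
FROM   iphdr
GROUP  BY sid
ORDER  BY sid;
```

If the first query reports 'no alerts ever written' for the pflog0 sensor while tcpdump on pflog0 shows traffic, the gap is between Snort's rule matching on that interface and its database output plugin, not in ACID.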
