Snort with PPPoE and PF



Hello,

I've just set up snort on an OpenBSD 3.0
box previously doing PPPoE (ADSL) with
NAT and firewalling.

I'm wondering if snort, that I started with:
# snort -i tun0 -I -c ./snort-nr.conf
(from /usr/local/share/examples/snort/)
was seeing *all* the traffic coming from
the ADSL line via tun0 or *only* the traffic
allowed by the PF firewall?

snort has been here for a while without any alerts
and I'm just wondering... (I think it really runs
;-) as it reported some false alerts from DNS servers
in my initial try/config attempts.)

I'd guess for the second case, especially as we also
started some external scans and my pflog0 shows things...

If snort gets its packets after the pf firewall has
filtered things, my next question would be: how can
I give snort access to the unfiltered traffic?
(our pf.conf is very restrictive, and I don't want
to change that... :-)

Thanks in advance,

Rodolphe