
Re: pf question



odin_(_at_)_cleannorth_(_dot_)_org wrote:

Although I try to block incoming spoofed packets with address
127.0.0.1/8, when I run snort on xl0 I get the following:

[**] [1:528:3] BAD TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]



Snort uses a bpf interface. Last I recall, this was low-level enough that it happens before pf (i.e. it sees everything regardless of pf rules). I think that'd explain what you're seeing.

-Dan


That's what I thought at first, but I cannot find the packet in the logs either... (block return in log quick....)