[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Bridging, pf, snort, acid, MySQL. Can't get pflog data to show up inACID

I have a bridging IP-less firewall setup on an OpenBSD 3.4 machine.
Interfaces txp0-2 are bridged together.  Txp0 is external, txp2 is
internal.  Txp1 is unused at the moment.  Fxp0 is a management interface
with an IP so I can ssh to it, and so I can display acid's pages from
the firewall.  Having it all on one machine works fine for now.
The firewall works well.  We're satisfied with it.  We have verified
that it is blocking nasty stuff and that there is no obstruction of
traffic either way
Snort logs to MySQL just fine on txp0 and I see plenty of fun statistics
in ACID.  Snort also will listen to pflog0 or I can feed it the pflog
files from a time we are interested in seeing.  That doesn't give us
errors, but I don't see anything extra appear in ACID.  Also the only
sensor I see is txp0 and not pflog0 in the interface.  When I go into
the snort database with the mysql client and SELECT * from sensor;  I
get this:
| sid | hostname                      | interface             |+-----+-------------------------------+-----------------------+
|   1 | unknown:txp0                  | txp0                  ||   2 | unknown:pflog0                | pflog0                ||   3 | unknown:[reading from a file] | [reading from a file] |+-----+-------------------------------+-----------------------+
 filter | detail | encoding | last_cid |--------+--------+----------+----------+
 NULL   |      1 |        0 |      751 | NULL   |      1 |        0 |        0 | NULL   |      1 |        0 |        0 |--------+--------+----------+----------+
So, I did trigger something with snort.  tcpdump -v -ttt -e -i pflog0
yields plenty of output.  /var/log/pflog continues to grow.  I looked in
each table for any occurrence of a sid other than 1, and found none.
Only entries corresponding to 1 or txp0:
| Tables_in_snort  |+------------------+
| acid_ag          || acid_ag_alert    || acid_event       || acid_ip_cache    || data             || detail           || encoding         || event            || icmphdr          || iphdr            || opt              || reference        || reference_system || schema           || sensor           || sig_class        || sig_reference    || signature        || tcphdr           || udphdr           |+------------------+
So I'm lost.  I'm not sure what I should be looking for.  Even when I
run pflog with pass in and pass out on all interface, nothing makes it
into the database.  Any ideas?