
Re: Bridging, pf, snort, acid, MySQL. Can't get pflog data to show up in ACID

> Hi.
> I have a bridging IP-less firewall setup on an OpenBSD 3.4 machine.
> Interfaces txp0-2 are bridged together.  Txp0 is external, txp2 is
> internal.  Txp1 is unused at the moment.  Fxp0 is a management interface
> with an IP so I can ssh to it, and so I can display acid's pages from
> the firewall.  Having it all on one machine works fine for now.
So you basically have internet--txp0*[fw]*txp2--internal
> Snort logs to MySQL just fine on txp0 and I see plenty of fun statistics
So you're watching the external side. If you are doing all the filtering
on txp0 you may wish to run Snort on txp2 in order to see just the
traffic that gets through to the internal side.
> in ACID.  Snort also will listen to pflog0 or I can feed it the pflog
> files from a time we are interested in seeing.  That doesn't give us
Default snaplen of pflog is 96 bytes BTW.
> errors, but I don't see anything extra appear in ACID.  Also the only
What do you mean, extra? Are you referring to payloads? If so, see above
comment about snaplen.
> sensor I see is txp0 and not pflog0 in the interface.  When I go into
You have one sensor, two interfaces.
> So I'm lost.  I'm not sure what I should be looking for.  Even when I
> run pflog with pass in and pass out on all interface, nothing makes it
> into the database.  Any ideas?   
The reason why depends on how you are running Snort on pflog. Command
used and relevant snort.conf configuration would be necessary info. Are
you using Barnyard? Anyway, this is getting pretty off-topic for pf.
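An added check, not part of the mail above or of the original poster's setup: before feeding a saved pflog file to Snort it is worth confirming what snaplen pflogd actually wrote it with, since a 96-byte capture leaves Snort's content rules almost nothing to match. pflogd writes plain pcap files, so the snaplen sits in bytes 16..19 of the 24-byte global header. The script below reads it in POSIX sh; the sample file it inspects is a constructed header (little-endian pcap 2.4, DLT_PFLOG = 117) standing in for /var/log/pflog, and the pflogd/snort command lines in the comments are the flags as I know them, to be checked against the man pages for the versions in use.

```shell
#!/bin/sh
# Added example: read the snaplen recorded in a pflog (pcap) file.
# Not code from the original thread; the sample header is constructed here.

# Emit a 32-bit value as four little-endian bytes (helper for the sample file).
le32() {
    n=$1
    i=0
    while [ "$i" -lt 4 ]; do
        printf "\\$(printf '%03o' $(( n % 256 )))"
        n=$(( n / 256 ))
        i=$(( i + 1 ))
    done
}

# Write a 24-byte pcap global header: magic, version 2.4, thiszone 0,
# sigfigs 0, the requested snaplen, and link type 117 (DLT_PFLOG).
# $1 = output file, $2 = snaplen.  Stands in for a real /var/log/pflog.
write_pcap_header() {
    {
        printf '\324\303\262\241\002\000\004\000'
        le32 0; le32 0; le32 "$2"; le32 117
    } > "$1"
}

# Print the snaplen stored in a pcap file; honours both byte orders.
# Returns 1 (and prints nothing on stdout) if the magic is not pcap's.
pcap_snaplen() {
    f=$1
    set -- $(od -An -tu1 -N4 "$f")
    case "$1 $2 $3 $4" in
        "212 195 178 161") order=le ;;   # d4 c3 b2 a1: written little-endian
        "161 178 195 212") order=be ;;   # a1 b2 c3 d4: written big-endian
        *) echo "$f: not a pcap file" >&2; return 1 ;;
    esac
    set -- $(od -An -tu1 -j16 -N4 "$f")
    if [ "$order" = le ]; then
        echo $(( $1 + $2 * 256 + $3 * 65536 + $4 * 16777216 ))
    else
        echo $(( $4 + $3 * 256 + $2 * 65536 + $1 * 16777216 ))
    fi
}

# Demo on a constructed header carrying pflogd's default 96-byte snaplen.
sample=$(mktemp)
write_pcap_header "$sample" 96
echo "snaplen recorded in sample pflog: $(pcap_snaplen "$sample")"
rm -f "$sample"

# If the value comes back as 96, the file never held the payloads Snort's
# content rules need.  Raise it at capture time (pflogd -s, e.g.
# "pflogd -s 1600"), restart pflogd, and run Snort on the live interface
# ("snort -i pflog0 -c /etc/snort/snort.conf ...") or on a file written
# after the change ("snort -r /var/log/pflog ...").  To see a second sensor
# in ACID, give that Snort instance its own sensor_name= in the
# "output database:" line of its snort.conf (assumed from Snort's database
# output plugin documentation, not from the thread).
```

Run it on the real file with `pcap_snaplen /var/log/pflog` once the functions are sourced; `tcpdump -r /var/log/pflog` reading fine while Snort reports nothing is exactly the symptom a short snaplen produces, since tcpdump needs only the headers.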