[Snortsam-discussion] some small ssp_pf2 enhancements

Frank Knobbe frank at snortsam.net
Fri Oct 9 23:11:59 EDT 2009


On Fri, 2009-10-09 at 19:10 +0200, Olli Hauer wrote:
> > Earlier this year I used ssp_pf and hacked that in shape to get it to
> > work on FBSD 7.2 since the ssp_pf2 didn't work for me. I think the old
> > method should indeed be abandoned and the newer version used. I just
> > wasn't able to figure out why ssp_pf2 didn't work, so I made ssp_pf
> > work. If ssp_pf2 works for everyone, I'll leave it as it is and add your
> > changes. 
> 
> Do you remember some details?
>  - installed from source/port ...
>  - pf load as module or build in kernel
>  - tables not working

Snortsam was installed from CVS (as I always do). I'm not sure how pf2
was loaded, but my guess would be as a module since I don't think those
folks rolled a custom kernel. (I'm reasonably sure that uname -a was
GENERIC, nothing custom).

The problem was the tables. Even though the anchor and tables were
created per Olaf's document, Snortsam never inserted the IPs. I assumed
there was something wrong with the ioctl's and tried the older pf
version, which after a bit of massaging, worked just fine.

> this will result at the moment into this default values
> - anchor=snortsam, tables=blockin,blockout
> 
> Now lets say the user configures the following line
> 2) pf2 table=block log=0
> 
> this will result in
> - anchor=snortsam, tables=block_in,block_out

heh... I wonder if that was my problem :)

Yeah, the _ should be removed to keep it consistent.

> I will write an additional README.pf2, but first I want to add some syslog code which works on all *BSDs

I have a submission for syslog (thanks to Jeffry). I just never got
around to implement it yet. The main reason is that I wanted to add code
around it to have it log to EventLog when on Windows, and call syslog()
on non-Windows machines. Over the last two years I have been pretty busy
with work, and neglected the Snortsam community a bit. (Thanks to Matt
and other ET folks to keep Snortsam afloat during the last year). But
soon I'll be able to put a bit more time into it... at least as far as
submissions and a few new features is concerned, and of course an updated
Snort plugin, barnyard1 plugin, barnyard2 plugin....

Historically, most changes to Snortsam always seemed to happen in
December. I'm sure that will hold true this year :)

Cheers,
Frank
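Added example (not Snortsam's own code, and not from either poster): a small C routine that derives the pf anchor and table names an ssp_pf2 option line would select, following the naming agreed in the thread: default anchor "snortsam" with tables "blockin"/"blockout", and a user-supplied table=NAME giving NAMEin/NAMEout with no underscore. The "key=value key=value" option format, the anchor= option, the default of log=1, and the helper names are assumptions made for this example; only table= and log= appear in the thread. Table names are restricted to alphanumerics and underscore before they could reach pfctl or a pf ioctl.

```c
/* Added example, not Snortsam code. Derive pf anchor/table names from an
 * ssp_pf2 option line, using the no-underscore naming from the thread.
 * Assumed: "key=value" tokens separated by blanks; keys anchor=, table=, log=;
 * logging defaults to on. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define PF2_NAMELEN 32  /* pf limits table names; 32 matches PF_TABLE_NAME_SIZE on BSD */

struct pf2_cfg {
    char anchor[PF2_NAMELEN];
    char table_in[PF2_NAMELEN];
    char table_out[PF2_NAMELEN];
    int  log;
};

/* Only [A-Za-z0-9_] is accepted: the value ends up in pf.conf or an ioctl. */
static int pf2_valid_name(const char *s)
{
    if (*s == '\0') return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && *s != '_') return 0;
    return 1;
}

/* Returns 0 on success, -1 on a malformed, unknown, invalid or over-long option. */
int pf2_parse_options(const char *line, struct pf2_cfg *cfg)
{
    char base[PF2_NAMELEN] = "block";   /* default table stem -> blockin/blockout */
    char buf[256];
    char *tok, *save;

    strcpy(cfg->anchor, "snortsam");    /* default anchor from the thread */
    cfg->log = 1;                       /* assumption: logging on unless log=0 */

    if (line == NULL) line = "";
    if (strlen(line) >= sizeof buf) return -1;
    strcpy(buf, line);

    for (tok = strtok_r(buf, " \t", &save); tok; tok = strtok_r(NULL, " \t", &save)) {
        char *eq = strchr(tok, '=');
        const char *val;
        if (!eq || eq == tok || eq[1] == '\0') return -1;
        *eq = '\0';
        val = eq + 1;
        if (strcmp(tok, "anchor") == 0) {
            if (!pf2_valid_name(val) || strlen(val) >= PF2_NAMELEN) return -1;
            strcpy(cfg->anchor, val);
        } else if (strcmp(tok, "table") == 0) {
            /* leave room for the "in"/"out" suffix and the terminator */
            if (!pf2_valid_name(val) || strlen(val) + 4 > PF2_NAMELEN) return -1;
            strcpy(base, val);
        } else if (strcmp(tok, "log") == 0) {
            if (strcmp(val, "0") == 0)      cfg->log = 0;
            else if (strcmp(val, "1") == 0) cfg->log = 1;
            else return -1;
        } else {
            return -1;  /* unknown option: reject rather than silently ignore */
        }
    }
    snprintf(cfg->table_in,  PF2_NAMELEN, "%sin",  base);
    snprintf(cfg->table_out, PF2_NAMELEN, "%sout", base);
    return 0;
}

/* Convenience check: does LINE resolve to exactly these names and log flag? */
int pf2_names_match(const char *line, const char *anchor,
                    const char *tin, const char *tout, int log)
{
    struct pf2_cfg c;
    if (pf2_parse_options(line, &c) != 0) return 0;
    return strcmp(c.anchor, anchor) == 0 && strcmp(c.table_in, tin) == 0 &&
           strcmp(c.table_out, tout) == 0 && c.log == log;
}

int main(void)
{
    struct pf2_cfg c;
    const char *lines[] = { "", "table=block log=0", "anchor=ids table=drop" };
    size_t i;
    for (i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        if (pf2_parse_options(lines[i], &c) == 0)
            printf("\"%s\" -> anchor=%s tables=%s,%s log=%d\n",
                   lines[i], c.anchor, c.table_in, c.table_out, c.log);
        else
            printf("\"%s\" -> rejected\n", lines[i]);
    }
    return 0;
}
```

Whatever names come out, the pf side must define them with exactly the same spelling (the anchor and both tables, the tables created persistently so they exist before anything is inserted), and the practical check for the "tables never filled" symptom Frank describes is to trigger a block and then list the table under its anchor with `pfctl -a snortsam -t blockin -T show`; an empty listing with no error points at the insert path, while a "table does not exist" error points at a naming mismatch such as the block_in versus blockin one above.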
