From owner-freebsd-security Tue Feb 13 22:16:58 2001
Date: Tue, 13 Feb 2001 22:16:28 -0800
From: "Crist J. Clark"
To: Michael Lea
Cc: "H. Wade Minter", Nick Rogness, freebsd-security@FreeBSD.ORG
Subject: Re: Getting more information from ipfw logs
Message-ID: <20010213221628.O62368@rfx-216-196-73-168.users.reflex>
Reply-To: cjclark@alum.mit.edu
References: <20010213155515.C71046@core.atomicbluebear.org>
In-Reply-To: <20010213155515.C71046@core.atomicbluebear.org>; from mlea@atomicbluebear.org on Tue, Feb 13, 2001 at 03:55:17PM -0600

On Tue, Feb 13, 2001 at 03:55:17PM -0600, Michael Lea wrote:
> On Tue, 13 Feb 2001, H. Wade Minter wrote:
>
> > Does snort work well with ipfw? Maybe I'm thinking of it wrong, but
> > wouldn't I have to let the traffic into the firewall so snort could deal
> > with it?
>
> Snort runs in promiscuous mode. That means that, if you're running it on the
> same box as ipfw, snort will see the packets regardless of whether ipfw
> passes them through to the rest of the IP stack or not.

It actually has nothing to do with promiscuous mode. The BPF device lives
very low in the IP stack, before ipfw(8). Anything that uses bpf(4) to
access the network is not subject to ipfw(8) rules.

But back to the original question, I made some patches to do more verbose
logging of packets within ipfw(8). It deliberately does not go down into
the application data, but gives more information about IP ID, fragments,
TCP sequence/ack numbers, etc. You can do a search of the mail archive or
email me if you are interested and can't find them.
--
Crist J. Clark cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
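The message above describes verbose ipfw logging that stops at the IP and TCP headers (IP ID, fragment flags and offset, TCP sequence and acknowledgement numbers) without touching application data. The following added example, which is not Crist's patch and not FreeBSD code, shows what such header-level logging has to decode: it parses a raw IPv4/TCP packet with the standard library, verifies the IP header checksum, skips the transport header on non-first fragments, and renders the fields as one log line in a made-up format (not ipfw's own syntax). The sample SYN packet it builds is constructed for the demo; the addresses are RFC 5737 documentation ranges.

```python
"""Header-level packet decoding of the kind verbose firewall logging needs.
Added example; not code from the thread or from ipfw(8)."""
import struct
from typing import Any, Dict

TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_tcp(seg: bytes) -> Dict[str, Any]:
    """Decode the fixed 20-byte TCP header: ports, seq/ack, header length, flags."""
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_res, flags, win, _csum, _urg = \
        struct.unpack("!HHLLBBHHH", seg[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "hdr_len": (off_res >> 4) * 4, "window": win,
            "flags": [name for bit, name in TCP_FLAG_NAMES if flags & bit]}


def parse_ipv4(pkt: bytes) -> Dict[str, Any]:
    """Decode the IPv4 header and, for an unfragmented or first-fragment TCP packet, the TCP header."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _total_len, ip_id, flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a complete IPv4 header")
    info: Dict[str, Any] = {
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "proto": proto,
        "ip_id": ip_id,
        "df": bool(flags_frag & 0x4000),        # Don't Fragment
        "mf": bool(flags_frag & 0x2000),        # More Fragments
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # offset in bytes
        "ttl": ttl,
        # A correct header sums (with its checksum field) to 0xFFFF, so the complement is 0.
        "ip_checksum_ok": inet_checksum(pkt[:ihl]) == 0,
        "tcp": None,
    }
    # Only the first fragment carries the transport header; later ones have no ports/seq.
    if proto == 6 and info["frag_offset"] == 0:
        info["tcp"] = parse_tcp(pkt[ihl:])
    return info


def verbose_log_line(pkt: bytes) -> str:
    """Render the decoded fields as one line (hypothetical format, not ipfw's)."""
    ip = parse_ipv4(pkt)
    frag = "DF" if ip["df"] else ("MF" if ip["mf"] else "-")
    line = (f"proto={ip['proto']} {ip['src']} -> {ip['dst']} id={ip['ip_id']} "
            f"frag={frag}/{ip['frag_offset']} ttl={ip['ttl']} "
            f"ipcsum={'ok' if ip['ip_checksum_ok'] else 'BAD'}")
    if ip["tcp"]:
        t = ip["tcp"]
        line += (f" tcp {t['sport']}->{t['dport']} seq={t['seq']} ack={t['ack']} "
                 f"flags={','.join(t['flags']) or '-'}")
    return line


def build_syn_packet() -> bytes:
    """Constructed sample: TCP SYN 192.0.2.1:40000 -> 198.51.100.7:22, IP ID 0xBEEF, DF set."""
    src, dst = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])
    tcp = struct.pack("!HHLLBBHHH", 40000, 22, 0x12345678, 0, 5 << 4, 0x02, 65535, 0, 0)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0xBEEF, 0x4000, 64, 6, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]   # fill in checksum
    return hdr + tcp


if __name__ == "__main__":
    print(verbose_log_line(build_syn_packet()))
```

The fragment check matters for exactly the reason the thread is about log detail: a logger that blindly reads ports and sequence numbers from a non-first fragment would log payload bytes as if they were a TCP header, so the decoder records only the IP-level fields for those packets.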