Date: Tue, 13 Feb 2001 22:16:28 -0800
From: "Crist J. Clark" <cjclark@reflexnet.net>
To: Michael Lea <mlea@atomicbluebear.org>
Cc: "H. Wade Minter" <minter@lunenburg.org>, Nick Rogness <nick@rogness.net>, freebsd-security@FreeBSD.ORG
Subject: Re: Getting more information from ipfw logs
Message-ID: <20010213221628.O62368@rfx-216-196-73-168.users.reflex>
In-Reply-To: <20010213155515.C71046@core.atomicbluebear.org>; from mlea@atomicbluebear.org on Tue, Feb 13, 2001 at 03:55:17PM -0600
References: <Pine.BSF.4.21.0102131128580.92630-100000@cody.jharris.com> <Pine.BSF.4.32.0102131238170.70172-100000@ashburn.skiltech.com> <20010213155515.C71046@core.atomicbluebear.org>
On Tue, Feb 13, 2001 at 03:55:17PM -0600, Michael Lea wrote:
> On Tue, 13 Feb 2001, H. Wade Minter wrote:
>
> > Does snort work well with ipfw? Maybe I'm thinking of it wrong, but
> > wouldn't I have to let the traffic into the firewall so snort could deal
> > with it?
>
> Snort runs in promiscuous mode. That means that, if you're running it on the
> same box as ipfw, snort will see the packets regardless of whether ipfw
> passes them through to the rest of the IP stack or not.

It actually has nothing to do with promiscuous mode. The BPF device lives
very low in the IP stack, before ipfw(8). Anything that uses bpf(4) to access
the network is not subject to ipfw(8) rules.

But back to the original questions, I made some patches to do more verbose
logging of packets within ipfw(8). It deliberately does not go down into the
application data, but gives more information about IP ID, fragments, TCP
sequence/ack numbers, etc. You can do a search of the mail archive or email
me if you are interested and can't find them.

-- 
Crist J. Clark cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
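As an added illustration (not part of the thread, and not Crist's patch), the parser below pulls the fields that a stock ipfw(8) syslog line carries: rule number, action, protocol, addresses, ports, direction and interface. The log lines are constructed samples in the classic `ipfw: <rule> <action> <proto> <src>[:<port>] <dst>[:<port>] <in|out> via <iface>` layout, which is assumed here; note that nothing like IP ID, fragment offset or TCP sequence/ack numbers is present, which is exactly what the verbose-logging patches discussed above add.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the classic ipfw(8) log layout (assumed):
#   ipfw: <rule> <action> <proto> <src>[:<port>] <dst>[:<port>] <in|out> via <iface>
SAMPLE_LOG = """\
Feb 13 22:10:01 fw /kernel: ipfw: 300 Deny TCP 192.0.2.10:40123 198.51.100.5:22 in via fxp0
Feb 13 22:10:02 fw /kernel: ipfw: 300 Deny TCP 192.0.2.10:40124 198.51.100.5:23 in via fxp0
Feb 13 22:10:03 fw /kernel: ipfw: 65000 Deny ICMP:8.0 192.0.2.77 198.51.100.5 in via fxp0
Feb 13 22:10:04 fw /kernel: ipfw: 100 Accept TCP 198.51.100.5:33000 203.0.113.9:80 out via fxp0
"""

# Ports are optional because ICMP (and other non-TCP/UDP) entries carry none.
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[\w.:]+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)


def parse_ipfw_line(line):
    """Return the fields an ipfw log line carries, or None if it is not one.

    Only what the stock format records is available: there is no IP ID,
    fragment or TCP sequence information to extract.
    """
    m = IPFW_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    for key in ("sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def denied_by_source(text):
    """Count denied packets per source address across a block of syslog text."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_ipfw_line(line)
        if rec and rec["action"] == "Deny":
            counts[rec["src"]] += 1
    return counts
```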