c nerd blog — Snort2pf & Snort 2.9.3.1 on OpenBSD 5.2


I installed this before realising that barnyard2 was too flaky to use. As it happens, snort2pf doesn’t work well under my configuration either, or at least I couldn’t get it working properly.

First of all, snort2pf likes to read snort’s alert file. If barnyard2 sees that file, it ignores its own configuration and bombs.

But snort2pf has a couple of problems of its own. It’s written in Perl, and Perl complains that snort2pf is insecure if I run it from an ordinary user account, yet it is quite happy if I run it as root. This is the opposite of what I’d expect, so much so that I rather suspect this is a configuration matter rather than Perl being silly.

But, more seriously, snort2pf appears awkward when snort and pf run on different computers, even though that’s the recommended setup for snort. Yes, you can configure commands to execute for blocking and unblocking ports, but I could never get snort2pf to accept them: again, it decided that using ssh was insecure.

However, I never completed configuring this utility, so it’s quite possible it’s just a little too fussy and I didn’t satisfy its fussiness. I’ve already decided to go down a different route to avoid barnyard2.