Tried searching the net, but found nothing. If we set up snort with the option External net = !HOME_NET, will it automatically read the pflog interface? Or do you have to manually tell snort to read the pf log file? And as far as I understand... Snort is userland, pf is in the kernel... But snort operates as a sniffer in promiscuous mode. We have packets which come in. Will they ever reach snort if they have pf rules blocking them? Is there any point running snort on a firewall-configured internet gateway?