# Snort & PF

## lemurid (Apr 2, 2010)

Tried searching the net, but got nothing. If we set up Snort with the option EXTERNAL_NET = !HOME_NET, will it automatically read the pflog interface? Or do you have to manually tell Snort to read the pf log file? And as far as I understand... Snort is user land, pf is in the kernel... But Snort operates as a sniffer in promiscuous mode. We have packets which come in. Will they ever reach Snort if there are pf rules blocking them? Is there any point running Snort on a firewall configured as an internet gateway?


----------
## SirDice (Apr 3, 2010)

lemurid said:

> We have packets which come in. Will they ever reach Snort if there are pf rules blocking them? Is there any point running Snort on a firewall configured as an internet gateway?


The packets would still arrive at the interface. You can still see them if you use tcpdump, for example. So Snort won't have a problem either.


----------