I'll send this upstream as well, but I'd prefer to patch the current port now so this diff doesn't get lost if I get distracted.
Index: Makefile
===================================================================
RCS file: /cvs/ports/net/snort/Makefile,v
retrieving revision 1.63
diff -u -p -r1.63 Makefile
--- Makefile 16 Nov 2011 00:20:09 -0000 1.63
+++ Makefile 24 Mar 2012 02:30:03 -0000
@@ -9,7 +9,7 @@ COMMENT = highly flexible sniffer/NIDS
 # The following hack allows it to work but XXX if updating, the
 # MASTER_SITES URL will need to be adjusted, not just DISTNAME.
 DISTNAME = snort-2.8.6
-REVISION= 1
+REVISION= 2
 MASTER_SITES = http://dl.snort.org/downloads/14?/ \
 http://distfiles.nl/
--- /dev/null Sat Mar 24 11:40:28 2012
+++ patches/patch-src_decode_h Sat Mar 24 11:24:29 2012
@@ -0,0 +1,62 @@
+$OpenBSD$
+--- src/decode.h.orig Fri Mar 19 02:50:54 2010
++++ src/decode.h Sat Mar 24 11:17:31 2012
+@@ -749,13 +749,14 @@ typedef struct _SLLHdr {
+
+
+ /*
+- * Snort supports 3 versions of the OpenBSD pflog header:
++ * Snort supports 4 versions of the OpenBSD pflog header:
+ *
+ * Pflog1_Hdr: CVS = 1.3, DLT_OLD_PFLOG = 17, Length = 28
+ * Pflog2_Hdr: CVS = 1.8, DLT_PFLOG = 117, Length = 48
+ * Pflog3_Hdr: CVS = 1.12, DLT_PFLOG = 117, Length = 64
++ * Pflog4_Hdr: CVS = 1.16, DLT_PFLOG = 117, Length = 100
+ *
+- * Since they have the same DLT, Pflog{2,3}Hdr are distinguished
++ * Since they have the same DLT, Pflog{2,3,4}Hdr are distinguished
+ * by their actual length. The minimum required length excludes
+ * padding.
+ */
+@@ -823,6 +824,33 @@ typedef struct _Pflog3_hdr
+ #define PFLOG3_HDRLEN (sizeof(struct _Pflog3_hdr))
+ #define PFLOG3_HDRMIN (PFLOG3_HDRLEN - PFLOG_PADLEN)
+
++typedef struct _Pflog4_hdr
++{
++ uint8_t length;
++ uint8_t af;
++ uint8_t action;
++ uint8_t reason;
++ char ifname[IFNAMSIZ];
++ char ruleset[PFLOG_RULELEN];
++ uint32_t rulenr;
++ uint32_t subrulenr;
++ uint32_t uid;
++ uint32_t pid;
++ uint32_t rule_uid;
++ uint32_t rule_pid;
++ uint8_t dir;
++ uint8_t rewritten;
++ uint8_t naf;
++ u_int8_t pad[1];
++ uint8_t saddr[16];
++ uint8_t daddr[16];
++ uint16_t sport;
++ uint16_t dport;
++} Pflog4Hdr;
++
++#define PFLOG4_HDRLEN (sizeof(struct _Pflog4_hdr))
++#define PFLOG4_HDRMIN (PFLOG4_HDRLEN) /* no trailing padding */
++
+ /*
+ * ssl_pkttype values.
+ */
+@@ -1627,6 +1655,7 @@ typedef struct _Packet
+ Pflog1Hdr *pf1h; /* OpenBSD pflog interface header - version 1 */
+ Pflog2Hdr *pf2h; /* OpenBSD pflog interface header - version 2 */
+ Pflog3Hdr *pf3h; /* OpenBSD pflog interface header - version 3 */
++Pflog4Hdr *pf4h; /* OpenBSD pflog interface header - version 4 */
+
+ const SLLHdr *sllh; /* Linux cooked sockets header */
+ const WifiHdr *wifih; /* wireless LAN header */
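Review bot: `u_int8_t pad[1]` in the new `_Pflog4_hdr` struct is the only field spelled with the BSD `u_int8_t` name while every neighbouring byte field uses `uint8_t`; suggest `++ uint8_t pad[1];` so the struct is consistent and does not depend on `<sys/types.h>` for that one name. Because the decoder now dispatches on an exact match against `PFLOG4_HDRMIN`, the `(PFLOG4_HDRLEN)` define silently relies on `sizeof(struct _Pflog4_hdr)` being the 100 bytes quoted in the comment block above, i.e. on the compiler inserting no padding, which holds only if `IFNAMSIZ` and `PFLOG_RULELEN` keep the `uint32_t` fields 4-byte aligned. A comment next to the define would make that assumption visible, e.g. `/* 100 bytes with natural alignment; the on-wire length byte must equal this exactly */`.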
--- /dev/null Sat Mar 24 11:40:37 2012
+++ patches/patch-src_decode_c Sat Mar 24 11:24:22 2012
@@ -0,0 +1,52 @@
+$OpenBSD$
+--- src/decode.c.orig Fri Mar 19 02:50:54 2010
++++ src/decode.c Sat Mar 24 11:23:57 2012
+@@ -2343,20 +2343,36 @@ void DecodePflog(Packet * p, const struct pcap_pkthdr
+ return;
+ }
+ /* lay the pf header structure over the packet data */
+- if ( *((uint8_t*)pkt) < PFLOG3_HDRMIN )
++ switch(*((uint8_t*)pkt))
+ {
+- p->pf2h = (Pflog2Hdr*)pkt;
+- pflen = p->pf2h->length;
+- hlen = PFLOG2_HDRLEN;
+- af = p->pf2h->af;
++ case PFLOG2_HDRMIN:
++ p->pf2h = (Pflog2Hdr*)pkt;
++ pflen = p->pf2h->length;
++ hlen = PFLOG2_HDRLEN;
++ af = p->pf2h->af;
++ break;
++ case PFLOG3_HDRMIN:
++ p->pf3h = (Pflog3Hdr*)pkt;
++ pflen = p->pf3h->length;
++ hlen = PFLOG3_HDRLEN;
++ af = p->pf3h->af;
++ break;
++ case PFLOG4_HDRMIN:
++ p->pf4h = (Pflog4Hdr*)pkt;
++ pflen = p->pf4h->length;
++ hlen = PFLOG4_HDRLEN;
++ af = p->pf4h->af;
++ break;
++ default:
++ if (ScLogVerbose())
++ {
++ ErrorMessage("unrecognized pflog header length! "
++ "(%d)\n", *((uint8_t*)pkt));
++ }
++ PREPROC_PROFILE_END(decodePerfStats);
++ return;
+ }
+- else
+- {
+- p->pf3h = (Pflog3Hdr*)pkt;
+- pflen = p->pf3h->length;
+- hlen = PFLOG3_HDRLEN;
+- af = p->pf3h->af;
+- }
++
+ /* now that we know a little more, do a little more validation */
+ if(p->pkth->caplen < hlen)
+ {
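Review bot: The new `switch` accepts only a length byte that equals `PFLOG2_HDRMIN`, `PFLOG3_HDRMIN` or `PFLOG4_HDRMIN` exactly, whereas the `if ( ... < PFLOG3_HDRMIN )` it replaces mapped every smaller value onto the version-2 layout; a capture whose length byte matches none of the three constants is now dropped at `default:`, with a diagnostic only under `ScLogVerbose()`. That is the safe direction for a dissector, since the header length doubles as the version signature, but the tightening is not obvious from the code and deserves a comment at the `switch`, e.g. `/* the length byte (header size excluding padding) is the version signature; anything else is not a layout we know how to overlay */`. The `caplen` check that must precede the `*((uint8_t*)pkt)` read lies before the hunk, which starts mid-function at `return;`, so I could not confirm it from here; the `if(p->pkth->caplen < hlen)` check after the switch covers only the overlay itself.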