The following are proof-of-concept ports of daq and Snort 22.214.171.124. daq is the new data acquisition library that is used by Snort 2.9.x to capture packets. These ports are very hackish and only meant to confirm that Snort can link and run with the new libpcap, so please exercise caution when using them. :)
Also, if anything breaks, please don't bug the current Snort port maintainer because it's not his fault. :) Send feedback and flames to lteo()openbsd.org instead.
mkdir -p /usr/ports/mystuff/net
cd /usr/ports/mystuff/net/daq && make install
cd /usr/ports/mystuff/net/snort && make install
ftp -o snortrules.tar.gz http://www.snort.org/sub-rules/snortrules-snapshot-2922.tar.gz/oinkcodeSnort rules from Emerging Threats should also work, but I have not tried.
(Replace oinkcode with yours)
/usr/local/bin/snort -c /etc/snort/snort.conf -u _snort -g _snort -t /var/snort -l /var/snort/log
ftp http://lteo.net/cmd.exeThere is no cmd.exe at that URL but this should trigger the "WEB-IIS cmd.exe access" alert in /var/snort/log/alert
The above is just a suggested test method. It would definitely help too if you could test Snort the way you normally run it.