[Oisf-users] using suricata as IPS under openbsd
Victor Julien
lists at inliniac.net
Mon Dec 2 08:17:24 UTC 2013
On 12/01/2013 12:33 PM, carlopmart wrote:
> Hi all,
>
> I am trying to install suricata as IPS under two OpenBSD carp'ed fws to
> inspect http traffic only ...
>
> Reviewing suricata docs, I have found how to do this using FreeBSD's
> IPFW only.
>
> My questions are:
>
> - can I compile suricata under openbsd using "--enable-ipfw" option??
As far as I know, no. OpenBSD uses pf; we support ipfw's divert sockets.
It seems though that since 4.7 OpenBSD does have divert sockets in pf as
well. So *maybe* it will just work:
http://blog.rootshell.be/2010/07/12/packet-inspection-using-divert-sockets/
So, you can give it a try and let us know what the results are.
> - To enable IPS mode under openbsd, this rule will be ok:
>
> "pass in on $int_if inet proto tcp from $internal_net to
> !<all_internal_nets> port http flags S/SA modulate state divert-to
> 127.0.0.1 port 8000" ??
There is an example rule in the link above.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------