[Oisf-users] using suricata as IPS under openbsd

C. L. Martinez carlopmart at gmail.com
Mon Dec 2 11:35:47 UTC 2013


On Mon, Dec 2, 2013 at 8:17 AM, Victor Julien <lists at inliniac.net> wrote:
> On 12/01/2013 12:33 PM, carlopmart wrote:
>> Hi all,
>>
>>  I am trying to install suricata as IPS under two OpenBSD carp'ed fws to
>> inspect http traffic only ...
>>
>>  Reviewing suricata docs, I have found how to do this using FreeBSD's
>> IPFW only.
>>
>>  My questions are:
>>
>>  - can I compile suricata under openbsd using the "--enable-ipfw" option?
>
> As far as I know, no. OpenBSD uses pf, we support ipfw's divert sockets.
>
> It seems though that since 4.7 OpenBSD does have divert sockets in pf as
> well. So *maybe* it will just work:
>
> http://blog.rootshell.be/2010/07/12/packet-inspection-using-divert-sockets/
>
> So, you can give it a try and let us know what the results are.
>
>>  - To enable IPS mode under openbsd, will this rule be OK:
>>
>>     "pass in on $int_if inet proto tcp from $internal_net to
>> !<all_internal_nets> port http flags S/SA modulate state divert-to
>> 127.0.0.1 port 8000" ??
>
> There is an example rule in the link above.
>

Thanks Victor. Then, would it be possible to inject packets from the openbsd
host using a "divert-to" rule to a linux host running suricata, and,
after suricata processes these packets, reinject them to the openbsd fw?


