[Oisf-users] using suricata as IPS under openbsd

Victor Julien lists at inliniac.net
Tue Dec 3 15:31:27 UTC 2013


On 12/02/2013 12:35 PM, C. L. Martinez wrote:
> On Mon, Dec 2, 2013 at 8:17 AM, Victor Julien <lists at inliniac.net> wrote:
>> > On 12/01/2013 12:33 PM, carlopmart wrote:
>>> >> Hi all,
>>> >>
>>> >>  I am trying to install suricata as IPS under two OpenBSD carp'ed fws to
>>> >> inspect http traffic only ...
>>> >>
>>> >>  Reviewing suricata docs, I have found how to do this using FreeBSD's
>>> >> IPFW only.
>>> >>
>>> >>  My questions are:
>>> >>
>>> >>  - can I compile suricata under openbsd using "--enable-ipfw" option??
>> >
>> > As far as I know, no. OpenBSD uses pf, we support ipfw's divert sockets.
>> >
>> > It seems though that since 4.7 OpenBSD does have divert sockets in pf as
>> > well. So *maybe* it will just work:
>> >
>> > http://blog.rootshell.be/2010/07/12/packet-inspection-using-divert-sockets/
>> >
>> > So, you can give it a try and let us know what the results are.
>> >
>>> >>  - To enable IPS mode under openbsd, will this rule be ok:
>>> >>
>>> >>     "pass in on $int_if inet proto tcp from $internal_net to
>>> >> !<all_internal_nets> port http flags S/SA modulate state divert-to
>>> >> 127.0.0.1 port 8000" ??
>> >
>> > There is an example rule in the link above.
>> >
> Thanks Victor. Then, would it be possible to inject packets from the openbsd
> host using a "divert-to" rule to a linux host running suricata, and,
> after suricata processes these packets, reinject them into the openbsd fw??

I don't know. If you give it a try, please let us know if/how it worked.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------