[Oisf-users] using suricata as IPS under openbsd

Shirkdog shirkdog at gmail.com
Tue Dec 3 21:28:19 UTC 2013


The divert function provides an IPS mechanism. For OpenBSD/FreeBSD,
using divert sockets will send the packet to the configured port,
where an IPS can evaluate the traffic and drop it. Otherwise, the
firewall will continue to process the packet. This requires you to
change your ruleset to "drop" instead of "alert".

What I do not know is whether using divert-to in pf and Snort will
function the same as it does on FreeBSD with ipfw and Snort.
---
Michael Shirk
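As an added illustration of the "change your ruleset to drop" step above (this is not code from the thread, from Michael, or from the Suricata project): a small POSIX shell helper that rewrites only the active "alert" rules that inspect HTTP (protocol http, or destination $HTTP_PORTS) to "drop", leaving every other rule and every commented-out rule as it is. The sample ruleset it builds is constructed for the demo; the SIDs and messages are placeholders. The ipfw and Suricata command lines in the comments are the FreeBSD divert setup from the Suricata documentation the original poster mentions; whether pf's divert-to behaves the same is exactly what this thread leaves open.

```shell
#!/bin/sh
# Added example, not from the original thread. Converts the HTTP-inspecting
# "alert" rules in a Suricata rules file to "drop" so that, once packets are
# diverted to Suricata, a match actually blocks instead of only logging.
#
# FreeBSD/ipfw side, as documented by Suricata (hypothetical rule number and
# port 8000 chosen to match the pf rule discussed in the thread):
#   ipfw add 100 divert 8000 ip from any to any
#   suricata -c /etc/suricata/suricata.yaml -d 8000
# Whether "divert-to 127.0.0.1 port 8000" in pf works the same way on
# OpenBSD is untested here.

# make_sample_rules FILE: write a constructed demo ruleset (placeholder SIDs).
make_sample_rules() {
  cat > "$1" <<'EOF'
# comment line stays as it is
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE http rule"; content:"evil"; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE tcp on http ports"; sid:9000002; rev:1;)
alert dns $HOME_NET any -> any 53 (msg:"EXAMPLE dns rule"; sid:9000003; rev:1;)
#alert http $HOME_NET any -> any any (msg:"EXAMPLE disabled rule"; sid:9000004; rev:1;)
EOF
}

# alert_to_drop IN OUT: rewrite active "alert" rules whose protocol is http,
# or whose destination port is $HTTP_PORTS, to "drop". Lines starting with
# "#" never match "^alert", so disabled rules are left untouched.
alert_to_drop() {
  sed -E \
    -e 's/^alert[[:space:]]+http[[:space:]]/drop http /' \
    -e '/\$HTTP_PORTS[[:space:]]*\(/s/^alert[[:space:]]+/drop /' \
    "$1" > "$2"
}

# count_action FILE ACTION: number of active rules that start with ACTION.
count_action() {
  grep -c "^$2 " "$1" || true
}

# Stand-alone demo: build the sample, convert it, show the result.
demo() {
  tmp=$(mktemp -d)
  make_sample_rules "$tmp/in.rules"
  alert_to_drop "$tmp/in.rules" "$tmp/out.rules"
  echo "drop rules:  $(count_action "$tmp/out.rules" drop)"
  echo "alert rules: $(count_action "$tmp/out.rules" alert)"
  cat "$tmp/out.rules"
  rm -rf "$tmp"
}
```

Run `demo` to see the converted file; in a real deployment you would run `alert_to_drop` over the rules Suricata loads and then restart it in divert mode. Keeping the non-HTTP rules as "alert" matches the original poster's goal of only enforcing on HTTP traffic.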


On Tue, Dec 3, 2013 at 10:31 AM, Victor Julien <lists at inliniac.net> wrote:
> On 12/02/2013 12:35 PM, C. L. Martinez wrote:
>> On Mon, Dec 2, 2013 at 8:17 AM, Victor Julien <lists at inliniac.net> wrote:
>>> On 12/01/2013 12:33 PM, carlopmart wrote:
>>>> Hi all,
>>>>
>>>> I am trying to install suricata as IPS under two OpenBSD carp'ed fws to
>>>> inspect http traffic only ...
>>>>
>>>> Reviewing suricata docs, I have found how to do this using FreeBSD's
>>>> IPFW only.
>>>>
>>>> My questions are:
>>>>
>>>> - can I compile suricata under openbsd using the "--enable-ipfw" option??
>>>
>>> As far as I know, no. OpenBSD uses pf; we support ipfw's divert sockets.
>>>
>>> It seems though that since 4.7 OpenBSD does have divert sockets in pf as
>>> well. So *maybe* it will just work:
>>>
>>> http://blog.rootshell.be/2010/07/12/packet-inspection-using-divert-sockets/
>>>
>>> So, you can give it a try and let us know what the results are.
>>>
>>>> - To enable IPS mode under openbsd, will this rule be ok:
>>>>
>>>>     "pass in on $int_if inet proto tcp from $internal_net to
>>>> !<all_internal_nets> port http flags S/SA modulate state divert-to
>>>> 127.0.0.1 port 8000" ??
>>>
>>> There is an example rule in the link above.
>>>
>> Thanks Victor. Then, could it be possible to inject packets from the openbsd
>> host using a "divert-to" rule to a linux host running suricata, and
>> after suricata processes these packets, reinject them to the openbsd fw??
>
> I don't know. If you give it a try, please let us know if/how it worked.
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/