[Oisf-users] Suricata as IPS under OpenBSD

C.L. Martinez carlopmart at gmail.com
Mon Dec 14 14:55:07 UTC 2015

On 12/10/2015 04:53 PM, Oliver Humpage wrote:
>> On 10 Dec 2015, at 16:34, C.L. Martinez <carlopmart at gmail.com> wrote:
>> Thanks Oliver. Suricata can be installed under OpenBSD without major issues. But it is not possible to use ipfw (it is only supported under FreeBSD) and divert option works differently in OpenBSD than it does in FreeBSD as you can see here: http://lteo.net/blog/2015/01/06/dissecting-openbsds-divert-4-part-1-introduction/
> "OpenBSD divert(4) is meant to be compatible with software running on
> top of FreeBSD's divert sockets"
> I really thought I’d had suricata running on OpenBSD + pf + divert-packet at some point during my testing. Maybe I’m misremembering.
> However, all the userspace switching of divert meant I’ve now moved to netmap on FreeBSD (and although FreeBSD does support CARP, I dread to think what would happen to carp on netmap-enabled interfaces - plus, in my time, I’ve seen far more crashes *caused* by carp than all other failures put together!).
> Oliver.


  Returning to this thread. I have installed a new OpenBSD 5.8 (fully patched) virtual machine to test suricata as IPS.

  I have compiled suricata with the following options without problems:

./configure --prefix=/opt/suricata --enable-gccprotect --enable-ipfw --enable-luajit --enable-geoip

Result is:

root at obsdtest:~/docs# suricata --build-info
This is Suricata version 3.0RC2 RELEASE
SIMD support: SSE_3
Atomic intrisics: none
64-bits, Little-endian architecture
GCC version 4.2.1 20070719 , C version 199901
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
thread local storage method: pthread key
compiled with LibHTP v0.5.18, linked against LibHTP v0.5.18

Suricata Configuration:
   AF_PACKET support:                       no
   PF_RING support:                         no
   NFQueue support:                         no
   NFLOG support:                           no
   IPFW support:                            yes
   Netmap support:                          no
   DAG enabled:                             no
   Napatech enabled:                        no

   Unix socket enabled:                     yes
   Detection enabled:                       yes

   libnss support:                          yes
   libnspr support:                         yes
   libjansson support:                      yes
   hiredis support:                         no
   Prelude support:                         no
   PCRE jit:                                yes
   LUA support:                             yes, through luajit
   libluajit:                               yes
   libgeoip:                                yes
   Non-bundled htp:                         no
   Old barnyard2 support:                   no
   CUDA enabled:                            no

   Suricatasc install:                      no

   Unit tests enabled:                      no
   Debug output enabled:                    no
   Debug validation enabled:                no
   Profiling enabled:                       no
   Profiling locks enabled:                 no
   Coccinelle / spatch:                     no

Generic build parameters:
   Installation prefix:                     /opt/suricata
   Configuration directory:                 /opt/suricata/etc/suricata/
   Log directory:                           /opt/suricata/var/log/suricata/

   --prefix                                 /opt/suricata
   --sysconfdir                             /opt/suricata/etc
   --localstatedir                          /opt/suricata/var

   Host:                                    x86_64-unknown-openbsd5.8
   Compiler:                                gcc (exec name) / gcc (real)
   GCC Protect enabled:                     yes
   GCC march native enabled:                yes
   GCC Profile enabled:                     no
   Position Independent Executable enabled: no
   CFLAGS                                   -g -O2 -D__OpenBSD__ 
   SECCFLAGS                                -fstack-protector 
-D_FORTIFY_SOURCE=2 -Wformat -Wformat-security

  PF rules to test IPS this feature:

pass out on egress inet proto tcp all flags S/SA keep state (if-bound) scrub (reassemble tcp) tagged intlans-to-inet divert-packet port 8000
pass out on egress inet proto icmp all keep state (if-bound) scrub (reassemble tcp) tagged intlans-to-inet divert-packet port 8000
pass out on egress inet proto udp all keep state (if-bound) scrub (reassemble tcp) tagged intlans-to-inet divert-packet port 8000

   Rule used in this test:

drop tcp any any -> any any (msg:"Google is blocked"; content:"google.com"; http_header; nocase; classtype:policy-violation; 

  And result is: nothing ... Connections established to Google are not blocked ...

  Am I doing something wrong or maybe IPS feature is not supported under 
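The first thing to verify in a setup like the one above is that the binary actually carries an inline-capable capture method, since a `drop` rule can only take effect when Suricata sits in the packet path. The following script is an added example, not code from the thread or from the Suricata project: it parses the `key: value` lines of a `suricata --build-info` dump (the sample text is a constructed excerpt modelled on the output quoted above) and reports whether at least one of the inline methods Suricata knows about (IPFW, NFQueue, AF_PACKET, Netmap) is compiled in and the detection engine is enabled. The function names and the `INLINE_METHODS` list are my own choices; the key names are taken as printed by build-info.

```python
"""Sanity-check a `suricata --build-info` dump for IPS-capable capture methods.

Added example, not part of the mailing-list post or of Suricata itself.
Feed the real output of `suricata --build-info` to check_ips_build() as a
string; SAMPLE_BUILD_INFO below is a constructed excerpt for offline use.
"""

import re
import sys

# Capture methods that can run Suricata inline (IPS mode), using the labels
# exactly as build-info prints them.
INLINE_METHODS = (
    "IPFW support",
    "NFQueue support",
    "AF_PACKET support",
    "Netmap support",
)

# Matches "   Some key:     value" lines; section headers such as
# "Suricata Configuration:" have no value and are skipped.
LINE_RE = re.compile(r"^\s*(?P<key>[^:]+?):\s+(?P<value>.+?)\s*$")

# Constructed excerpt modelled on the build-info output quoted in the thread.
SAMPLE_BUILD_INFO = """\
This is Suricata version 3.0RC2 RELEASE
Suricata Configuration:
   AF_PACKET support:                       no
   PF_RING support:                         no
   NFQueue support:                         no
   IPFW support:                            yes
   Netmap support:                          no
   Detection enabled:                       yes
   LUA support:                             yes, through luajit
"""


def parse_build_info(text):
    """Return a {key: value} dict for every 'key: value' line in the dump."""
    info = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            info[m.group("key").strip()] = m.group("value")
    return info


def inline_methods_enabled(info):
    """List the inline-capable capture methods reported as compiled in."""
    return [m for m in INLINE_METHODS if info.get(m, "").lower().startswith("yes")]


def check_ips_build(text):
    """Return (ok, messages).

    ok is True only when at least one inline capture method is built in and
    the detection engine is enabled; messages explain the verdict.
    """
    info = parse_build_info(text)
    enabled = inline_methods_enabled(info)
    detection = info.get("Detection enabled", "").lower() == "yes"
    messages = []
    if enabled:
        messages.append("inline-capable capture methods: " + ", ".join(enabled))
    else:
        messages.append("no inline-capable capture method compiled in; "
                        "drop rules cannot take effect")
    if not detection:
        messages.append("detection engine disabled; rules will not be evaluated")
    return bool(enabled) and detection, messages


if __name__ == "__main__":
    # Use real build-info output from stdin when piped in, else the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BUILD_INFO
    ok, messages = check_ips_build(text)
    for msg in messages:
        print(msg)
    sys.exit(0 if ok else 1)
```

Run it as `suricata --build-info | python3 check_build.py`. Compiled-in support is only half of the picture: in the ipfw/divert mode the process must also be started inline with the divert port given on the command line (`-d 8000` for the pf rules above), otherwise it reads packets without being able to hold them back.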
