[Oisf-users] Suricata as IPS under OpenBSD
C.L. Martinez
carlopmart at gmail.com
Mon Dec 14 14:55:07 UTC 2015
On 12/10/2015 04:53 PM, Oliver Humpage wrote:
>
>> On 10 Dec 2015, at 16:34, C.L. Martinez <carlopmart at gmail.com> wrote:
>>
>>
>> Thanks Oliver. Suricata can be installed under OpenBSD without major issues. But it is not possible to use ipfw (it is only supported under FreeBSD) and divert option works differently in OpenBSD than it does in FreeBSD as you can see here: http://lteo.net/blog/2015/01/06/dissecting-openbsds-divert-4-part-1-introduction/
>
> "OpenBSD divert(4) is meant to be compatible with software running on
> top of FreeBSD's divert sockets"
>
> I really thought I’d had suricata running on OpenBSD + pf + divert-packet at some point during my testing. Maybe I’m misremembering.
>
> However, all the userspace switching of divert meant I’ve now moved to netmap on FreeBSD (and although FreeBSD does support CARP, I dread to think what would happen to carp on netmap-enabled interfaces - plus, in my time, I’ve seen far more crashes *caused* by carp than all other failures put together!).
>
> Oliver.
>
Ok,
Returning to this thread. I have installed a new OpenBSD 5.8 (fully
patched) virtual machine to test suricata as IPS.
I have compiled suricata with the following options without problems:
./configure --prefix=/opt/suricata --enable-gccprotect --enable-ipfw --enable-luajit --enable-geoip
Result is:
root at obsdtest:~/docs# suricata --build-info
This is Suricata version 3.0RC2 RELEASE
Features: IPFW PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 HAVE_PACKET_FANOUT
LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA
HAVE_LUAJIT HAVE_LIBJANSSON
SIMD support: SSE_3
Atomic intrisics: none
64-bits, Little-endian architecture
GCC version 4.2.1 20070719 , C version 199901
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
thread local storage method: pthread key
compiled with LibHTP v0.5.18, linked against LibHTP v0.5.18
Suricata Configuration:
AF_PACKET support: no
PF_RING support: no
NFQueue support: no
NFLOG support: no
IPFW support: yes
Netmap support: no
DAG enabled: no
Napatech enabled: no
Unix socket enabled: yes
Detection enabled: yes
libnss support: yes
libnspr support: yes
libjansson support: yes
hiredis support: no
Prelude support: no
PCRE jit: yes
LUA support: yes, through luajit
libluajit: yes
libgeoip: yes
Non-bundled htp: no
Old barnyard2 support: no
CUDA enabled: no
Suricatasc install: no
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no
Profiling enabled: no
Profiling locks enabled: no
Coccinelle / spatch: no
Generic build parameters:
Installation prefix: /opt/suricata
Configuration directory: /opt/suricata/etc/suricata/
Log directory: /opt/suricata/var/log/suricata/
--prefix /opt/suricata
--sysconfdir /opt/suricata/etc
--localstatedir /opt/suricata/var
Host: x86_64-unknown-openbsd5.8
Compiler: gcc (exec name) / gcc (real)
GCC Protect enabled: yes
GCC march native enabled: yes
GCC Profile enabled: no
Position Independent Executable enabled: no
CFLAGS -g -O2 -D__OpenBSD__ -march=native
PCAP_CFLAGS
SECCFLAGS -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security
PF rules used to test this IPS feature:
pass out on egress inet proto tcp all flags S/SA keep state (if-bound) scrub (reassemble tcp) tagged intlans-to-inet divert-packet port 8000
pass out on egress inet proto icmp all keep state (if-bound) scrub (reassemble tcp) tagged intlans-to-inet divert-packet port 8000
pass out on egress inet proto udp all keep state (if-bound) scrub (reassemble tcp) tagged intlans-to-inet divert-packet port 8000
Rule used in this test:
drop tcp any any -> any any (msg:"Google is blocked"; content:"google.com"; http_header; nocase; classtype:policy-violation; sid:1;)
And result is: nothing ... Connections established to Google are not
blocked ...
Am I doing something wrong or maybe IPS feature is not supported under
OpenBSD??
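When an inline setup like the one above silently passes everything, the first two things to confirm are that the build actually contains an inline-capable capture method (here IPFW, the divert-socket mode) and that the port in pf's divert-packet rules is the same one Suricata was started with (-d). The checker below is an added example written for this thread, not code from Suricata or from the poster; the build-info and pf rule text embedded in it are constructed samples modelled on the output quoted above, trimmed to the lines the checker reads.

```python
import re

# Constructed sample of `suricata --build-info` output (subset of the lines in the thread).
BUILD_INFO = """\
This is Suricata version 3.0RC2 RELEASE
Features: IPFW PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 HAVE_PACKET_FANOUT
Suricata Configuration:
  AF_PACKET support:                       no
  PF_RING support:                         no
  NFQueue support:                         no
  NFLOG support:                           no
  IPFW support:                            yes
  Netmap support:                          no
  libnss support:                          yes
"""

# Constructed sample pf.conf fragment: the three divert rules from the thread plus one
# unrelated rule, to show that only divert-packet rules are considered.
PF_RULES = """\
pass out on egress inet proto tcp all flags S/SA keep state (if-bound) scrub (reassemble tcp) tagged intlans-to-inet divert-packet port 8000
pass out on egress inet proto icmp all keep state (if-bound) scrub (reassemble tcp) tagged intlans-to-inet divert-packet port 8000
pass out on egress inet proto udp all keep state (if-bound) scrub (reassemble tcp) tagged intlans-to-inet divert-packet port 8000
pass in on egress inet proto tcp from any to any port 22 keep state
"""

# Capture methods that can run Suricata inline (able to drop), as named in build-info.
INLINE_MODES = ("IPFW", "NFQueue", "Netmap", "AF_PACKET")


def parse_build_info(text):
    """Return {mode: bool} for the inline-capable capture methods listed in build-info."""
    modes = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\S+) support:\s+(yes|no)\b", line)
        if m and m.group(1) in INLINE_MODES:
            modes[m.group(1)] = (m.group(2) == "yes")
    return modes


def divert_ports(pf_rules):
    """Return the sorted list of distinct ports named by 'divert-packet port N' rules."""
    ports = set()
    for line in pf_rules.splitlines():
        if line.strip().startswith("#"):
            continue  # skip commented-out rules
        m = re.search(r"divert-packet\s+port\s+(\d+)", line)
        if m:
            ports.add(int(m.group(1)))
    return sorted(ports)


def check_ips_setup(build_info, pf_rules, suricata_divert_port):
    """Cross-check the two prerequisites for divert-based IPS and return a list of problems.

    suricata_divert_port is the value passed to `suricata -d <port>` (hypothetical input).
    An empty list means both checks passed; it does not prove packets are being diverted.
    """
    problems = []
    modes = parse_build_info(build_info)
    if not modes.get("IPFW"):
        problems.append("IPFW (divert socket) support is not compiled in")
    ports = divert_ports(pf_rules)
    if not ports:
        problems.append("no divert-packet rules found in the pf rules")
    for p in ports:
        if p != suricata_divert_port:
            problems.append(
                f"pf diverts to port {p} but Suricata was started with -d {suricata_divert_port}"
            )
    return problems


if __name__ == "__main__":
    for port in (8000, 8001):
        print(f"-d {port}:", check_ips_setup(BUILD_INFO, PF_RULES, port) or "prerequisites ok")
```

Run against the thread's own values (IPFW yes, divert-packet port 8000, Suricata started with -d 8000) the checker reports no problem, which narrows the poster's question to whether the divert socket is receiving the traffic at all rather than to a build or port mismatch.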