[Oisf-users] Suricata as IPS under OpenBSD

C.L. Martinez carlopmart at gmail.com
Mon Dec 14 14:59:03 UTC 2015


On 12/14/2015 02:55 PM, C.L. Martinez wrote:
> On 12/10/2015 04:53 PM, Oliver Humpage wrote:
>>
>>> On 10 Dec 2015, at 16:34, C.L. Martinez <carlopmart at gmail.com> wrote:
>>>
>>>
>>> Thanks Oliver. Suricata can be installed under OpenBSD without major
>>> issues. But it is not possible to use ipfw (it is only supported
>>> under FreeBSD) and divert option works differently in OpenBSD than it
>>> does in FreeBSD as you can see here:
>>> http://lteo.net/blog/2015/01/06/dissecting-openbsds-divert-4-part-1-introduction/
>>>
>>
>> "OpenBSD divert(4) is meant to be compatible with software running on
>> top of FreeBSD's divert sockets"
>>
>> I really thought I’d had suricata running on OpenBSD + pf +
>> divert-packet at some point during my testing. Maybe I’m misremembering.
>>
>> However, all the userspace switching of divert meant I’ve now moved to
>> netmap on FreeBSD (and although FreeBSD does support CARP, I dread to
>> think what would happen to carp on netmap-enabled interfaces - plus,
>> in my time, I’ve seen far more crashes *caused* by carp than all other
>> failures put together!).
>>
>> Oliver.
>>
>
> Ok,
>
>   Returning to this thread. I have installed a new OpenBSD 5.8 (fully
> patched) virtual machine to test suricata as IPS.
>
>   I have compiled suricata with the following options without problems:
>
> ./configure --prefix=/opt/suricata --enable-gccprotect --enable-ipfw
> --enable-luajit --enable-geoip
>
> Result is:
>
>
> root at obsdtest:~/docs# suricata --build-info
> This is Suricata version 3.0RC2 RELEASE
> Features: IPFW PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 HAVE_PACKET_FANOUT
> LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA
> HAVE_LUAJIT HAVE_LIBJANSSON
> SIMD support: SSE_3
> Atomic intrisics: none
> 64-bits, Little-endian architecture
> GCC version 4.2.1 20070719 , C version 199901
> compiled with _FORTIFY_SOURCE=2
> L1 cache line size (CLS)=64
> thread local storage method: pthread key
> compiled with LibHTP v0.5.18, linked against LibHTP v0.5.18
>
> Suricata Configuration:
>    AF_PACKET support:                       no
>    PF_RING support:                         no
>    NFQueue support:                         no
>    NFLOG support:                           no
>    IPFW support:                            yes
>    Netmap support:                          no
>    DAG enabled:                             no
>    Napatech enabled:                        no
>
>    Unix socket enabled:                     yes
>    Detection enabled:                       yes
>
>    libnss support:                          yes
>    libnspr support:                         yes
>    libjansson support:                      yes
>    hiredis support:                         no
>    Prelude support:                         no
>    PCRE jit:                                yes
>    LUA support:                             yes, through luajit
>    libluajit:                               yes
>    libgeoip:                                yes
>    Non-bundled htp:                         no
>    Old barnyard2 support:                   no
>    CUDA enabled:                            no
>
>    Suricatasc install:                      no
>
>    Unit tests enabled:                      no
>    Debug output enabled:                    no
>    Debug validation enabled:                no
>    Profiling enabled:                       no
>    Profiling locks enabled:                 no
>    Coccinelle / spatch:                     no
>
> Generic build parameters:
>    Installation prefix:                     /opt/suricata
>    Configuration directory:                 /opt/suricata/etc/suricata/
>    Log directory:                           /opt/suricata/var/log/suricata/
>
>    --prefix                                 /opt/suricata
>    --sysconfdir                             /opt/suricata/etc
>    --localstatedir                          /opt/suricata/var
>
>    Host:                                    x86_64-unknown-openbsd5.8
>    Compiler:                                gcc (exec name) / gcc (real)
>    GCC Protect enabled:                     yes
>    GCC march native enabled:                yes
>    GCC Profile enabled:                     no
>    Position Independent Executable enabled: no
>    CFLAGS                                   -g -O2 -D__OpenBSD__
> -march=native
>    PCAP_CFLAGS
>    SECCFLAGS                                -fstack-protector
> -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security
>
>   PF rules to test this IPS feature:
>
> pass out on egress inet proto tcp all flags S/SA keep state (if-bound)
> scrub (reassemble tcp) tagged intlans-to-inet divert-packet port 8000
> pass out on egress inet proto icmp all keep state (if-bound) scrub
> (reassemble tcp) tagged intlans-to-inet divert-packet port 8000
> pass out on egress inet proto udp all keep state (if-bound) scrub
> (reassemble tcp) tagged intlans-to-inet divert-packet port 8000
>
>    Rule used in this test:
>
> drop tcp any any -> any any (msg:"Google is blocked";
> content:"google.com"; http_header; nocase; classtype:policy-violation;
> sid:1;)
>
>   And the result is: nothing ... Connections established to Google are not
> blocked ...
>
>   Am I doing something wrong, or maybe the IPS feature is not supported under
> OpenBSD??


Sorry, suricata startup options:

suricata -c suricata.yaml -d 8000

And log:

14/12/2015 -- 14:49:02 - <Notice> - This is Suricata version 3.0RC2 RELEASE
14/12/2015 -- 14:49:03 - <Notice> - all 3 packet processing threads, 4 management threads initialized, engine started.
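A preflight check for the setup described in this thread, added here as an example and not part of the original post or of Suricata itself: it parses the `--build-info` output for an inline-capable capture method (IPFW is the one used with pf divert on OpenBSD), extracts the `divert-packet port` from each pf rule, and confirms the port given to `suricata -d` matches. The sample inputs are constructed from the text quoted above; the function and variable names are this example's own.

```python
import re

# Constructed inputs, copied from the thread above (not read from a live system)
BUILD_INFO = """\
Suricata Configuration:
   AF_PACKET support:                       no
   NFQueue support:                         no
   IPFW support:                            yes
   Netmap support:                          no
"""
PF_RULES = """\
pass out on egress inet proto tcp all flags S/SA keep state (if-bound) scrub (reassemble tcp) tagged intlans-to-inet divert-packet port 8000
pass out on egress inet proto icmp all keep state (if-bound) scrub (reassemble tcp) tagged intlans-to-inet divert-packet port 8000
pass out on egress inet proto udp all keep state (if-bound) scrub (reassemble tcp) tagged intlans-to-inet divert-packet port 8000
"""
SURICATA_CMD = "suricata -c suricata.yaml -d 8000"
INLINE_METHODS = ("IPFW", "NFQueue", "AF_PACKET", "Netmap")  # capture methods usable for inline/IPS mode

def parse_build_info(text):
    """Map each '<method> support: yes|no' line of --build-info to a bool."""
    return {m.group(1): m.group(2) == "yes"
            for m in re.finditer(r"^\s*(\w+) support:\s+(yes|no)\b", text, re.M)}

def divert_ports(rules):
    """Return the set of divert-packet ports in the pf rules and the rules lacking one."""
    ports, missing = set(), []
    for line in filter(str.strip, rules.splitlines()):
        m = re.search(r"divert-packet port (\d+)", line)
        if m: ports.add(int(m.group(1)))
        else: missing.append(line)
    return ports, missing

def suricata_divert_port(cmd):
    """Port passed to suricata with -d (the divert socket port), or None."""
    m = re.search(r"(?:^|\s)-d\s+(\d+)", cmd)
    return int(m.group(1)) if m else None

def check_ips_setup(build_info, rules, cmd):
    """Cross-check build features, pf divert port(s) and the -d port."""
    support = parse_build_info(build_info)
    ports, missing = divert_ports(rules)
    d_port = suricata_divert_port(cmd)
    return {
        "inline_capable": any(support.get(m, False) for m in INLINE_METHODS),
        "ipfw": support.get("IPFW", False),
        "pf_ports": ports,
        "suricata_port": d_port,
        "port_match": d_port is not None and ports == {d_port},
        "rules_without_divert": missing,
    }
```

On a real host the three inputs would come from `suricata --build-info`, `pfctl -sr` and the process command line; a `port_match` of False or a non-empty `rules_without_divert` means traffic never reaches the divert socket, which is worth ruling out before looking at the signature itself.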