[Oisf-users] Suricata as IPS under OpenBSD

Victor Julien lists at inliniac.net
Mon Dec 14 15:08:11 UTC 2015


On 14-12-15 15:59, C.L. Martinez wrote:
> On 12/14/2015 02:55 PM, C.L. Martinez wrote:
>> On 12/10/2015 04:53 PM, Oliver Humpage wrote:
>>>
>>>> On 10 Dec 2015, at 16:34, C.L. Martinez <carlopmart at gmail.com> wrote:
>>>>
>>>>
>>>> Thanks Oliver. Suricata can be installed under OpenBSD without major
>>>> issues. But it is not possible to use ipfw (it is only supported
>>>> under FreeBSD), and the divert option works differently in OpenBSD than
>>>> it does in FreeBSD, as you can see here:
>>>> http://lteo.net/blog/2015/01/06/dissecting-openbsds-divert-4-part-1-introduction/
>>>>
>>>>
>>>
>>> "OpenBSD divert(4) is meant to be compatible with software running on
>>> top of FreeBSD's divert sockets"
>>>
>>> I really thought I’d had suricata running on OpenBSD + pf +
>>> divert-packet at some point during my testing. Maybe I’m misremembering.
>>>
>>> However, all the userspace switching of divert meant I’ve now moved to
>>> netmap on FreeBSD (and although FreeBSD does support CARP, I dread to
>>> think what would happen to carp on netmap-enabled interfaces - plus,
>>> in my time, I’ve seen far more crashes *caused* by carp than all other
>>> failures put together!).
>>>
>>> Oliver.
>>>
>>
>> Ok,
>>
>>   Returning to this thread. I have installed a new OpenBSD 5.8 (fully
>> patched) virtual machine to test suricata as IPS.
>>
>>   I have compiled suricata with the following options without problems:
>>
>> ./configure --prefix=/opt/suricata --enable-gccprotect --enable-ipfw
>> --enable-luajit --enable-geoip
>>
>> Result is:
>>
>>
>> root at obsdtest:~/docs# suricata --build-info
>> This is Suricata version 3.0RC2 RELEASE
>> Features: IPFW PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 HAVE_PACKET_FANOUT
>> LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA
>> HAVE_LUAJIT HAVE_LIBJANSSON
>> SIMD support: SSE_3
>> Atomic intrisics: none
>> 64-bits, Little-endian architecture
>> GCC version 4.2.1 20070719 , C version 199901
>> compiled with _FORTIFY_SOURCE=2
>> L1 cache line size (CLS)=64
>> thread local storage method: pthread key
>> compiled with LibHTP v0.5.18, linked against LibHTP v0.5.18
>>
>> Suricata Configuration:
>>    AF_PACKET support:                       no
>>    PF_RING support:                         no
>>    NFQueue support:                         no
>>    NFLOG support:                           no
>>    IPFW support:                            yes
>>    Netmap support:                          no
>>    DAG enabled:                             no
>>    Napatech enabled:                        no
>>
>>    Unix socket enabled:                     yes
>>    Detection enabled:                       yes
>>
>>    libnss support:                          yes
>>    libnspr support:                         yes
>>    libjansson support:                      yes
>>    hiredis support:                         no
>>    Prelude support:                         no
>>    PCRE jit:                                yes
>>    LUA support:                             yes, through luajit
>>    libluajit:                               yes
>>    libgeoip:                                yes
>>    Non-bundled htp:                         no
>>    Old barnyard2 support:                   no
>>    CUDA enabled:                            no
>>
>>    Suricatasc install:                      no
>>
>>    Unit tests enabled:                      no
>>    Debug output enabled:                    no
>>    Debug validation enabled:                no
>>    Profiling enabled:                       no
>>    Profiling locks enabled:                 no
>>    Coccinelle / spatch:                     no
>>
>> Generic build parameters:
>>    Installation prefix:                     /opt/suricata
>>    Configuration directory:                 /opt/suricata/etc/suricata/
>>    Log directory:                           /opt/suricata/var/log/suricata/
>>
>>    --prefix                                 /opt/suricata
>>    --sysconfdir                             /opt/suricata/etc
>>    --localstatedir                          /opt/suricata/var
>>
>>    Host:                                    x86_64-unknown-openbsd5.8
>>    Compiler:                                gcc (exec name) / gcc (real)
>>    GCC Protect enabled:                     yes
>>    GCC march native enabled:                yes
>>    GCC Profile enabled:                     no
>>    Position Independent Executable enabled: no
>>    CFLAGS                                   -g -O2 -D__OpenBSD__ -march=native
>>    PCAP_CFLAGS
>>    SECCFLAGS                                -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security
>>
>>   PF rules to test this IPS feature:
>>
>> pass out on egress inet proto tcp all flags S/SA keep state (if-bound)
>> scrub (reassemble tcp) tagged intlans-to-inet divert-packet port 8000
>> pass out on egress inet proto icmp all keep state (if-bound) scrub
>> (reassemble tcp) tagged intlans-to-inet divert-packet port 8000
>> pass out on egress inet proto udp all keep state (if-bound) scrub
>> (reassemble tcp) tagged intlans-to-inet divert-packet port 8000
>>
>>    Rule used in this test:
>>
>> drop tcp any any -> any any (msg:"Google is blocked";
>> content:"google.com"; http_header; nocase; classtype:policy-violation;
>> sid:1;)
>>
>>   And the result is: nothing ... Connections established to Google are not
>> blocked ...
>>
>>   Am I doing something wrong, or maybe the IPS feature is not supported under
>> OpenBSD?
> 
> 
> Sorry, suricata startup options:
> 
> suricata -c suricata.yaml -d 8000
> 
> And log:
> 
> 14/12/2015 -- 14:49:02 - <Notice> - This is Suricata version 3.0RC2 RELEASE
> 14/12/2015 -- 14:49:03 - <Notice> - all 3 packet processing threads, 4
> management threads initialized, engine started.

AFAIK, the divert socket support only works with ipfw on FreeBSD and OSX.

As said before, I'm not aware of any IPS solution for OpenBSD with
Suricata.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
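
A quick way to tell the two possible failures apart (pf is not diverting anything at all, versus Suricata's ipfw source not speaking OpenBSD's divert(4)) is to put a small userspace consumer on the divert port instead of Suricata and see whether packets arrive. The script below is an added example written for this thread; it is not code from the original posts, from Suricata or from OpenBSD. It reads from a divert socket bound to port 8000 (the "divert-packet port 8000" in the pf rules above), reinjects every packet except those matching an approximation of the posted rule (an HTTP request header containing "google.com", case-insensitive), and prints a running diverted/dropped count. Assumptions, taken from the OpenBSD divert(4) manual and not verified here: the socket is socket(AF_INET, SOCK_RAW, IPPROTO_DIVERT) bound to a sockaddr_in carrying the divert port; IPPROTO_DIVERT is 258 where Python's socket module does not define it; a packet read with recvfrom() is reinjected with sendto() to the very address recvfrom() returned, and a packet that is never written back is dropped; and it has to run as root on the OpenBSD box. The packet builder and the sample HTTP requests used for the checks are constructed test data.

```python
"""
Minimal userspace consumer for an OpenBSD divert(4) socket (added example).

Diagnostic for the setup in this thread: if pf really hands the
"divert-packet port 8000" traffic to userspace, this script sees it. It
mirrors the posted Suricata rule (content:"google.com"; http_header;
nocase) to decide pass or drop, but only approximately: request headers,
raw rather than normalised, request line excluded, IPv4/TCP only.

Assumptions (from divert(4) on OpenBSD, not verified here):
  * divert socket = socket(AF_INET, SOCK_RAW, IPPROTO_DIVERT), bound to
    a sockaddr_in whose port is the pf divert-packet port;
  * IPPROTO_DIVERT is 258 where Python does not define it;
  * recvfrom() gives packet + address, sendto() with that same address
    reinjects it in the direction it came from, and a packet that is
    not written back is dropped;
  * needs root on the OpenBSD box.
"""
import socket
import struct
import sys

DIVERT_PORT = 8000                                        # "divert-packet port 8000"
IPPROTO_DIVERT = getattr(socket, "IPPROTO_DIVERT", 258)   # assumption, see above
NEEDLE = b"google.com"                                    # content:"google.com"; nocase


def tcp_payload(packet: bytes):
    """Return the TCP payload of an IPv4/TCP packet, or None if it is not one."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    total_len = struct.unpack("!H", packet[2:4])[0]
    if proto != 6 or len(packet) < ihl + 20:
        return None
    data_off = (packet[ihl + 12] >> 4) * 4
    start = ihl + data_off
    end = min(total_len, len(packet))
    if start > end:
        return None
    return packet[start:end]


def http_header_block(payload: bytes):
    """Return the header lines of an HTTP request (request line excluded), or None."""
    methods = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")
    if not payload.startswith(methods):
        return None
    first = payload.find(b"\r\n")
    if first < 0:
        return None
    end = payload.find(b"\r\n\r\n", first)
    return payload[first + 2:] if end < 0 else payload[first + 2:end]


def should_drop(packet: bytes) -> bool:
    """Approximate the posted rule: drop if a request header contains NEEDLE, nocase."""
    payload = tcp_payload(packet)
    if not payload:
        return False
    headers = http_header_block(payload)
    if headers is None:
        return False
    return NEEDLE in headers.lower()


def build_ipv4_tcp(payload: bytes) -> bytes:
    """Constructed IPv4/TCP packet for offline tests (checksums left zero)."""
    # src port 40000, dst port 80, seq 1, ack 1, data offset 5, flags PSH|ACK
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    # ver/ihl 0x45, tos 0, total length, id 0, DF, ttl 64, proto TCP, cksum 0,
    # 10.0.0.2 -> 192.0.2.1 (documentation address, constructed)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 2]), bytes([192, 0, 2, 1]))
    return ip + tcp + payload


def divert_loop(port: int = DIVERT_PORT) -> None:
    """Read from the divert socket, reinject what passes, count what is dropped."""
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, IPPROTO_DIVERT)
    s.bind(("0.0.0.0", port))
    seen = dropped = 0
    while True:
        pkt, addr = s.recvfrom(65535)
        seen += 1
        if should_drop(pkt):
            dropped += 1                # never written back: pf does not see it again
        else:
            s.sendto(pkt, addr)         # reinject with the address recvfrom() gave us
        if seen % 100 == 0:
            print(f"diverted={seen} dropped={dropped}", file=sys.stderr)


if __name__ == "__main__":
    divert_loop()
```

If the counter stays at zero while the pf rules are loaded and traffic is flowing, the problem is in the pf side (the "tagged intlans-to-inet" match never hits, or the rules are not the ones in effect); if packets arrive here but Suricata still blocks nothing, it is the Suricata/divert mismatch Victor describes.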