[Oisf-users] Suricata as IPS under OpenBSD
C.L. Martinez
carlopmart at gmail.com
Mon Dec 14 15:35:22 UTC 2015
On 12/14/2015 03:08 PM, Victor Julien wrote:
> On 14-12-15 15:59, C.L. Martinez wrote:
>> On 12/14/2015 02:55 PM, C.L. Martinez wrote:
>>> On 12/10/2015 04:53 PM, Oliver Humpage wrote:
>>>>
>>>>> On 10 Dec 2015, at 16:34, C.L. Martinez <carlopmart at gmail.com> wrote:
>>>>>
>>>>>
>>>>> Thanks Oliver. Suricata can be installed under OpenBSD without major
>>>>> issues. But it is not possible to use ipfw (it is only supported
>>>>> under FreeBSD) and divert option works differently in OpenBSD than it
>>>>> does in FreeBSD as you can see here:
>>>>> http://lteo.net/blog/2015/01/06/dissecting-openbsds-divert-4-part-1-introduction/
>>>>>
>>>>>
>>>>
>>>> "OpenBSD divert(4) is meant to be compatible with software running on
>>>> top of FreeBSD's divert sockets"
>>>>
>>>> I really thought I’d had suricata running on OpenBSD + pf +
>>>> divert-packet at some point during my testing. Maybe I’m misremembering.
>>>>
>>>> However, all the userspace switching of divert meant I’ve now moved to
>>>> netmap on FreeBSD (and although FreeBSD does support CARP, I dread to
>>>> think what would happen to carp on netmap-enabled interfaces - plus,
>>>> in my time, I’ve seen far more crashes *caused* by carp than all other
>>>> failures put together!).
>>>>
>>>> Oliver.
>>>>
>>>
>>> Ok,
>>>
>>> Returning to this thread. I have installed a new OpenBSD 5.8 (fully
>>> patched) virtual machine to test suricata as IPS.
>>>
>>> I have compiled suricata with the following options without problems:
>>>
>>> ./configure --prefix=/opt/suricata --enable-gccprotect --enable-ipfw
>>> --enable-luajit --enable-geoip
>>>
>>> Result is:
>>>
>>>
>>> root at obsdtest:~/docs# suricata --build-info
>>> This is Suricata version 3.0RC2 RELEASE
>>> Features: IPFW PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 HAVE_PACKET_FANOUT
>>> LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA
>>> HAVE_LUAJIT HAVE_LIBJANSSON
>>> SIMD support: SSE_3
>>> Atomic intrisics: none
>>> 64-bits, Little-endian architecture
>>> GCC version 4.2.1 20070719 , C version 199901
>>> compiled with _FORTIFY_SOURCE=2
>>> L1 cache line size (CLS)=64
>>> thread local storage method: pthread key
>>> compiled with LibHTP v0.5.18, linked against LibHTP v0.5.18
>>>
>>> Suricata Configuration:
>>> AF_PACKET support: no
>>> PF_RING support: no
>>> NFQueue support: no
>>> NFLOG support: no
>>> IPFW support: yes
>>> Netmap support: no
>>> DAG enabled: no
>>> Napatech enabled: no
>>>
>>> Unix socket enabled: yes
>>> Detection enabled: yes
>>>
>>> libnss support: yes
>>> libnspr support: yes
>>> libjansson support: yes
>>> hiredis support: no
>>> Prelude support: no
>>> PCRE jit: yes
>>> LUA support: yes, through luajit
>>> libluajit: yes
>>> libgeoip: yes
>>> Non-bundled htp: no
>>> Old barnyard2 support: no
>>> CUDA enabled: no
>>>
>>> Suricatasc install: no
>>>
>>> Unit tests enabled: no
>>> Debug output enabled: no
>>> Debug validation enabled: no
>>> Profiling enabled: no
>>> Profiling locks enabled: no
>>> Coccinelle / spatch: no
>>>
>>> Generic build parameters:
>>> Installation prefix: /opt/suricata
>>> Configuration directory: /opt/suricata/etc/suricata/
>>> Log directory:
>>> /opt/suricata/var/log/suricata/
>>>
>>> --prefix /opt/suricata
>>> --sysconfdir /opt/suricata/etc
>>> --localstatedir /opt/suricata/var
>>>
>>> Host: x86_64-unknown-openbsd5.8
>>> Compiler: gcc (exec name) / gcc (real)
>>> GCC Protect enabled: yes
>>> GCC march native enabled: yes
>>> GCC Profile enabled: no
>>> Position Independent Executable enabled: no
>>> CFLAGS -g -O2 -D__OpenBSD__
>>> -march=native
>>> PCAP_CFLAGS
>>> SECCFLAGS -fstack-protector
>>> -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security
>>>
>>> PF rules to test this IPS feature:
>>>
>>> pass out on egress inet proto tcp all flags S/SA keep state (if-bound)
>>> scrub (reassemble tcp) tagged intlans-to-inet divert-packet port 8000
>>> pass out on egress inet proto icmp all keep state (if-bound) scrub
>>> (reassemble tcp) tagged intlans-to-inet divert-packet port 8000
>>> pass out on egress inet proto udp all keep state (if-bound) scrub
>>> (reassemble tcp) tagged intlans-to-inet divert-packet port 8000
>>>
>>> Rule used in this test:
>>>
>>> drop tcp any any -> any any (msg:"Google is blocked";
>>> content:"google.com"; http_header; nocase; classtype:policy-violation;
>>> sid:1;)
>>>
>>> And result is: nothing ... Connections established to Google are not
>>> blocked ...
>>>
>>> Am I doing something wrong, or maybe the IPS feature is not supported under
>>> OpenBSD??
>>
>>
>> Sorry, suricata startup options:
>>
>> suricata -c suricata.yaml -d 8000
>>
>> And log:
>>
>> 14/12/2015 -- 14:49:02 - <Notice> - This is Suricata version 3.0RC2 RELEASE
>> 14/12/2015 -- 14:49:03 - <Notice> - all 3 packet processing threads, 4
>> management threads initialized, engine started.
>
> AFAIK, the divert socket support only works with ipfw on FreeBSD and OSX.
>
> Like said before, I'm not aware of any IPS solution for OpenBSD with
> Suricata.
>
Thanks Victor. Then I return to my original question: will it be possible
to add this feature for OpenBSD in future releases??
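The thread turns on a mismatch between what `suricata --build-info` reports ("IPFW support: yes") and what actually works inline on the host ("Host: x86_64-unknown-openbsd5.8"). The script below is an added example, not code from the Suricata project or from anyone in this thread: it parses the build-info block and reports which compiled-in inline capture methods are usable on the build host. The OS mapping for IPFW/divert follows Victor's statement above (FreeBSD and OS X only); the mappings for NFQueue, AF_PACKET and Netmap are this example's own assumptions about Suricata 3.0-era support, and the sample input is the build-info text quoted in the thread.

```python
"""Check whether a Suricata build can run inline (IPS) on its build host.

Added example for this thread; not part of Suricata. Parses the output of
`suricata --build-info` and compares the compiled-in capture methods with the
host OS named in the configure triplet.
"""
import re

# Inline-capable capture methods and the OS families each is assumed to work on.
# IPFW/divert: FreeBSD and OS X only, per Victor Julien's reply in this thread.
# The other three entries are assumptions made for this example.
INLINE_METHODS = {
    "IPFW support": ("ipfw", ("freebsd", "darwin")),
    "NFQueue support": ("nfqueue", ("linux",)),
    "AF_PACKET support": ("af_packet", ("linux",)),
    "Netmap support": ("netmap", ("freebsd", "linux")),
}

KNOWN_OS = ("linux", "freebsd", "openbsd", "netbsd", "darwin")

# Constructed sample: the build-info lines quoted in the thread (abridged).
SAMPLE_BUILD_INFO = """\
This is Suricata version 3.0RC2 RELEASE
Features: IPFW PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 HAVE_PACKET_FANOUT
Suricata Configuration:
AF_PACKET support: no
PF_RING support: no
NFQueue support: no
NFLOG support: no
IPFW support: yes
Netmap support: no
Host: x86_64-unknown-openbsd5.8
Compiler: gcc (exec name) / gcc (real)
"""


def parse_build_info(text):
    """Return a dict of 'Key: value' pairs found in build-info output.

    Lines without a 'Key: value' shape (banner, CFLAGS, blank lines) are skipped.
    """
    info = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z_/ ]+?):\s*(\S.*)$", line.strip())
        if m:
            info[m.group(1).strip()] = m.group(2).strip()
    return info


def host_os(info):
    """Extract the OS family from the configure 'Host' triplet.

    'x86_64-unknown-openbsd5.8' -> 'openbsd'; unknown triplets return ''.
    """
    host = info.get("Host", "").lower()
    for name in KNOWN_OS:
        if name in host:
            return name
    return ""


def inline_capable(info):
    """Split compiled-in inline methods into (usable_on_host, compiled_but_unusable)."""
    os_name = host_os(info)
    usable, unusable = [], []
    for key, (name, oses) in INLINE_METHODS.items():
        if info.get(key, "no").lower().startswith("yes"):
            (usable if os_name in oses else unusable).append(name)
    return usable, unusable


def ips_check(text):
    """Return a one-line verdict for a build-info dump."""
    info = parse_build_info(text)
    usable, unusable = inline_capable(info)
    os_name = host_os(info) or "unknown OS"
    if usable:
        return "IPS possible on %s via: %s" % (os_name, ", ".join(usable))
    if unusable:
        return "no inline method usable on %s (compiled in but unsupported here: %s)" % (
            os_name, ", ".join(unusable))
    return "no inline capture method compiled in; IDS (pcap) only on %s" % os_name


if __name__ == "__main__":
    print(ips_check(SAMPLE_BUILD_INFO))
```

Run it against a real `suricata --build-info` dump by piping the output into `parse_build_info`; on the OpenBSD build from this thread it reports IPFW as compiled in but not usable, which is exactly the silent failure C.L. Martinez observed (engine starts, nothing is dropped).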