[Oisf-users] Suricata as IPS under OpenBSD

Oliver Humpage oliver at watershed.co.uk
Mon Dec 14 16:08:25 UTC 2015

> On 14 Dec 2015, at 14:55, C.L. Martinez <carlopmart at gmail.com> wrote:
> And result is: nothing ... Connections established to Google are not blocked ...
> Am I doing something wrong or maybe IPS feature is not supported under OpenBSD??

I understand what Julien says, and obviously he’s more knowledgeable than me :) But, if the divert socket wasn’t working properly, I’d expect *nothing* to pass, since if a diverted packet isn’t processed properly it’ll never re-appear.

Two things I can think of:

1. Another pf rule is taking precedence (e.g. if you have a plain “pass” rule further down? Is that the full ruleset you posted?). If you do a pfctl -s rules -vv, can you see that packets are matching your divert rule?

2. Google.com is https enabled, so won’t match. I generally test with a rule that matches some random string in a URI, then appending that string to any normal http URL to see if it gets blocked (you can amend the first “google image search” rule in emerging-inappropriate to create your custom rule in local.rules).

Like I said, if pfctl reports that packets are being diverted, and suricata reports that it’s seeing packets (bear in mind it often writes to logs in batches, so you may not see log lines immediately), then I would expect IPS to work.
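The two checks described above, as an added example that is not part of the original message and not code from the Suricata project: one helper reads the hit counters of the divert-packet rule out of `pfctl -s rules -vv` output, the other emits a plain-HTTP drop rule for local.rules keyed on a marker string in the URI. The interface em0, divert port 700, the marker string, the sid and the sample pfctl output are all assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original thread. Two small helpers for the checks
# suggested in the message: (1) read the hit counters of the pf divert-packet
# rule from `pfctl -s rules -vv`, (2) build a plain-HTTP test rule for
# local.rules. Interface em0, divert port 700, marker and sid are assumptions
# for this example, not values from the thread.
#
# Assumed pf.conf line (OpenBSD, Suricata started with `suricata -d 700`):
#   pass in quick on em0 proto tcp to port 80 divert-packet port 700

# 1. pfctl -vv prints each rule followed by a counters line such as
#      [ Evaluations: 8   Packets: 0   Bytes: 0   States: 0 ]
#    Print "<packets> <rule>" for every divert-packet rule read from stdin.
#    A Packets counter that stays at 0 while you browse means the rule is not
#    matching the traffic, so nothing ever reaches Suricata's divert socket.
divert_rule_hits() {
    awk '
        /divert-packet/ { rule = $0; want = 1; next }
        want && /Packets:/ {
            for (i = 1; i <= NF; i++) if ($i == "Packets:") print $(i + 1), rule
            want = 0
        }
    '
}

# 2. A drop rule keyed on a marker in the HTTP URI (drop only takes effect in
#    IPS mode). Test from an inside host with plain http, e.g.:
#      curl -v "http://example.com/?q=suricata-ips-test"
#    Marker and sid are arguments so you can pick values that are not in use.
test_rule() {
    marker=${1:-suricata-ips-test}
    sid=${2:-9000001}
    printf 'drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL IPS divert test"; flow:to_server,established; content:"%s"; http_uri; nocase; classtype:policy-violation; sid:%s; rev:1;)\n' "$marker" "$sid"
}

# Constructed sample of `pfctl -s rules -vv` output for an offline run: the
# divert rule is evaluated but has matched no packets, while a plain pass rule
# below it is carrying all the traffic.
SAMPLE_PFCTL='pass in quick on em0 inet proto tcp from any to any port = 80 flags S/SA divert-packet port 700
  [ Evaluations: 1842      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 12345 State Creations: 0     ]
pass in on em0 inet proto tcp from any to any flags S/SA
  [ Evaluations: 1842      Packets: 512       Bytes: 40960       States: 7     ]
  [ Inserted: uid 0 pid 12345 State Creations: 7     ]'

# Wrapper so the sample's divert counter can be read as a single value.
sample_divert_packets() {
    printf '%s\n' "$SAMPLE_PFCTL" | divert_rule_hits | awk '{ print $1 }'
}

echo "Divert rule packets: $(sample_divert_packets)"
echo "Rule to append to local.rules:"
test_rule
```

On a live box replace the constructed sample with `pfctl -s rules -vv | divert_rule_hits`; if the counter climbs while the marker URL still loads, the divert side is fine and the problem is on the Suricata side (rule not loaded, or log lines not yet flushed).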
