[Oisf-users] Suricata as IPS under OpenBSD

Oliver Humpage oliver at watershed.co.uk
Tue Dec 15 10:31:03 UTC 2015


> I have managed to configure Suricata as an IPS for UDP and ICMP
> packets, but not for TCP. The problem seems to come from the flag
> state of the TCP packets activated by default by pf. I think if I can
> change "flags S/SA keep state" for "keep state" only, it could work

Not sure that’d help: if a packet matches a rule (but not a state), then state will be created for it. Thereafter all other packets in that state blindly have the same rule applied (eg be diverted, if it’s a divert-packet rule).

Specifying S/SA just means that a random ACK packet won’t create state, only an initial SYN handshake packet. This helps block abnormal TCP flows, so should be kept in, but with normal traffic flows - eg your tests - you shouldn't notice the difference.

However, I have a theory that only the outbound traffic is being diverted. Could you try either removing the “out” keyword from your rules, or putting a second "pass out" rule on your internal interface to forward to the same port 8000 socket?

When testing diverts, I popped perl on the box and used a test script like http://search.cpan.org/~atrak/Net-Divert-0.01/Divert.pm#EXAMPLES to print out the packet info each time it saw a packet. If you then send some traffic via nc(1) between two boxes you can see exactly what’s being diverted.

Oliver.
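
An added example, not part of the message above and not the Net::Divert script it links to: a Python listener that does the same job of printing each diverted packet, with direction and TCP flags, so you can see whether both halves of a handshake reach the divert socket. The value 258 for IPPROTO_DIVERT and the reading of a 0.0.0.0 source address as "outbound" are assumptions taken from OpenBSD's headers and divert(4); the sample packet is constructed.

```python
import socket
import struct

IPPROTO_DIVERT = 258  # assumption: OpenBSD <netinet/in.h> value, not exported by Python
DIVERT_PORT = 8000    # the divert-packet port mentioned in the message
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

# Constructed sample: a bare SYN from 10.0.0.5:40000 to 192.0.2.10:80.
SAMPLE_SYN = (
    struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                socket.inet_aton("10.0.0.5"), socket.inet_aton("192.0.2.10"))
    + struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, 0x02, 1024, 0, 0))


def describe(packet, from_addr="0.0.0.0"):
    """Summarise one diverted IPv4 packet.

    Assumption (divert(4)): recvfrom() reports 0.0.0.0 for outbound packets
    and the receiving interface's address for inbound ones.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "non-IPv4 or truncated packet (%d bytes)" % len(packet)
    ihl = (packet[0] & 0x0F) * 4          # IP header length in bytes
    proto = packet[9]
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    direction = "out" if from_addr == "0.0.0.0" else "in"
    if proto == 6 and len(packet) >= ihl + 14:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        bits = packet[ihl + 13]           # TCP flags byte
        flags = "|".join(n for b, n in TCP_FLAGS if bits & b) or "none"
        return "%s tcp %s:%d > %s:%d [%s]" % (
            direction, src, sport, dst, dport, flags)
    name = {1: "icmp", 6: "tcp", 17: "udp"}.get(proto, str(proto))
    return "%s %s %s > %s" % (direction, name, src, dst)


def main():
    print("self-check:", describe(SAMPLE_SYN))
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, IPPROTO_DIVERT)
    s.bind(("0.0.0.0", DIVERT_PORT))
    while True:
        packet, addr = s.recvfrom(65535)
        print(describe(packet, addr[0]))
        s.sendto(packet, addr)            # re-inject unchanged so the flow continues


if __name__ == "__main__":
    main()
```

Run it as root on the OpenBSD box in place of Suricata while sending test traffic with nc(1). If only "out" lines appear for TCP, only one direction is being diverted.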



