[Oisf-users] Suricata as IPS under OpenBSD

C. L. Martinez carlopmart at gmail.com
Tue Dec 15 15:00:39 UTC 2015


On Tue, Dec 15, 2015 at 10:31 AM, Oliver Humpage <oliver at watershed.co.uk> wrote:
>
>> I have managed to configure Suricata as an IPS for UDP and ICMP
>> packets, but not for TCP. The problem seems to come from the flag
>> state of the TCP packets activated by default by pf. I think if I can
>> change "flags S/SA keep state" for "keep state" only, it could work
>
> Not sure that’d help: if a packet matches a rule (but not a state), then state will be created for it. Thereafter all other packets in that state blindly have the same rule applied (eg be diverted, if it’s a divert-packet rule).
>
> Specifying S/SA just means that a random ACK packet won’t create state, only an initial SYN handshake packet. This helps block abnormal TCP flows, so should be kept in, but with normal traffic flows - eg your tests - you shouldn't notice the difference.
>
> However, I have a theory that only the outbound traffic is being diverted. Could you try either removing the “out” keyword from your rules, or put a second "pass out" rule on your internal interface to forward to the same port 8000 socket?
>
> When testing diverts, I popped perl on the box and used a test script like http://search.cpan.org/~atrak/Net-Divert-0.01/Divert.pm#EXAMPLES to print out the packet info each time it saw a packet. If you then send some traffic via nc(1) between two boxes you can see exactly what’s being diverted.
>

Uhmmm. No, it doesn't work either.

I have changed my rules to these simple rules:

pass in divert-packet port 700
pass out all

... and it doesn't work for TCP. But it works for UDP and ICMP ...
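
Oliver suggests watching the divert socket directly to see what pf is actually handing over. The following is an added Python example (not code from the thread, from OpenBSD or from Suricata) that does what his Net::Divert script does: bind a divert(4) socket on the port named in the pf rule, print one line per diverted packet, and reinject it unchanged so traffic keeps flowing. It assumes the OpenBSD value IPPROTO_DIVERT = 258, that a diverted packet is reinjected with sendto() on the same socket using the address returned by recvfrom() (the pattern in the divert(4) manual page example), and uses port 700 from the rule above as the default. It parses IPv4 only. The TCP line includes the flags, so a test run shows whether the SYN that creates pf state is reaching the divert socket, whether only later packets of a flow show up, or whether TCP never appears at all while UDP and ICMP do.

```python
"""Minimal divert(4) packet dumper for OpenBSD pf 'divert-packet' rules.

Added example, not from the original thread. Run as root on the OpenBSD
box while a rule such as 'pass in divert-packet port 700' is loaded: every
diverted packet is summarised on stdout and then reinjected unchanged.

Assumptions (not stated on the page): IPPROTO_DIVERT is 258 on OpenBSD,
and a diverted packet is reinjected by sendto() on the same socket using
the address returned by recvfrom(), as in the divert(4) manual page example.
"""
import socket
import struct
import sys

IPPROTO_DIVERT = 258   # OpenBSD netinet/in.h value (assumption: check your release)
DIVERT_PORT = 700      # port used in the pf rule from the thread

TCP_FLAG_NAMES = (
    (0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
    (0x10, "ACK"), (0x20, "URG"),
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def tcp_flags(flag_byte):
    """Return the names of the TCP flags set in the low byte of the flags field."""
    return [name for bit, name in TCP_FLAG_NAMES if flag_byte & bit]


def describe_packet(data):
    """Parse an IPv4 packet (as delivered by the divert socket) into a dict.

    TCP flags are included so a run of the dumper shows whether the SYN that
    creates pf state is being diverted, or only later packets of the flow.
    """
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    info = {
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "len": total_len,
    }
    payload = data[ihl:]
    if proto == 6 and len(payload) >= 20:
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", payload[:14])
        info.update(sport=sport, dport=dport, flags=tcp_flags(off_flags & 0xFF))
    elif proto == 17 and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        info.update(sport=sport, dport=dport)
    elif proto == 1 and len(payload) >= 2:
        info.update(icmp_type=payload[0], icmp_code=payload[1])
    return info


def format_packet(info):
    """One-line summary, e.g. 'tcp 10.0.0.2:51234 -> 10.0.0.1:22 [SYN] 40B'."""
    if "sport" in info:
        ends = "%s:%d -> %s:%d" % (info["src"], info["sport"], info["dst"], info["dport"])
    else:
        ends = "%s -> %s" % (info["src"], info["dst"])
    extra = ""
    if "flags" in info:
        extra = " [%s]" % ",".join(info["flags"])
    elif "icmp_type" in info:
        extra = " type=%d code=%d" % (info["icmp_type"], info["icmp_code"])
    return "%s %s%s %dB" % (info["proto"], ends, extra, info["len"])


def run(port=DIVERT_PORT):
    """Bind a divert socket on 'port', print each diverted packet, reinject it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, IPPROTO_DIVERT)
    s.bind(("0.0.0.0", port))
    print("listening on divert port %d" % port, file=sys.stderr)
    while True:
        data, addr = s.recvfrom(65535)
        try:
            print(format_packet(describe_packet(data)))
        except ValueError as exc:
            print("unparsed packet (%s), %d bytes" % (exc, len(data)))
        s.sendto(data, addr)   # reinject so the packet continues through the stack


if __name__ == "__main__":
    run(int(sys.argv[1]) if len(sys.argv) > 1 else DIVERT_PORT)
```

Stop Suricata first so that it does not compete for the same divert port, start the dumper as root with the port from the rule (for example `doas python3 divert_dump.py 700`), then send some traffic with nc(1) between two hosts on either side of the box. A TCP connection whose packets are being diverted shows up as a `[SYN]` line, a `[SYN,ACK]` line and so on; if only udp and icmp lines appear, the TCP packets are not matching the divert-packet rule at all, which separates a pf ruleset problem from a Suricata one.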


