[Oisf-users] Some problems with Suricata 3.1 using divert sockets

Victor Julien lists at inliniac.net
Thu Jul 7 13:46:44 UTC 2016


On 07-07-16 15:41, C. L. Martinez wrote:
> Hi all,
> 
>  I have installed Suricata 3.1 under an OpenBSD 5.9 (fully patched) host to act as an IPS. I have configured pf to work with divert sockets:
> 
> block all
> pass in inet proto tcp from 172.22.55.4 to !<internal_networks> tag intlans-to-inet
> pass out quick on egress inet proto { tcp icmp udp } from 172.22.55.4 divert-packet port 8000 nat-to (vio1:0)
> 
>  And I have configured a test rule with the following content:
> 
> drop tcp any any -> any any (msg:"OSNews is blocked"; content:"osnews.com"; http_header; nocase; classtype:policy-violation; sid:1;)
> 
>  ... but it doesn't work: Suricata doesn't trigger any alert (at this moment HOME_NET and EXTERNAL_NET are set to "any"). Suricata is compiled with the following options:
> 
> root at obsdtest:/var/log/suricata# suricata --build-info    
> This is Suricata version 3.1 RELEASE
> Features: IPFW PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 HAVE_PACKET_FANOUT LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LUAJIT HAVE_LIBJANSSON 
> SIMD support: none
> Atomic intrisics: none
> 64-bits, Little-endian architecture
> GCC version 4.2.1 20070719 , C version 199901
> compiled with _FORTIFY_SOURCE=2
> L1 cache line size (CLS)=64
> thread local storage method: pthread key
> compiled with LibHTP v0.5.20, linked against LibHTP v0.5.20
> 
> Suricata Configuration:
>   AF_PACKET support:                       no
>   PF_RING support:                         no
>   NFQueue support:                         no
>   NFLOG support:                           no
>   IPFW support:                            yes
>   Netmap support:                          no
>   DAG enabled:                             no
>   Napatech enabled:                        no
> 
>   Unix socket enabled:                     yes
>   Detection enabled:                       yes
> 
>   libnss support:                          yes
>   libnspr support:                         yes
>   libjansson support:                      yes
>   hiredis support:                         no
>   Prelude support:                         no
>   PCRE jit:                                yes
>   LUA support:                             yes, through luajit
>   libluajit:                               yes
>   libgeoip:                                yes
>   Non-bundled htp:                         no
>   Old barnyard2 support:                   no
>   CUDA enabled:                            no
>   Hyperscan support:                       no
>   Libnet support:                          yes
> 
>   Suricatasc install:                      no
> 
>   Profiling enabled:                       no
>   Profiling locks enabled:                 no
> 
> Development settings:
>   Coccinelle / spatch:                     no
>   Unit tests enabled:                      no
>   Debug output enabled:                    no
>   Debug validation enabled:                no
> 
> Generic build parameters:
>   Installation prefix:                     /opt/suricata
>   Configuration directory:                 /etc/suricata/
>   Log directory:                           /var/log/suricata/
> 
>   --prefix                                 /opt/suricata
>   --sysconfdir                             /etc
>   --localstatedir                          /var
> 
>   Host:                                    x86_64-unknown-openbsd5.9
>   Compiler:                                gcc (exec name) / gcc (real)
>   GCC Protect enabled:                     yes
>   GCC march native enabled:                no
>   GCC Profile enabled:                     no
>   Position Independent Executable enabled: yes
>   CFLAGS                                   -g -O2 -D__OpenBSD__
>   PCAP_CFLAGS                              
>   SECCFLAGS                                -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security
> 
> 
> 
>  Maybe there is some type of bug with divert sockets and Suricata??

I don't remember the reason, but I think our divert socket support has
never worked with OpenBSD. FreeBSD for sure and OSX as well IIRC.

If anyone remembers why it never worked, please chime in!

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
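The thread's diagnosis boils down to three things a practitioner checks before suspecting a bug: whether the Suricata binary was built with IPFW/divert support, whether the pf.conf divert-packet port matches the port Suricata is started with (its IPFW mode is selected with `-d <port>`), and which OS the build targets. The script below is an added example written for this thread; it is not code from the mailing list or from the Suricata project. It parses a constructed excerpt of the `--build-info` output and the pf rules quoted above, and returns findings instead of printing them so they can be checked programmatically. The `--enable-ipfw` configure flag it mentions is Suricata's real option for this capture method; the function names and the input excerpts are this example's own.

```python
"""Sanity-check a Suricata divert (IPFW) deployment: build-info vs. pf.conf.

Added example for the thread above; not part of the thread or of Suricata.
Assumptions: the build-info text has the layout of `suricata --build-info`
as quoted in the thread, pf rules use pf.conf syntax, and Suricata will be
started in divert mode with `-d <port>`.
"""
import re

# Constructed excerpt of the --build-info output quoted in the thread.
BUILD_INFO = """\
This is Suricata version 3.1 RELEASE
Features: IPFW PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 HAVE_PACKET_FANOUT LIBNET1.1
Suricata Configuration:
  AF_PACKET support:                       no
  NFQueue support:                         no
  IPFW support:                            yes
  Host:                                    x86_64-unknown-openbsd5.9
"""

# Constructed pf.conf built from the rules quoted in the thread (wrapped lines joined).
PF_CONF = """\
block all
pass in inet proto tcp from 172.22.55.4 to !<internal_networks> tag intlans-to-inet
pass out quick on egress inet proto { tcp icmp udp } from 172.22.55.4 divert-packet port 8000 nat-to (vio1:0)
"""


def parse_build_info(text):
    """Return {"features": set, "config": {option: value}, "host": str}."""
    features = set()
    config = {}
    for line in text.splitlines():
        if line.startswith("Features:"):
            features = set(line.split(":", 1)[1].split())
            continue
        # Indented "Option name:   value" rows of the configuration table.
        m = re.match(r"^\s+(.+?):\s{2,}(.+?)\s*$", line)
        if m:
            config[m.group(1)] = m.group(2)
    return {"features": features, "config": config, "host": config.get("Host", "")}


def divert_ports(pf_conf):
    """Collect every port named in a `divert-packet port N` clause (comments ignored)."""
    ports = []
    for line in pf_conf.splitlines():
        line = line.split("#", 1)[0]
        for m in re.finditer(r"\bdivert-packet\s+port\s+(\d+)", line):
            ports.append(int(m.group(1)))
    return ports


def check_divert_setup(build_info, pf_conf, suricata_divert_port):
    """Return a list of findings; an empty list means nothing obviously mismatched."""
    findings = []
    info = parse_build_info(build_info)

    built_with_ipfw = (info["config"].get("IPFW support") == "yes"
                       or "IPFW" in info["features"])
    if not built_with_ipfw:
        findings.append("binary lacks IPFW/divert support; rebuild with --enable-ipfw")

    ports = divert_ports(pf_conf)
    if not ports:
        findings.append("pf.conf has no divert-packet rule, so no traffic reaches Suricata")
    elif suricata_divert_port not in ports:
        findings.append(f"pf diverts to port(s) {ports} but Suricata listens on -d {suricata_divert_port}")

    # The thread reports that divert mode never worked on OpenBSD; flag the host triple.
    if "openbsd" in info["host"].lower():
        findings.append("host is OpenBSD: divert mode is reported as not working there")
    return findings


if __name__ == "__main__":
    for f in check_divert_setup(BUILD_INFO, PF_CONF, 8000):
        print("finding:", f)
```

Run against the thread's own values (port 8000 on both sides, IPFW compiled in) the only finding left is the OpenBSD host, which is exactly where the reply above points; a wrong `-d` port or a build without IPFW support would be reported before anyone starts hunting for a rule-matching problem.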