[Oisf-users] Using Suricata with OpenBSD HA Firewalls

Brian Keefer chort at effu.se
Mon Nov 28 15:25:47 UTC 2016


If you’re running IDS only, not IPS, you could use a dup-to rule on each firewall to send all traffic to another IP, which should probably be on a third box/instance. Run Suricata on that box.

I’m probably not explaining it very well, but here’s an example of a similar setup: https://taosecurity.blogspot.com/2005/07/distributed-traffic-collection-with-pf.html

> On Nov 28, 2016, at 2:50 AM, C. L. Martinez <carlopmart at gmail.com> wrote:
> 
> Hi all,
> 
> I have installed the Suricata 3.1.3 release on a pair of OpenBSD CARP'ed firewalls (for HA availability). My idea is to sniff/monitor only internal connections, but I have a doubt about which interface I need to configure for suricata. My first test was to sniff/monitor the physical interface, running suricata with the -i switch, but I received a lot of alerts like these:
> 
> 11/23/2016-15:43:31.527739  [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 74.125.206.109:587 -> 172.22.55.1:41040
> 11/23/2016-15:43:31.527767  [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 74.125.206.108:587 -> 172.22.55.1:38884
> 11/23/2016-15:43:31.563236  [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 74.125.206.109:587 -> 172.22.55.1:41044
> 11/23/2016-15:43:41.353930  [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 74.125.206.109:587 -> 172.22.55.1:41048
> 11/23/2016-15:43:41.353952  [**] [1:2260002:1] SURICATA Applayer Detect protocol only one direction [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 74.125.206.109:587 -> 172.22.55.1:41046
> 
> ... which is certainly true, because these OpenBSD firewalls are configured to balance traffic ... When I change to the carp interfaces, no alert is triggered, but suricata sees packets:
> 
> 28/11/2016 -- 08:08:34 - <Notice> - all 3 packet processing threads, 4 management threads initialized, engine started.
> 28/11/2016 -- 10:19:29 - <Notice> - Signal Received.  Stopping engine.
> 28/11/2016 -- 10:19:30 - <Info> - time elapsed 7855.809s
> 28/11/2016 -- 10:19:31 - <Info> - (W#01-carp0) Packets 55962, bytes 6297178
> 28/11/2016 -- 10:19:31 - <Info> - (W#01-carp0) Pcap Total:55962 Recv:55962 Drop:0 (0.0%).
> 28/11/2016 -- 10:19:31 - <Info> - (W#01-carp3) Packets 2, bytes 84
> 28/11/2016 -- 10:19:31 - <Info> - (W#01-carp3) Pcap Total:2 Recv:2 Drop:0 (0.0%).
> 28/11/2016 -- 10:19:31 - <Info> - (W#01-carp5) Packets 2, bytes 84
> 28/11/2016 -- 10:19:31 - <Info> - (W#01-carp5) Pcap Total:2 Recv:2 Drop:0 (0.0%).
> 28/11/2016 -- 10:19:31 - <Info> - cleaning up signature grouping structure... complete
> 28/11/2016 -- 10:19:31 - <Notice> - Stats for 'carp0':  pkts: 55962, drop: 0 (0.00%), invalid chksum: 0
> 28/11/2016 -- 10:19:31 - <Notice> - Stats for 'carp3':  pkts: 2, drop: 0 (0.00%), invalid chksum: 0
> 28/11/2016 -- 10:19:31 - <Notice> - Stats for 'carp5':  pkts: 2, drop: 0 (0.00%), invalid chksum: 0
> 
> Having arrived at this point, I am not sure which interface I need to configure under Suricata. Any idea or tip?
> 
> Thanks
> 
> -- 
> Greetings,
> C. L. Martinez
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC: http://suricon.net



--
chort
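The dup-to setup Brian describes, written out as an added pf.conf example (constructed here, not from the post or the linked article). The interface names, the collector address and the internal network are assumptions; the collector runs Suricata in plain pcap mode on its capture port instead of on the firewalls.

```pf
# Added example, not from the post or the linked article.  Assumed names:
# em1 = internal segment, em2 = dedicated link to the collector,
# 10.99.0.2 = collector address on that link, 172.22.55.0/24 = internal net.
int_if  = "em1"
col_if  = "em2"
col_ip  = "10.99.0.2"
int_net = "172.22.55.0/24"

# Put this fragment on BOTH CARP firewalls.  Whichever node forwards a
# flow (or one half of it under load balancing) copies what it sees to
# the same collector, so the collector reassembles both directions and
# the "Applayer Detect protocol only one direction" alerts go away.
#
# dup-to takes effect only on the rule that finally matches the packet.
# These are shown as standalone quick rules for clarity; in a real
# ruleset add dup-to to the pass rules you already have so the
# filtering policy itself is unchanged.
# Older pf spells the target "($col_if $col_ip)"; newer OpenBSD releases
# spell it "$col_ip@$col_if" (check pf.conf(5) for your release).
pass in  quick on $int_if dup-to ($col_if $col_ip) from $int_net to any
pass out quick on $int_if dup-to ($col_if $col_ip) from any to $int_net

# On the collector (its own pf.conf): the copies still carry other hosts'
# addresses, so stop the kernel from forwarding or answering them.
# bpf(4) taps the interface before pf filters, so Suricata started with
# "suricata -i em0" still sees every copied packet.  Assumed: em0 is the
# collector's capture port, configured with 10.99.0.2 so it answers ARP.
block drop in quick on em0 all
```

Suricata on the collector then sees each TCP session in both directions, which is what the single-direction alerts on the CARP'ed nodes were complaining about.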





