Snort IPS IPFW
Hello to all,
Has anyone here successfully deployed a fully functional Snort IPS using IPFW on OpenBSD? Please share some thoughts. Thanks.
IPFW has similar functionality in terms of diverting packets. I thought this can be achieved with the OpenBSD pf packet filter too.
What are the other methods (DAQ) to deploy a fully functional Snort IPS on OpenBSD? AFAIK, all DAQs are applicable to Linux netfilter and FreeBSD IPFW only.
OpenBSD does not have IPFW, and there are no plans to add IPFW.
However, a skilled administrator can use Snort in inline mode, using pf(4) and divert(4). http://marc.info/?t=137004380800001&r=1&w=2
Out of curiosity, what services are you running that shall be "protected" with this snort installation?
General protection. I don't have any web server, database server, nor ftp or sshd.
So basically, it sounds like the packets that would trigger snort alerts would have been blocked by pf anyway. Perhaps an alternative is the pf overload <table> statement, which allows you to automatically block certain IP:s, without the added effort and security risks of running snort on your external interface(s).
How do I fill the table with the list of blocked IPs? My current pf block syntax is: block drop log
By the way, this is my pf block log.
EDIT: Layer 7 protocol inspection policy filtering (or packet marking), TCP flag state filtering, Thanks.
Last edited by Peter_APIIT; 14th September 2015 at 01:40 PM.
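The pf-only approach suggested in the thread, and the two ways such a table gets filled (by hand or from a file, and automatically through overload), shown as an added pf.conf example that is not part of any post. The interface name, table names, file path, port 22 service and thresholds are all assumptions chosen for illustration.

```pf
# Added example, not from the thread. Assumed: em0, table names, file path,
# port 22 and all thresholds.
ext_if = "em0"

# Filled manually or at load time from a file (one address or CIDR per line).
# "persist" keeps the table in the kernel even when no rule references it.
table <blocked> persist file "/etc/pf.blocked"

# Filled automatically by the overload option on the pass rule below.
table <abusers> persist

# Default deny with logging, matching the "block drop log" rule in the thread.
block drop log all

# Drop anything from either table before any later pass rule can match.
block drop in log quick on $ext_if from <blocked>
block drop in log quick on $ext_if from <abusers>

pass out on $ext_if keep state

# overload only acts on connections a stateful pass rule admits, so it needs
# an exposed service (assumed here: TCP port 22). A source exceeding 10
# concurrent connections or 5 new connections in 30 seconds is added to
# <abusers>, and "flush global" kills all of its existing states.
pass in on $ext_if proto tcp from any to any port 22 keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, overload <abusers> flush global)

# Table maintenance from the shell:
#   pfctl -t blocked -T add 203.0.113.7   # constructed documentation address
#   pfctl -t abusers -T show              # list addresses added by overload
#   pfctl -t abusers -T expire 86400      # remove entries older than one day
```

With no inbound pass rule at all, the overload table never fills, and the default block rule already drops the traffic.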