Snort IPS IPFW

[Peter_APIIT]

Hello to all,

Anyone here had successfully deploy a fully functional Snort IPS using IPFW on OpenBSD?

Please share some thought. Thanks.

[jggimi]

This is not possible. IPFW requires FreeBSD or Linux.

[sacerdos_daemonis]

Quote:

What are the other method (daq) to deploy a fully functional Snort IPS on OpenBSD?

If this is true:

Quote:

Originally Posted by jggimi

This is not possible. IPFW requires FreeBSD or Linux.

What would be the "other" methods? Not possible means there is no first method. You appear to be asking the same question twice.

How can this be done?
It is not possible.
But how can I do it?


EDIT
I am assuming "fully functional Snort IPS" means including IPFW.

[Peter_APIIT]

IPFW has similar functionality in terms of divert packet. I though this can achieve on OpenBSD pf packet filter too.

What are the other method (daq) to deploy a fully functional Snort IPS on OpenBSD?

AFAIK, all daq are applicable to Linux netfilter and FreeBSD IPFW only.

[jggimi]

OpenBSD does not have IPFW, and there are no plans to add IPFW.

However, a skilled administrator can use Snort in inline mode, using pf(4) and divert(4).

http://marc.info/?t=137004380800001&r=1&w=2

[denta]

Out of curiosity, what services are you running that shall be "protected" with this snort installation?

[Peter_APIIT]

Quote:

Originally Posted by denta

Out of curiosity, what services are you running that shall be "protected" with this snort installation?

General protection. I don't have any web server, database server not ftp or sshd.

[denta]

Quote:

Originally Posted by Peter_APIIT

General protection. I don't have any web server, database server not ftp or sshd.

So basically, it sounds like the packets that would trigger snort alerts would have been blocked by pf anyway. Perhaps an alternative is the pf overload <table> statement, which allows you to automatically block certain IP:s, without the added effort and security risks of running snort on your external interface(s).

[Peter_APIIT]

Quote:

Originally Posted by denta

Perhaps an alternative is the pf overload <table> statement, which allows you to automatically block certain IP:s, without the added effort and security risks of running snort on your external interface(s).

Any concrete examples?
How to fill out the table with list of blocked ips?
My current pf block syntax is:
block drop log

By the way, this is my pf block log.

Quote:

Sep 14 20:52:56.301290 rule 4/(match) block in on pppoe0: 108.168.174.5.443 > 60.53.42.92.36431: FP 0:31(31) ack 1 win 514 <nop,nop,timestamp 2051785347 10995349> (DF)

Sep 14 20:53:33.017906 rule 4/(match) block in on pppoe0: 1.9.56.40.80 > 60.53.42.92.51352: F 2616242450:2616242450(0) ack 4124174253 win 494 (DF)
Sep 14 20:53:33.305442 rule 4/(match) block in on pppoe0: 1.9.56.40.80 > 60.53.42.92.51352: F 0:0(0) ack 1 win 494 (DF)
Sep 14 20:53:33.615651 rule 4/(match) block in on pppoe0: 1.9.56.40.80 > 60.53.42.92.51352: F 0:0(0) ack 1 win 494 (DF)
Sep 14 20:53:34.234846 rule 4/(match) block in on pppoe0: 1.9.56.40.80 > 60.53.42.92.51352: F 0:0(0) ack 1 win 494 (DF)

Quote:

The Email chain referenced included an example to test functionality, using ICMP traffic initiated from a test system.

The email chain from Lawrence showing there is pf inbound packet using pass in syntax but i don't have any pass in traffic to serve in my environment. I just want to check for every packet of outbound to the equivalent inbound packet for virus scanning and etc.

EDIT:
Layer 7 protocol inspection
policy filtering (or packet marking), TCP flag state filtering,

Thanks.

[Peter_APIIT]

Quote:

Originally Posted by jggimi

OpenBSD does not have IPFW, and there are no plans to add IPFW.

However, a skilled administrator can use Snort in inline mode, using pf(4) and divert(4).

http://marc.info/?t=137004380800001&r=1&w=2

Any concrete examples or explanation would be good?

[jggimi]

The Email chain referenced included an example to test functionality, using ICMP traffic initiated from a test system.