Snort IPS IPFW
Hello to all,
Has anyone here successfully deployed a fully functional Snort IPS using IPFW on OpenBSD? Please share some thoughts. Thanks.
IPFW has similar functionality in terms of packet divert. I thought this could be achieved on the OpenBSD pf packet filter too.
What are the other methods (daq) to deploy a fully functional Snort IPS on OpenBSD? AFAIK, all daqs are applicable to Linux netfilter and FreeBSD IPFW only.
OpenBSD does not have IPFW, and there are no plans to add IPFW.
However, a skilled administrator can use Snort in inline mode, using pf(4) and divert(4). http://marc.info/?t=137004380800001&r=1&w=2
Out of curiosity, what services are you running that shall be "protected" with this snort installation?
General protection. I don't have any web server, database server, nor ftp or sshd.
So basically, it sounds like the packets that would trigger snort alerts would have been blocked by pf anyway. Perhaps an alternative is the pf overload <table> statement, which allows you to automatically block certain IPs, without the added effort and security risks of running snort on your external interface(s).
How do I fill out the table with a list of blocked IPs? My current pf block syntax is:
Code:
block drop log
By the way, this is my pf block log.
EDIT: Layer 7 protocol inspection policy filtering (or packet marking), TCP flag state filtering. Thanks.
Last edited by Peter_APIIT; 14th September 2015 at 01:40 PM.
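An added example, not from this thread, of the pf overload <table> mechanism mentioned above and of how such a table is filled and maintained. The interface name em0, the single open TCP port 443 and the connection limits are assumptions chosen for illustration:

```pf
# Added example, not from the thread: pf.conf fragment that fills a block
# table automatically, as an alternative to running Snort inline.
ext_if = "em0"

# The table survives rule reloads; entries come from the overload rule below
# or from pfctl by hand.
table <attackers> persist

# Default deny with logging, as in the thread (log hits land in /var/log/pflog).
block drop log all

# Any source already in the table is dropped before the pass rules are evaluated.
block drop log quick from <attackers>

# Assumed pass rule for one offered service. A source that holds more than
# 15 open connections, or opens more than 10 new ones in 5 seconds, is added
# to <attackers> and all of its existing states are flushed.
pass in on $ext_if proto tcp from any to ($ext_if) port 443 \
    keep state (max-src-conn 15, max-src-conn-rate 10/5, \
    overload <attackers> flush global)

# Table maintenance (run as root, not part of pf.conf):
#   pfctl -t attackers -T show                # list current entries
#   pfctl -t attackers -T add 192.0.2.10      # add a host by hand (example address)
#   pfctl -t attackers -T delete 192.0.2.10   # remove it again
#   pfctl -t attackers -T expire 86400        # drop entries older than one day
#   tcpdump -n -e -ttt -r /var/log/pflog      # review what the "log" keyword recorded
```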
These are blocks of valid ACK packets. This was discussed in one of your other threads last week. Perhaps you missed the discussion, Peter?
If so, start reading HERE: http://daemonforums.org/showthread.php?t=9350#post56318
Sorry to dredge up an old thread, but as I've had some success with this, and haven't seen anything newer, I thought I'd post some information for anyone who needs it.
As noted above, pf can redirect packets from kernel space to user space using divert packets, like the following (on a box placed between the world and the gateway machine):
Code:
WAN_IF=em0
LAN_IF=em1
LON_IF=lo0

# the gateway WAN address
GATEWAY="192.168.1.2"

set skip on $LON_IF
set skip on $LAN_IF

block in all
block out all

# Allow IPS to communicate with the world for Snort rule updates, etc.
pass out on $WAN_IF from ($WAN_IF) to any

pass on $WAN_IF from $GATEWAY to any binat-to ($WAN_IF:0) divert-packet port 700

The key is the "divert-packet" statement (NOT "divert-to" or "divert-reply"), which redirects all packets passing through the IPS to divert socket 700. Without anything listening on that socket and re-injecting the packets, nothing should pass through.

On the Snort side, the use of the "ipfw" Snort data acquisition, or daq, module (unfortunately named; I think this has led to some confusion) is essential. On other platforms, Snort can use the "afpacket" daq for inline (IPS) service, but this isn't available on OpenBSD at this point. Within the "snort.conf" file, Snort can be configured to make use of divert sockets and run inline as follows:
Code:
config policy_mode: inline
config daq_dir: /usr/local/lib/daq/
config daq: ipfw
config daq_mode: inline
config daq_var: port=700

Code:
/usr/local/bin/snort -D -c /etc/snort/snort.conf -Q -u _snort -g _snort -t /var/snort -l /var/snort/log

This ISN'T a comprehensive description of snort configuration or rule generation. I use pulledpork.pl run via cron on a daily basis to generate a unified "snort.rules" file and download/keep rules up to date, to choose the "ips_policy" level (which selects the rules enabled for IPS duty), and to modify rules from "alert" to "drop" with pulledpork's "dropsid" functionality. And I'm still experimenting with Snort configurations for improving performance. But that's basically it.

As for why anyone would do this: Firewalls are basically whitelisting devices. They allow certain traffic through if the source/destination addresses and ports are right, and packets themselves aren't malformed (of course, they're also useful for rate limiting and traffic shaping, etc.). However, firewalls can't detect whether the content of traffic sent to/from correct addresses and ports is nonetheless malicious. That's where signature-based deep-packet inspection and blacklisting can add additional protection.

A few notes:
Last edited by JVWilliams; 19th April 2017 at 04:32 PM.