Hi folks,
Not sure if someone has already tried to make suricata work or used divert?

But Suricata doesn't seem to receive any traffic on my box when running in divert mode.
I may be screwing something up with divert in my pf config since I've never used it before.

Any clue what could be done to investigate?

### pf.conf
pass out quick on egress inet proto tcp to port 80 divert-packet port 700
block return 
pass

### httpd.conf
server "mywebserver" {
    listen on vmx0 port 80
    root "/htdocs/website"
    directory index "index.php"
}

suricata -v -c /etc/suricata/suricata.yaml -d 700
2/11/2020 -- 09:13:25 - <Notice> - This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
2/11/2020 -- 09:13:25 - <Info> - CPUs/cores online: 1
2/11/2020 -- 09:13:25 - <Info> - fast output device (regular) initialized: fast.log
2/11/2020 -- 09:13:25 - <Info> - eve-log output device (regular) initialized: eve.json
2/11/2020 -- 09:13:25 - <Info> - stats output device (regular) initialized: stats.log
2/11/2020 -- 09:13:25 - <Info> - Running in live mode, activating unix socket
2/11/2020 -- 09:13:25 - <Info> - 8 rule files processed. 261 rules successfully loaded, 0 rules failed
2/11/2020 -- 09:13:25 - <Info> - Threshold config parsed: 0 rule(s) found
2/11/2020 -- 09:13:25 - <Info> - 261 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 90 inspect application layer, 103 are decoder event only
2/11/2020 -- 09:13:25 - <Info> - Running in live mode, activating unix socket
2/11/2020 -- 09:13:25 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket'
2/11/2020 -- 09:13:25 - <Notice> - all 3 packet processing threads, 4 management threads initialized, engine started.
2/11/2020 -- 09:13:25 - <Info> - Thread 'RX-700' will run on port 700 (item 0)
^C2/11/2020 -- 09:13:59 - <Notice> - Signal Received.  Stopping engine.
2/11/2020 -- 09:14:00 - <Info> - time elapsed 34.847s
2/11/2020 -- 09:14:01 - <Notice> - (RX-700) Treated: Pkts 0, Bytes 0, Errors 0
2/11/2020 -- 09:14:01 - <Notice> - (RX-700) Verdict: Accepted 0, Dropped 0
2/11/2020 -- 09:14:01 - <Info> - IPFW Processing: - (TX#00) Pkts accepted 0, dropped 0
2/11/2020 -- 09:14:01 - <Info> - Alerts: 0
2/11/2020 -- 09:14:01 - <Info> - cleaning up signature grouping structure... complete

// page is loaded but suricata is not logging anything nor seeing any packets
### curl -A 'asafaweb.com' http://mywebserver/
### curl -H "`printf "Foo: bar\r\nblah"`" -v mywebserver
### curl -vvv -d '{' -H "Content-Type: app/badContent" -X POST http://mywebserver
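
A check for the symptom above, added here as an example (it is not code from the thread, nor from the Suricata or OpenBSD projects): Suricata's -d mode only ever sees what pf hands to the divert socket, so the first thing to confirm is whether the divert-packet rule matches any packets at all. `pfctl -vsr` prints per-rule counters; the function below summarises them for every divert-packet rule and flags those that have never matched. The sample output is constructed in that format, and its rule lines, ports and counter values are assumptions, not taken from the poster's box. One caveat the counters make visible: a `pass out ... on egress` rule matches only packets leaving that interface, so connections arriving at a local httpd (which are `in` on the interface, or travel over lo0 when curl runs on the same host) show zero matches under it.

```shell
#!/bin/sh
# Added example (not from the thread): summarise pf's per-rule counters for
# divert-packet rules, to see whether the rule Suricata depends on matches at all.
# Real usage on an OpenBSD box:  pfctl -vsr | summarise_divert_rules
# The sample below is CONSTRUCTED in the layout pfctl -vsr prints; a divert rule
# with "Packets: 0" is what a "Suricata sees nothing" symptom looks like on the pf side.

SAMPLE_PFCTL_OUTPUT='pass out quick on egress inet proto tcp from any to any port = 80 flags S/SA divert-packet port 700
  [ Evaluations: 3120      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 41125 State Creations: 0     ]
block return all
  [ Evaluations: 3120      Packets: 214       Bytes: 13420       States: 0     ]
  [ Inserted: uid 0 pid 41125 State Creations: 0     ]
pass all flags S/SA
  [ Evaluations: 3120      Packets: 88612     Bytes: 71220110    States: 12    ]
  [ Inserted: uid 0 pid 41125 State Creations: 1830  ]
pass in on lo0 inet proto tcp from any to 127.0.0.1 port = 8080 flags S/SA divert-packet port 700
  [ Evaluations: 640       Packets: 1902      Bytes: 1440210     States: 3     ]
  [ Inserted: uid 0 pid 41125 State Creations: 61    ]'

# Reads pfctl -vsr output on stdin and prints one tab-separated line per
# divert-packet rule: <divert socket port> <packets matched> <status> <rule text>.
# The "[ Evaluations: ... Packets: ... ]" line that pfctl prints directly under a
# rule carries that rule's counters, so it is paired with the preceding rule line.
summarise_divert_rules() {
    awk '
        /divert-packet port/ {
            rule = $0
            for (i = 1; i <= NF; i++) if ($i == "divert-packet") dport = $(i + 2)
            pending = 1
            next
        }
        pending && /Evaluations:/ {
            for (i = 1; i <= NF; i++) if ($i == "Packets:") pkts = $(i + 1)
            status = (pkts + 0 == 0) ? "NO_MATCH" : "ok"
            printf "%s\t%s\t%s\t%s\n", dport, pkts, status, rule
            pending = 0
        }
    '
}

# Prints how many divert-packet rules have never matched a packet (0 means
# every divert rule has seen traffic, so the problem is further down the chain).
count_unmatched_divert_rules() {
    summarise_divert_rules | awk -F '\t' '$3 == "NO_MATCH" { n++ } END { print n + 0 }'
}

# Demonstration on the constructed sample; replace with: pfctl -vsr | summarise_divert_rules
printf '%s\n' "$SAMPLE_PFCTL_OUTPUT" | summarise_divert_rules
printf 'unmatched divert rules: %s\n' "$(printf '%s\n' "$SAMPLE_PFCTL_OUTPUT" | count_unmatched_divert_rules)"
```

If the divert rule itself reports NO_MATCH, Suricata's "Pkts 0" is expected and the rule (direction, interface, port) is what to revisit; if the rule shows matches while Suricata still reports zero, the divert socket port or the Suricata side is the next thing to look at.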

-----Original Message-----
From: Romain FABBRI
Sent: Thursday, October 29, 2020 15:27
To: [email protected]
Subject: Correct way to implement an IDS between relayd and httpd

Hello misc users,

I'm trying to have my HTTP SSL protocol terminated by relayd, and then the resulting plain HTTP protocol filtered by some WAF before being passed to httpd. I'm currently trying with suricata since it's in packages, but I'm open to suggestions.

What would be the correct way to use an IDS between relayd and httpd?
If anyone had some tips to do it correctly it would be really helpful.

The goal design is:
[web client WEB TCP443] => [Relayd (public ip)] => [TCP8180 Suricata] => [TCP8080 Httpd]

I've currently managed to make relayd "relay to" httpd and it's working great!
However, I'm not too sure how to do filtering with an IPS in the middle of relayd and httpd...

It seems that suricata can be reading both a unix-socket file OR a network interface.

Could be running it:
suricata -i vmx0 -d 8080
=> but I would inspect all the traffic, not just the HTTP protocol I got out of relayd, so I think it would be messy?
=> not sure if it is possible to tell suricata to read from 8180, to filter dangerous packets, and write output to 8180 for example?

Maybe I could use socat to take relayd output (port TCP 8180) and bind it as a sock file?
socat -d -d TCP4-LISTEN:8180,fork UNIX-CONNECT:/var/suricata/suricata.sock

And then read from this socket and give output to httpd:
suricata -c /etc/suricata/suricata.yaml --unix-socket /var/suricata/suricata.sock -d 8080

But I get an error: <Error> - [ERRCODE: SC_ERR_MULTIPLE_RUN_MODE(126)] - more than one run mode has been specified

Pasted important parts of my working config without suricata in the middle, in case it helps...

Using OpenBSD 7.8 stable

========================================
vi /etc/pf.conf

pass in on egress proto tcp from any to any port 80
pass in on egress proto tcp from any to any port 443
========================================
vi /etc/relayd.conf

relay "wwwsecure4" {
  listen on $external_ipv4 port 443 tls
  protocol wwwsecure
  forward to 127.0.0.1 port 8080
}
========================================
vi /etc/httpd.conf:

server "preprod.alienconsulting.net" {
    listen on 127.0.0.1 port 8080
    root "/htdocs/notSoMuchTrustedWebsite"
    directory index "index.php"
    location "/*.php" {
        fastcgi socket "/run/php-fpm.sock"
    }
}

Regards,
Romain
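
A consistency check for the design question above, added here as an example (not code from the thread, nor from relayd, httpd or Suricata): Suricata's -d option is its divert (IPFW-style) inline mode, in which pf feeds it packets from a divert socket and it reinjects the ones it accepts; it is not a TCP listener, so there is no separate TCP8180 hop to proxy through. In that model the divert-packet rule has to match the traffic relayd forwards to httpd, here 127.0.0.1 port 8080, which travels over lo0. The functions below extract relayd's `forward to` targets and pf.conf's divert-packet destination ports and report whether each hop is covered. The relayd.conf text and the first pf.conf text are copied from the snippets in the thread; the second pf.conf, with the lo0 divert rule and the divert socket port 700, is an assumed addition for illustration, not something the thread confirms works.

```shell
#!/bin/sh
# Added example, not from the thread: cross-check the relayd -> httpd hop against
# pf.conf to see whether any divert-packet rule covers it. Suricata's -d mode only
# sees what pf diverts, so a rule must match traffic to the address and port that
# relayd forwards to. The config texts below are CONSTRUCTED from the snippets in
# the thread; the lo0 divert rule (divert socket port 700) is an assumed addition.

RELAYD_CONF='relay "wwwsecure4" {
  listen on $external_ipv4 port 443 tls
  protocol wwwsecure
  forward to 127.0.0.1 port 8080
}'

# pf.conf as posted: nothing is diverted, so Suricata in -d mode would see no packets.
PF_CONF_ORIGINAL='pass in on egress proto tcp from any to any port 80
pass in on egress proto tcp from any to any port 443'

# Assumed variant: the relayd -> httpd hop on lo0 is handed to a divert socket on port 700.
PF_CONF_WITH_DIVERT='pass in on egress proto tcp from any to any port 80
pass in on egress proto tcp from any to any port 443
pass in quick on lo0 inet proto tcp to 127.0.0.1 port 8080 divert-packet port 700'

# Reads relayd.conf text on stdin, prints "host port" for every "forward to" line.
relayd_forward_targets() {
    awk '$1 == "forward" && $2 == "to" {
        for (i = 3; i <= NF; i++) if ($i == "port") print $(i - 1), $(i + 1)
    }'
}

# Reads pf.conf text on stdin, prints the destination port of every divert-packet
# rule: the "port N" that appears BEFORE the divert-packet keyword (the "port N"
# after it names the divert socket, not a destination). Rules without a
# destination port print "any".
pf_diverted_dst_ports() {
    awk '/divert-packet/ {
        dst = "any"
        for (i = 1; i <= NF; i++) {
            if ($i == "divert-packet") break
            if ($i == "port") dst = $(i + 1)
        }
        print dst
    }'
}

# divert_covers_hop <pf.conf text> <relayd.conf text>
# Prints "covered host:port" or "not-covered host:port" per relayd forward target.
divert_covers_hop() {
    pf_conf=$1
    relayd_conf=$2
    printf '%s\n' "$relayd_conf" | relayd_forward_targets | while read -r host port; do
        if printf '%s\n' "$pf_conf" | pf_diverted_dst_ports | grep -qx "$port"; then
            echo "covered $host:$port"
        else
            echo "not-covered $host:$port"
        fi
    done
}

# Demonstration: the posted pf.conf leaves the hop uncovered, the assumed one covers it.
divert_covers_hop "$PF_CONF_ORIGINAL" "$RELAYD_CONF"
divert_covers_hop "$PF_CONF_WITH_DIVERT" "$RELAYD_CONF"
```

The check is deliberately narrow: it confirms that a divert rule names the port relayd forwards to, which is the precondition for Suricata's -d mode to see that traffic at all. Whether the rule's interface and direction also fit (lo0 and `in` for a forward to 127.0.0.1) is something the pf rule counters, rather than the config text, settle.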
