Hi

Built Suricata from sources with "ipfw divert-sockets" support on OpenBSD 5.4. After that I made some efforts to get Suricata working with the "divert-packet" directive for divert sockets in pf.conf. I added the rule below to pf.conf as man divert(4) recommends (I tried this PF rule on port 80 and on all ports, as listed below):

pass out on $ext_if inet proto tcp divert-packet port 8000

Afterwards I ran Suricata to listen with the "-d 8000" directive.

I waited for some foreground output from Suricata for traffic redirected from the PF divert, but it seems nothing is provided by the DPI engine, because of the difference in divert algorithms between PF and IPFW, which is what Suricata supports.

I don't know what the difference between PF and IPFW divert rules is in nature. Is IPFW divert-sockets completely different from the PF divert-packet realization?

Has somebody had a successful experiment with Suricata and PF on OpenBSD using divert(4)?

But Suricata listens successfully on any OpenBSD system interface with the "-i interface-name" directive. So I can see the full output of packet processing while Suricata runs in the foreground, but not from PF.

Thanks.

Denis
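As an added illustration of what a divert(4) consumer such as Suricata has to do with the packets a `divert-packet port N` rule hands it (this is example code written for this thread, not Suricata's or OpenBSD's own code), the sketch below opens a divert socket the way the OpenBSD divert(4) manual describes it (`socket(AF_INET, SOCK_RAW, IPPROTO_DIVERT)` bound to the rule's port), parses the IPv4 header of each diverted packet, and either reinjects it unchanged with `sendto()` using the address it arrived with or drops it by simply not reinjecting. The parser and verdict logic are pure Python and run anywhere; only `divert_loop()` needs a BSD host with `IPPROTO_DIVERT`. The port numbers, addresses and the `blocked_ports` policy are assumptions constructed for the example.

```python
"""Sketch of a divert(4) consumer (added example, not code from the thread).

Assumed divert(4) semantics (per the OpenBSD manual, treated here as an
assumption): a raw socket with IPPROTO_DIVERT bound to port N receives every
packet matched by `divert-packet port N` in pf.conf, and sendto() with the
address returned by recvfrom() reinjects it; a packet that is never sent
back is dropped. Reinjected packets skip pf, so nothing loops.
"""
import socket
import struct


def parse_ipv4(pkt: bytes) -> dict:
    """Extract the fields a DPI engine looks at first: addresses, protocol, ports."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (vihl, _tos, _total_len, _ident, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 packet")
    info = {
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "proto": proto,
        "payload": pkt[ihl:],
    }
    # TCP (6) and UDP (17) both start with source and destination ports.
    if proto in (6, 17) and len(pkt) >= ihl + 4:
        info["sport"], info["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return info


def verdict(pkt: bytes, blocked_ports: frozenset) -> str:
    """Return 'pass' or 'drop' for one diverted packet.

    The packet bytes are never modified: as the thread notes, rewriting a
    diverted packet desynchronises the TCP stream, so the only safe
    decisions are to reinject unchanged or to drop.
    """
    try:
        info = parse_ipv4(pkt)
    except ValueError:
        return "drop"          # malformed packets are not worth reinjecting
    if info.get("sport") in blocked_ports or info.get("dport") in blocked_ports:
        return "drop"
    return "pass"


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet for offline tests (constructed data, checksum 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def divert_loop(port: int, blocked_ports: frozenset) -> None:
    """Consume packets from a divert(4) socket bound to `port` (BSD only)."""
    proto_divert = getattr(socket, "IPPROTO_DIVERT", None)
    if proto_divert is None:
        raise OSError("IPPROTO_DIVERT is not available on this platform")
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, proto_divert)
    s.bind(("0.0.0.0", port))          # must match the pf.conf divert-packet port
    while True:
        pkt, addr = s.recvfrom(65535)  # addr carries the direction/interface info
        if verdict(pkt, blocked_ports) == "pass":
            s.sendto(pkt, addr)        # reinject unchanged with the same address
        # a dropped packet is simply never sent back


if __name__ == "__main__":
    # Offline demonstration on constructed packets; the real loop would be
    # divert_loop(8000, frozenset({80})) to match `divert-packet port 8000`.
    tcp_to_80 = build_ipv4("192.0.2.1", "198.51.100.7", 6,
                           bytes([0x9C, 0x40, 0x00, 0x50]) + bytes(16))
    print(parse_ipv4(tcp_to_80)["dport"], verdict(tcp_to_80, frozenset({80})))
```

Two things the sketch makes visible that the pf rule alone does not: the rule must cover both directions of a flow (a single `pass out` rule diverts only outbound packets, so the consumer never sees the replies), and a consumer that reads from the socket but never calls `sendto()` silently blackholes everything the rule matches, which is exactly what an inline engine looks like when its divert support does not match the kernel's semantics.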


On 05.03.2015 8:20, sadegh solati wrote:
Hi
Google is your best friend to obtain info about everything.
Anyway, I will give some info about how to use divert.
pf is a part of the kernel, and the kernel has its own memory space which cannot be accessed by user applications. Suricata and Snort are user-level applications. For doing inspection they need data, thus you need a tool to copy data from kernel memory space to user memory space. This tool is divert.
using divert has some limitations.
for example:

1- Copying data takes a lot of time.
2- You can pass or drop the packet. Altering the packets will cause TCP desynchronization.
3- For saving resources you might want to do NAT after the packets were inspected. This is not possible because pf will ignore a reinjected packet from divert for preventing loops (being diverted again).

There is a guide on the Suricata redmine for how to use divert on FreeBSD with ipfw; it also works on OpenBSD with pf. You can use something like this in your pf.conf:

pass in quick from any to any port 80 divert-packet 8080 keep state

For more info Google is your friend.

regards
Sadegh


On Wednesday, March 4, 2015, Denis Lapshin <[email protected]> wrote:

    Just have read about Snort and Suricata engines. The second one
    looks more productive in DPI task because of utilizing
    multi-thread algorithms.

    Could you explain a bit more about "divert" with Suricata to make
    an inline DPI engine.

    Thanks

    On 04.03.2015 20:06, sadegh solati wrote:
    Hi,
    You can use divert with Snort or Suricata.
    You can make an inline IPS using them.

    On Wednesday, March 4, 2015, Denis Lapshin <[email protected]> wrote:

        Hi there!

        Interested in how to make a Deep Packet analyzing engine for
        my OpenBSD box. I'm currently using PF to perform IP header
        manipulation. But sometimes I need to analyze packet data
        during packet traversal.

        Please give some recommendations.

        Thanks.

-- Denis
