OpenBSD dropping individual packets

2006-12-22 Thread Richard Thornton

Hi

OpenBSD rocks and I have donated to this great cause :-)

Hope you can help.  So I have the following setup:

 DMZ
|
|
LAN-OpenBSD/PF/Snort?--Internet

So in a nutshell I want to drop packets (not sessions) that match an IDS
signature after PF filtering.

So for example (PF is a Layer 3 filter):

1. A PF rule allows SMTP to the DMZ from the Internet
2. SMTP traffic is permitted by PF
3. IDS detects an attack packet that would be permitted by the above
rule
4. System (Snort) drops only the matching attack packets

So AFAIK flexresp, snortsam, snort2pf and guardian are out.

Snort has to be inline, which it is, so can I drop single packets after
PF filtering that match a signature?

Is this available currently? If so, how do I go about it, or can something
be put together?

Thanks for your time.

Cheers
Richard



Re: OpenBSD dropping individual packets

2006-12-22 Thread Jason George
> Hi
>
> OpenBSD rocks and I have donated to this great cause :-)
>
> Hope you can help.  So I have the following setup:
>
>   DMZ
>  |
>  |
> LAN-OpenBSD/PF/Snort?--Internet
>
> So in a nutshell I want to drop packets (not sessions) that match an IDS
> signature after PF filtering.
>
> So for example (PF is a Layer 3 filter):
>
> 1. A PF rule allows SMTP to the DMZ from the Internet
> 2. SMTP traffic is permitted by PF
> 3. IDS detects an attack packet that would be permitted by the above
> rule
> 4. System (Snort) drops only the matching attack packets
>
> So AFAIK flexresp, snortsam, snort2pf and guardian are out.
>
> Snort has to be inline, which it is, so can I drop single packets after
> PF filtering that match a signature?
>
> Is this available currently? If so, how do I go about it, or can something
> be put together?



http://www.openbeer.it/?open=pq

Unfortunately, this code is likely stale in certain areas, as it has not been 
updated in just over a year.  The first thing that would have to be done is to 
sync the code against at least 4.0, then patches for snort would have to be 
re-done.

From the README:

-[ Userspace Packet Queueing ]-

by Michele 'mydecay' Marchetto
[EMAIL PROTECTED]

1. Content

* Kernel patch (3.8-stable)
* libpq
* pfctl patch (3.8-stable)
* /usr/include patch (3.8-stable)
* snort_inline patch (2.1.3b)
* stats tools

2. Features

* This series of patches allows you to queue packets to userspace,
specifying pf rules accordingly. This lets you use tools like
snort_inline, or even make use of self-made tools based on libpq.

3. Version

This is the very first version of this infrastructure, so it is
very very very (very) experimental. Discussion about bugs, features
and other related things can take place on [EMAIL PROTECTED]. For
everything else, feel free to mail me. Bug reports are welcome.

4. BUGS!

This beta version does not support IPSec. This is the first thing
that will be fixed in the next version.
The 3.8 version seems to work well on layer 2 and 3, even mixed with
altq. Pfsync untested.

5. Installation

To compile correctly snort_inline you need to install libpcre, gmake and
libnet 1.0.x from ports or packages.

Apply all the patches, and then build libpq with make && make install &&
make clean. Then you are able to work with the infrastructure.
It is important to note that snort_inline must be compiled with gmake
instead of make, and you must create the log directory yourself.
Run snort_inline with -Q argument.
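The point of the thread, and of the pq patches, is that a userspace consumer can return a per-packet verdict: PF has already passed the SMTP flow at layer 3, and the queue consumer drops only the individual packet whose payload matches a signature, leaving the PF state entry and the TCP session intact. The following is an added illustration of that verdict loop, not code from the thread, from libpq, from the pq kernel patch or from snort_inline. The queue interface is a hypothetical stand-in (an in-memory list of constructed IPv4/TCP packets), the signature is a constructed placeholder pattern rather than a real Snort rule, and the addresses are documentation ranges, so the whole thing runs offline.

```python
"""Per-packet verdicts for a PF-accepted SMTP flow (added example, not pq/libpq code).

The queue is a hypothetical stand-in: a list of constructed packets instead
of a kernel queue. Only packets whose payload matches a signature on the
inspected port are dropped; every other packet of the same session passes.
"""
import struct
from enum import Enum


class Verdict(Enum):
    PASS = "pass"   # reinject the packet; PF's state entry for the flow is untouched
    DROP = "drop"   # discard this packet only, not the session


# Constructed signature set: (destination port, byte pattern). Placeholder, not a Snort rule.
SIGNATURES = [
    (25, b"EXAMPLE-BAD-PATTERN"),
]


def build_tcp_packet(src, dst, sport, dport, payload):
    """Construct a minimal IPv4 + TCP packet (no options, checksums left zero)."""
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
        bytes(int(o) for o in src.split(".")),
        bytes(int(o) for o in dst.split(".")),
    )
    # data offset 5 (20-byte header), flags PSH|ACK, window 65535
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_ipv4_tcp(pkt):
    """Return (src, dst, sport, dport, payload) for an IPv4/TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or len(pkt) < ihl + 20:       # not TCP, or truncated TCP header
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    data_offset = (pkt[ihl + 12] >> 4) * 4
    return src, dst, sport, dport, pkt[ihl + data_offset:]


def verdict(pkt):
    """Decide the fate of one packet. PF already did the layer-3 filtering,
    so anything we cannot inspect is passed through unchanged."""
    parsed = parse_ipv4_tcp(pkt)
    if parsed is None:
        return Verdict.PASS
    _, _, _, dport, payload = parsed
    for port, pattern in SIGNATURES:
        if dport == port and pattern in payload:
            return Verdict.DROP
    return Verdict.PASS


def run_queue(packets):
    """Drain the (stand-in) queue. Returns the verdict list and per-flow counters,
    which show that a dropped packet does not end the flow it belongs to."""
    verdicts, flows = [], {}
    for pkt in packets:
        v = verdict(pkt)
        verdicts.append(v)
        parsed = parse_ipv4_tcp(pkt)
        if parsed is not None:
            key = parsed[:4]                      # (src, dst, sport, dport)
            stats = flows.setdefault(key, {"passed": 0, "dropped": 0})
            stats["passed" if v is Verdict.PASS else "dropped"] += 1
    return verdicts, flows


# Constructed SMTP session from the Internet to a DMZ host: the middle packet
# carries the placeholder pattern, the ones around it are ordinary commands.
CONSTRUCTED_QUEUE = [
    build_tcp_packet("198.51.100.7", "192.0.2.25", 40000, 25, b"EHLO mail.example\r\n"),
    build_tcp_packet("198.51.100.7", "192.0.2.25", 40000, 25, b"EXAMPLE-BAD-PATTERN\r\n"),
    build_tcp_packet("198.51.100.7", "192.0.2.25", 40000, 25, b"MAIL FROM:<a@example>\r\n"),
]

if __name__ == "__main__":
    results, per_flow = run_queue(CONSTRUCTED_QUEUE)
    for r in results:
        print(r.value)
    print(per_flow)
```

The per-flow counters are what distinguish this from the session-killing tools the original poster ruled out: the same 4-tuple ends with two passed packets and one dropped one, and a second signature match on a different port is not dropped because the signature is scoped to port 25.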