> Hi
>
> OpenBSD rocks and I have donated to this great cause :-)
>
> Hope you can help. So I have the following setup:
>
>                   DMZ
>                    |
>                    |
> LAN-----OpenBSD/PF/Snort?------Internet
>
> So in a nutshell I want to drop packets (not sessions) that match an IDS
> signature after PF filtering.
>
> So for example (PF is a Layer 3 filter):
>
> 1. A PF rule allows SMTP to the DMZ from the Internet
> 2. SMTP traffic is permitted by PF
> 3. IDS detects an attack packet that would be permitted by the above
>    rule
> 4. System (Snort) drops only the matching attack packets
>
> So AFAIK flexresp, snortsam, snort2pf and guardian are out.
>
> Snort has to be inline, which it is, so can I drop single packets after
> PF filtering that match a signature?
>
> Is this available currently, if so, how do I go about it, can something
> be put together?
http://www.openbeer.it/?open=pq

Unfortunately, this code is likely stale in certain areas, as it has not been updated in just over a year. The first thing that would have to be done is to sync the code against at least 4.0, then patches for snort would have to be re-done.

From the README:

-[ Userspace Packet Queueing ]-
by Michele 'mydecay' Marchetto <[EMAIL PROTECTED]>

1. Content

 * Kernel patch (3.8-stable)
 * libpq
 * pfctl patch (3.8-stable)
 * /usr/include patch (3.8-stable)
 * snort_inline patch (2.1.3b)
 * stats tools

2. Features

 * This series of patches allows you to queue packets to userspace, specifying pf rules accordingly. This lets you use tools like snort_inline, or even make use of self-made tools based on libpq.

3. Version

This is the very first version of this infrastructure, so it is very very very (very) experimental. Discussion about bugs, features and other things related can take place on [EMAIL PROTECTED]. For everything else, feel free to mail me. Bug reports are welcome.

4. BUGS!

This beta version does not support IPSec. This is the first thing that will be fixed in the next version. The 3.8 version seems to work well on layer 2 and 3, even mixed with altq. Pfsync untested.

5. Installation

To compile snort_inline correctly you need to install libpcre, gmake and libnet 1.0.x from ports or packages. Apply all the patches, and then build libpq with make && make install && make clean. Then you are able to work with the infrastructure. It is important to note that snort_inline must be compiled with gmake instead of make, and you must create the log directory yourself. Run snort_inline with the -Q argument.
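The per-packet decision chain the question describes (PF allows SMTP to the DMZ, then the inline IDS drops only the packets whose content matches a signature, leaving the rest of the session untouched) modelled as an added Python example; this is not code from the thread, from the packet-queueing patches or from snort_inline, and the DMZ prefix, the content signature and the sample packets are all constructed.

```python
from dataclasses import dataclass
import ipaddress

# Constructed DMZ prefix (documentation range), standing in for the poster's DMZ.
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")

# Constructed content signature; a real deployment would use the IDS rule set.
SIGNATURES = {"constructed-smtp-probe": b"ATTACK"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


def pf_pass(pkt: Packet) -> bool:
    """Layer 3/4 check modelled on a rule like 'pass in proto tcp to DMZ port 25'."""
    return ipaddress.ip_address(pkt.dst) in DMZ_NET and pkt.dport == 25


def ids_hits(pkt: Packet) -> list:
    """Content match on a single packet; no session state is kept on purpose."""
    return [name for name, pat in SIGNATURES.items() if pat in pkt.payload]


def verdict(pkt: Packet) -> str:
    """PF decides first; only packets PF would pass reach the IDS check.

    A signature match drops that one packet ('drop:<sig>'); the next packet of
    the same session is judged on its own, which is the 'packets, not sessions'
    behaviour the question asks for.
    """
    if not pf_pass(pkt):
        return "block:pf"
    hits = ids_hits(pkt)
    return "drop:" + hits[0] if hits else "pass"


def run(packets) -> list:
    return [verdict(p) for p in packets]


# Constructed traffic: one SMTP session to the DMZ plus one non-SMTP packet.
SAMPLE = [
    Packet("198.51.100.7", "192.0.2.25", 25, b"EHLO relay.example\r\n"),
    Packet("198.51.100.7", "192.0.2.25", 25, b"MAIL FROM:<ATTACK@example>\r\n"),
    Packet("198.51.100.7", "192.0.2.25", 25, b"RCPT TO:<user@example>\r\n"),
    Packet("198.51.100.7", "192.0.2.25", 22, b"SSH-2.0-constructed\r\n"),
]

if __name__ == "__main__":
    for pkt, v in zip(SAMPLE, run(SAMPLE)):
        print(pkt.dport, v)
```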