On Thu, Oct 08, 2009 at 12:27:46PM +0100, Richard Brooks wrote:
> Hello, I am trying to get some up-to-date information on how to install and
> configure Snort on a modern OpenBSD box. At the moment it seems that Snort
> has only limited functionality for OpenBSD, and in general seems to prefer
> either Linux or Windows. I have tried downloading and installing various
> Snort related packages/ports from OpenBSD's ftp sites to my OpenBSD 4.5 box.
> But have had to disable various pre-processors and dynamic rules as the
> libraries (shared objects) don't seem to be available for OpenBSD, also
> Snort seems to prefer access control lists which currently are not a feature
> of OpenBSD, am also having issues running Snort from the command line and
> have to keep rebooting to see if a modification to Snort's configuration has
> worked.
> 
> I feel that I must surely be missing something. The OpenBSD OS was written
> with security in mind. Its primary use must surely therefore be in the
> field of network security devices? So why am I having such a hard time
> finding information on how to use OpenBSD with Snort (the de facto open
> source standard for IDS's and IPS's)? Surely OpenBSD must be good for more
> security uses than just a firewall?

What, specifically, fails to work?

OpenBSD has a snort package, I assume that will install without issues.
Don't you get a working IDS just by installing the port (and updating
the rules, if so desired)? What, specifically, are the issues?

There is no support for the "queue packets to userspace" required by
Snort's IPS mode in any released OpenBSD version (but see
http://archives.neohapsis.com/archives/openbsd/cvs/2009-10/0067.html; I
don't know how hard it would be to get Snort to work.)

All told, though, I'm not convinced that IDSes are worth the time
investment. Your situation may warrant one, however.

                Joachim
