cpet/openbsd-ports
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
openbsd-ports/security/suricata/pkg
History
sthen b6f656d580 Remove share/doc/suricata, the files it contains are all just a couple of 
lines redirecting readers to the website. ok gonzalo@
2020-01-22 10:21:47 +00:00
..
DESCR
PLIST
Remove share/doc/suricata, the files it contains are all just a couple of
2020-01-22 10:21:47 +00:00
README
typo in README suritcata->suricata
2019-03-29 16:53:20 +00:00
suricata.rc

README 

$OpenBSD: README,v 1.7 2019/03/29 16:53:21 sthen Exp $

+-----------------------------------------------------------------------
| Running ${PKGSTEM} on OpenBSD
+-----------------------------------------------------------------------

Starting suricata
=================

For normal use, you need to set first your interface and enable the
daemon:

# rcctl enable suricata
# rcctl set suricata flags -i em0

And you need the rules, these rules are expected to be present in the
${SYSCONFDIR}/suricata/rules directory as defined in
${SYSCONFDIR}/suricata/suricata.yaml.

Rule management
===============

It is possible to download and install rules manually, but there is a
much easier and quicker way to do so. There are special programs which
you can use for downloading and installing rules.

After installing the new rulesets described below, restart suricata to
pick up the new rules:

# rcctl restart suricata

Note that the installed rules have to be updated regularly by the program
used to fetch them initially. For example use cron to update the rules
every 24h.

suricata-update
---------------

suricata-update is the recommended way to install and update rules for
suricata. By default it will download the new rules into
${VARBASE}/suricata/rules/ .

Modify ${SYSCONFDIR}/suricata/suricata.yaml like this:

    default-rule-path: ${VARBASE}/suricata/rules/
    rule-files:
      - suricata.rules

And restart suricata:

# rcctl restart suricata

Oinkmaster
----------

The other common method is with Oinkmaster which can be installed with:

# pkg_add oinkmaster

There are several rulesets. There is for example Emerging Threats (ET)
Emerging Threats Pro and VRT. In this example we are using Emerging
Threats.

Oinkmaster has to know where the rules an be found. These rules can be
found at:

https://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz

And you can download as follow:

# cd /etc && oinkmaster -C ${SYSCONFDIR}/oinkmaster.conf \
	-o ${SYSCONFDIR}/suricata/rules

Inline mode (IPS)
=================

In order to run suricata "inline" in Intrusion Prevention mode, the following
needs to be added to `/etc/pf.conf`:

	pass out quick on egress inet proto tcp to port 80 divert-packet port 700

Adjust this to match what traffic suricata will need to inspect as well as the
port to divert to.

To enable inline ipfw mode of suricata on port 700:

# rcctl set suricata flags -d 700

Outbound packets don't have a correct checksum yet due to checksum offloading,
therefore suricata will log "SURICATA TCPv4 invalid checksum" and ignore these
packets. To workaround this set the following in suricata.yaml:

	stream:
	  checksum-validation: yes

Also adjust the configuration to drop packets:

	- drop:
	  enabled: yes

(Re)start suricata for the changes to take effect. Note that ipfw mode is
mutually exclusive with pcap live mode (-i).