Re: Suricata from packages
On 2020-01-21 18:49, Stuart Henderson wrote:
> On 2020-01-21, b2...@zonbie.net wrote:
>> To START suricata in live mode - Do this (as root):
>> #suricata -v -c /etc/suricata/suricata.yaml -i em0 &
> Well, that's one way. Or you can use the OS mechanisms.
>> To STOP suricata: pgrep suricata and kill -9 the pid returned.
> Why pgrep then kill when you can just pkill? -9 is a bit of a big hammer and doesn't give things a chance to close cleanly.

Noted. I will use pkill. Thanks.

Zann
Re: Suricata from packages
On 2020-01-18 07:08, Eric Zylstra wrote:
> On Jan 18, 2020, at 6:42 AM, Antoine Jacoutot wrote:
>> On Fri, Jan 17, 2020 at 11:24:22PM -0600, Eric Zylstra wrote:
>>> OpenBSD 6.6 Generic.MP amd64 Stable. I installed suricata using pkg_add. Having trouble with starting it.
>>> $ doas rcctl start suricata
>>> …fails. No informative fail message, though.
>> Run rcctl in debug mode.
> Notable that man rcctl(8) does not contain the word “debug”. I had to do a web search to confirm the -d argument was what I needed to get debug output.

Greetings,

I have used Suricata from packages for a while now. No real changes to configs. I don't use /etc/rc.d/suricata at all.

To START suricata in live mode - Do this (as root):

#suricata -v -c /etc/suricata/suricata.yaml -i em0 &

(please substitute your collection I/F as needed. Mine is em0 as in the example above)

Let that stew for a while but you can hit enter to get back to your prompt.

To STOP suricata: pgrep suricata and kill -9 the pid returned.

If I may add: Be sure to keep an eye on your logs as they will grow beyond bounds (/var/logs/suricata/). I generate eve.json at about 6GB in size in about 10 days.

Regards,
Zann
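Two points from this thread go together: Stuart's remark that kill -9 gives Suricata no chance to close cleanly, and Zann's warning that eve.json grows without bound. The following POSIX sh helper is an added example, not code from the thread and not part of the Suricata or OpenBSD packages. It checks the log against a size threshold, renames it with a timestamp, and then sends the running Suricata SIGHUP so it reopens its log files (Suricata documents SIGHUP for log reopening; confirm this against the version you run). Assumptions: the log lives at /var/log/suricata/eve.json (the thread writes /var/logs/suricata/, which I take to be the same directory), and the PID is obtained from pgrep or the rc script. Sizes are read with wc -c so the script does not depend on GNU versus BSD stat flags.

```shell
#!/bin/sh
# Added example: bound the growth of Suricata's eve.json without killing the daemon.
# Assumed default log path (not taken from the thread verbatim).
EVE_LOG=${EVE_LOG:-/var/log/suricata/eve.json}

# log_size_bytes FILE
#   Prints the file size in bytes. wc -c is portable across OpenBSD and Linux,
#   unlike the differing stat(1) flags.
log_size_bytes() {
    wc -c < "$1" | tr -d ' '
}

# needs_rotation FILE MAX_MB
#   Returns 0 (true) when FILE exists and is at least MAX_MB mebibytes,
#   1 otherwise. A missing file never needs rotation.
needs_rotation() {
    _file=$1
    _max_mb=$2
    [ -f "$_file" ] || return 1
    _size=$(log_size_bytes "$_file")
    [ "$_size" -ge $((_max_mb * 1024 * 1024)) ]
}

# rotate_log FILE [PID]
#   Renames FILE to FILE.YYYYMMDDHHMMSS and, when a PID is given, sends SIGHUP so
#   Suricata reopens its logs (a clean reopen, not the -9 discussed in the thread).
#   Prints the rotated file name; returns non-zero if the rename or signal fails.
rotate_log() {
    _file=$1
    _pid=$2
    _rotated="$_file.$(date +%Y%m%d%H%M%S)"
    mv "$_file" "$_rotated" || return 1
    if [ -n "$_pid" ]; then
        kill -HUP "$_pid" || return 1
    fi
    echo "$_rotated"
}

# rotate_if_needed MAX_MB
#   Intended to run from cron as root; uses pgrep for the PID, as the thread does.
rotate_if_needed() {
    _pid=$(pgrep -x suricata 2>/dev/null | head -n 1)
    if needs_rotation "$EVE_LOG" "$1"; then
        rotate_log "$EVE_LOG" "$_pid"
    fi
}
```

Run rotate_if_needed from a root cron entry with a threshold such as 1024; at the roughly 600 MB/day the thread reports, that rotates eve.json every couple of days and leaves the daemon running. Rotated files still need compressing or expiring (newsyslog or a second cron job), which this example does not do.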
Re: What is you motivational to use OpenBSD
On 2019-08-28 07:47, Raul Miller wrote:
> I would fix the issue, or use something else to get that done or abandon that project.
> (I am not sure why you would imagine that using OpenBSD implies not using other operating systems. It's *because* I use other operating systems that I like using OpenBSD.)
> Thanks,

So many good points brought up.

Along with all that has been mentioned, I use OpenBSD because there are no surprises when you install a service. The service is not started until you start it. Even if it started inadvertently, the config will have 'sane' defaults and not get you breached.

My OpenBSD start: I was running Untangle (based on Debian Linux) back in 2009 while looking for a PC-based router of some sort. I read Dru Lavigne's 'BSD Hacks' and found some things that I wanted my router to do using OpenBSD that Linux couldn't do (at least without recompiling the kernel). After that I was onto OpenBSD 4.6 with some early 'bump in the wire' devices in front of my Linux firewalls. I also read Michael W. Lucas's OpenBSD books - lots of info.

Then around 2010 I started using only OpenBSD as my firewall. I studied and built the pf rules up (thanks Peter N.M. Hansteen) so that I had confidence in placing OpenBSD on the open Internet as my only protection.

These days I use only OpenBSD for all my server builds. This includes router/firewall (pf), http webserver (in base), and OpenVPN servers. If there is anything I place on the open Internet - it is an OpenBSD build. No other.

Truthfully, you'll never know how good OpenBSD is until you try it. That's what I did.

Thank you.

Zann (at zonbie-dot-net)
Re: Best 1Gbe NIC
On 2019-08-02 08:26, Claudio Jeker wrote:
> On Fri, Aug 02, 2019 at 12:28:58PM +0100, Andy Lemin wrote:
>> Ahhh, thank you! I didn't realise this had changed and now the drivers are written with full knowledge of the interface.
> That is an overstatement but we know for sure a lot more about these cards than many other less open ones.
>> So that would make Intel Server NICs (i350 for example) some of the best 1Gbe cards nowadays then?
> They are well supported by OpenBSD as are many other server nics like bge and bnx. I would not call them best, when it comes to network cards it seems to be a race to the bottom. All chips have stuff in them that is just not great. em(4) for example needs a major workaround because the buffersize is specified by a bitfield. My view is more pessimistic, all network cards are shit there are just some that are less shitty. Also I prefer to use em(4) over most other gigabit cards.
> --
> :wq Claudio

Amen to that!! Especially Intel EIG44ET2 4-port GbE Nic.

Zann

Sent from a teeny tiny keyboard, so please excuse typos

> On 2 Aug 2019, at 09:52, Jonathan Gray wrote:
>
>> On Fri, Aug 02, 2019 at 09:19:09AM +0100, Andy Lemin wrote:
>> Hi list,
>>
>> I know this is a rather classic question, but I have searched a lot on this again recently, and I just cannot find any conclusive up to date information?
>>
>> I am looking to buy the best 1Gbe NIC possible for OpenBSD and the only official comments I can find relate to 3COM for ISA, or community consensus towards Chelsio for 10Gbe.
>>
>> I know Intel works ok and I've used the i350's before, but my understanding is that Intel still doesn't provide the documentation for their NICs and so the emX driver is reverse engineered.
>
> This is incorrect. Intel provides datasheets for Ethernet parts.
> em(4) is derived from Intel authored code for FreeBSD supplied under a
> permissive license.
>
>>
>> And if I remember correctly some offload features were also disabled in the emX driver a while back as some functions were found to be insecure on die and so it was deemed safer to bring the logic back on CPU.
>>
>> So I'm looking for the best 1Gbe NIC that supports the most offloading/best driver support/performance etc.
>>
>> Thanks, Andy.
>>
>> PS; could we update the official supported hardware lists? ;)
>> All the best.
>>
>>
>> Sent from a teeny tiny keyboard, so please excuse typos
>>