Suricata - Divert (IPS)

Started by xpendable, Today at 01:40:00 AM

Today at 01:40:00 AM Last Edit: Today at 03:39:14 AM by xpendable
So I just upgraded to 26.1 and migrated the firewall rules over as well (don't have many) and everything went over smoothly with no issues.

However, I was wondering about the new Divert (IPS) capture mode, as the documents state that a firewall rule is needed in the new rules section. If you select this capture mode, will a new firewall rule be auto-generated for it?

Also as a side question, if you diverted all WAN traffic for inspection anyway... would there be any benefit from Netmap (IPS) mode?

EDIT:
Well I just went ahead and enabled it, and basically answered my own questions :)

No rule is created automatically, so after setting Suricata to Divert (IPS) mode with 8 listeners (8 CPUs) I created a new rule on the WAN interface just below the Q-Feeds rule to pass all incoming traffic to Intrusion Protection. Works as expected, and I suppose it's probably more efficient since it's using PF and coming after the Q-Feeds rule. No sense in inspecting blocked traffic.

However I noticed that after doing so the "Interface" in the Intrusion Protection Alerts page is blank, makes sense... but is there a way in the future to pull this information from the firewall rule?
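Added example, not code from this thread or from the OPNsense project: a small parser for Suricata's EVE JSON alert log that tolerates a missing interface field. It assumes (an assumption, not confirmed by the thread) that alerts captured through the divert path arrive without an `in_iface` key, which is the blank "Interface" the post above describes; the parser substitutes a label so per-interface counts still work. The log lines are constructed samples, not real captures.

```python
import json
from collections import Counter

# Constructed sample EVE JSON lines (not real captured data). The second record
# deliberately has no "in_iface" key, modelling the assumption that an alert
# captured via the divert path carries no interface name. The last two lines
# are a non-alert event and a corrupt line, which the parser must skip.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2026-01-30T01:40:00.000000+0000","event_type":"alert","in_iface":"igc0",'
    '"src_ip":"203.0.113.10","dest_ip":"192.0.2.5","proto":"TCP",'
    '"alert":{"action":"blocked","signature_id":1000001,"signature":"LOCAL constructed test alert","severity":2}}',
    '{"timestamp":"2026-01-30T01:41:00.000000+0000","event_type":"alert",'
    '"src_ip":"203.0.113.11","dest_ip":"192.0.2.5","proto":"TCP",'
    '"alert":{"action":"allowed","signature_id":1000001,"signature":"LOCAL constructed test alert","severity":2}}',
    '{"timestamp":"2026-01-30T01:42:00.000000+0000","event_type":"flow",'
    '"src_ip":"198.51.100.7","dest_ip":"192.0.2.5","proto":"UDP"}',
    'this line is not json',
]


def parse_eve_alerts(lines, default_iface="(divert)"):
    """Yield normalised alert records from EVE JSON lines.

    Non-alert events and malformed lines are skipped. When "in_iface" is
    absent or empty, default_iface is used so downstream grouping never
    ends up keyed on None.
    """
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # corrupt or partial line: skip, do not abort the run
        if rec.get("event_type") != "alert":
            continue
        alert = rec.get("alert", {})
        yield {
            "timestamp": rec.get("timestamp"),
            "iface": rec.get("in_iface") or default_iface,
            "src_ip": rec.get("src_ip"),
            "dest_ip": rec.get("dest_ip"),
            "proto": rec.get("proto"),
            "action": alert.get("action"),
            "sid": alert.get("signature_id"),
            "signature": alert.get("signature"),
        }


def summarise_by_iface(lines, default_iface="(divert)"):
    """Count alerts per (interface, action) pair, e.g. to spot a ruleset
    that is alerting but never blocking on one capture path."""
    counts = Counter()
    for a in parse_eve_alerts(lines, default_iface):
        counts[(a["iface"], a["action"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for a in parse_eve_alerts(SAMPLE_EVE_LINES):
        print(f'{a["timestamp"]} {a["iface"]:>9} {a["action"]:>7} '
              f'{a["src_ip"]} -> {a["dest_ip"]} sid={a["sid"]} {a["signature"]}')
    print(summarise_by_iface(SAMPLE_EVE_LINES))
```

On a live box the same functions can be fed `open("/var/log/suricata/eve.json")` line by line; the substituted label makes it obvious in reports which alerts came in without an interface name rather than silently merging them with a real interface.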

Hello, please open an issue on GitHub asking about the interface in Suricata when divert is used. It's easier to track, thank you.

https://github.com/opnsense/core/issues
Hardware:
DEC740

Issue has been created as requested.

Another upside to using Divert (IPS) mode, the memory consumption has been cut in half since Netmap is no longer being used :)

What might also be a benefit is compatibility and stability with VM network interfaces, as you don't have to use the emulated netmap driver anymore (the high-performance native netmap driver requires Intel network cards to work correctly most of the time).
Hardware:
DEC740