Seeking Guidance on Deep Packet Inspection Research

[hsing]

Hello Forum community,

I have a question regarding Deep Packet Inspection (DPI) that I hope to discuss here. I came across a discussion about nDPI in the forum (https://forum.opnsense.org/index.php?topic=15820.0) and was wondering if there are any plans to continue research in this area? I am quite interested in this field but currently lack sufficient resources and would appreciate any guidance from experts familiar with this topic.

I'm unsure if this is the right section to post this message since the IDS/IPS documentation mentions DPI (https://docs.opnsense.org/manual/ips.html) but doesn't seem to delve deeply into the subject. I have also searched for relevant information in FreeBSD and Suricata documentation without success. However, I found some DPI-related material in the AsiaBSDCon conference presentations (https://www.netbsd.org/gallery/presentations/ast/2012_AsiaBSDCon/Tutorial_NETGRAPH.pdf) (page 35), which I suspect may be related to the packages used by Suricata. Therefore, I am curious if others are also exploring this area and could share some insights.

I hope to find some assistance here. Thank you!

[Greg_E]

You may also want to look at the Zenarmor product and some of the guides that they publish.

[hsing]

Thank you very much for your response. Based on your suggestion, I found a document on Zenarmor explaining DPI and another manual on Zenarmor in the OPNsense Plugin.
https://www.zenarmor.com/docs/network-security-tutorials/what-is-deep-packet-inspection-dpi
https://www.zenarmor.com/docs/opnsense

I have an additional question: Is OPNsense currently using only Zenarmor for DPI-related functions? I had previously come across the nProbe plugin but it seems it's no longer in use. Are there any plans for developing nDPI and Netifyd, or have these been discontinued? Any information you could provide would be very helpful, thank you.

[Monviech (Cedrik)]

Thanks for your E-Mail but I don't know that much about DPI.

Whats important to understand is, that OPNsense itself uses a collection of FreeBSD Ports. So most of the things that are here are built and included in the Firewall: https://github.com/opnsense/ports

Another factor would be, if a DPI engine can actually terminate TLS traffic and then encrypt it again after inspecting it.
- Suricata can't without extra tools
- Squid can
- Zenarmor probably can too but I don't know.

[hsing]

Understood, and thank you very much for your response. Additionally, I would like to know where I can continue discussions on DPI or further discussions on the "Packet Flow Diagram" that I emailed you about. I am considering whether it's possible to discern the entire packet routing of OPNsense, including what processes the packet inflow and outflow, etc. Should I be looking into this within FreeBSD or within OPNsense? Thank you.

[Monviech (Cedrik)]

"vanilla" OPNsense without extensions like Zenarmor uses pf for most packet forwarding.
https://man.freebsd.org/cgi/man.cgi?pf

The only shared forwarding is with the captive portal and dummynet which uses ipfw
https://man.freebsd.org/cgi/man.cgi?dummynet
https://man.freebsd.org/cgi/man.cgi?ipfw(8)

So everything that happens here is FreeBSD based paket flow.

[hsing]

Thank you for the information provided. I will further refer to it and continue to search and learn. Thank you.