Suricata - Divert (IPS)

[QuisaZaderak]

I understand I should configure at least the two allow rules to divert traffic to suricata but what happens with the block rule? I do nothing?

If it is already blocked by the FW rule, it does not need to be diverted further.

[Ametite]

Hi, regarding the Suricata crash issue with IPS Divert mode (https://github.com/opnsense/core/issues/9712), is anyone else affected by the same problem?

[phanos]

I understand I should configure at least the two allow rules to divert traffic to suricata but what happens with the block rule? I do nothing?

If it is already blocked by the FW rule, it does not need to be diverted further.

Right but what about port forwarding? How you handle these? They do not seem to have direct to...

[szix96]

Hello,

sorry having a hard time understanding this DIVERT parameter.
So if i set FW rules to allow ports 443/80/5520 and then i create an additional FW rule with the same SRC/DST IP's then the 1ST rule would allow only the traffic on the ports defined and the second would send the traffic to the IPS?
or how is it possible to filter with DIVERT IPS?

as in the pic if i allow the 2 DIVERT rules?

Thank you all for the awesome work on this.

[Ametite]

Hello,

sorry having a hard time understanding this DIVERT parameter.
So if i set FW rules to allow ports 443/80/5520 and then i create an additional FW rule with the same SRC/DST IP's then the 1ST rule would allow only the traffic on the ports defined and the second would send the traffic to the IPS?
or how is it possible to filter with DIVERT IPS?

as in the pic if i allow the 2 DIVERT rules?

Thank you all for the awesome work on this.

I think you confused protocol divert with Advanced Options -> divert to. Or I miss something..

[szix96]

Hello,

sorry having a hard time understanding this DIVERT parameter.
So if i set FW rules to allow ports 443/80/5520 and then i create an additional FW rule with the same SRC/DST IP's then the 1ST rule would allow only the traffic on the ports defined and the second would send the traffic to the IPS?
or how is it possible to filter with DIVERT IPS?

as in the pic if i allow the 2 DIVERT rules?

Thank you all for the awesome work on this.

I think you confused protocol divert with Advanced Options -> divert to. Or I miss something..

Thank you, but i do not find it in the advanced settings in the FW rule just the protocol as divert.
edit: Found it in the new FW rules, so it is only available in the new rules, or is it also available in the legacy FW rules?


"To use the "Divert (IPS)" mode, you must use Firewall ‣ Rules [new] and create firewall rules that contain the "Divert-to" setting. Check the Rules manual for more information.
"
https://docs.opnsense.org/manual/ips.html
https://docs.opnsense.org/manual/firewall.html#divert-to

[csszep]

Hi!

I am not familiar with the details of the divert-to functionality in FreeBSD when it is implemented with pf, but when using ipfw there is an option to use reinject mode, where, if Suricata does not drop the packet, it reinjects it back into the network stack at the specified ipfw rule:

https://docs.suricata.io/en/latest/configuration/suricata-yaml.html#ipfw

Is there any plan to implement this somehow?
This would allow much finer-grained control, and the final decision would be made by the packet filter rather than by Suricata.

I am also not aware of whether a fail-open (bypass) mechanism exists for divert-to, similar to Linux NFQUEUE (queue-bypass), which switches to pass instead of drop if Suricata is not listening or crash...

[franco]

Nope, I am quite sure these things are currently not implemented in FreeBSD at the moment. We're looking into improving support as divert becomes more popular on our end.


Cheers,
Franco