Suricata - Divert (IPS)

Started by xpendable, January 30, 2026, 01:40:00 AM

January 30, 2026, 01:40:00 AM Last Edit: January 30, 2026, 03:39:14 AM by xpendable
So I just upgraded to 26.1 and migrated the firewall rules over as well (don't have many) and everything went over smoothly with no issues.

However, I was wondering about the new Divert (IPS) capture mode, as the documentation states that a firewall rule is needed in the new rules section. If you select this capture mode, will a new firewall rule be auto-generated for it?

Also as a side question, if you diverted all WAN traffic for inspection anyway... would there be any benefit from Netmap (IPS) mode?

EDIT:
Well I just went ahead and enabled it, and basically answered my own questions :)

No rule is created automatically, so after setting Suricata to Divert (IPS) mode with 8 listeners (8 CPUs) I created a new rule on the WAN interface just below the Q-Feeds rule to pass all incoming traffic to Intrusion Protection. Works as expected, and I suppose it's probably more efficient since it's using PF and coming after the Q-Feeds rule. No sense in inspecting blocked traffic.

However, I noticed that after doing so the "Interface" in the Intrusion Protection Alerts page is blank, which makes sense... but is there a way in the future to pull this information from the firewall rule?

Hello, please open an issue on GitHub asking about the interface in Suricata when divert is used. It's easier to track, thank you.

https://github.com/opnsense/core/issues
Hardware:
DEC740

Issue has been created as requested.

Another upside to using Divert (IPS) mode, the memory consumption has been cut in half since Netmap is no longer being used :)

What might also be a benefit is compatibility and stability with VM network interfaces, as you don't have to use the emulated netmap driver anymore (the high-performance native netmap driver requires Intel network cards to work correctly most of the time).
Hardware:
DEC740

That's true, my OPNsense runs as a VM on XCP-ng, however I use SR-IOV with Intel X710 NICs. So never had an issue with using Netmap, but using the Divert method is way more efficient on memory usage. I have 16GB of memory allocated and before the memory would typically sit at 40-50% usage. I just checked and it's now down to about 10%. Will probably reduce the memory allocation in the near future as the system obviously doesn't need it anymore.

Thanks for taking the lead. I just followed you and set intrusion detection from netmap to the new divert rule.
So far so good.
Curious about your choice to have it on incoming WAN instead of LAN?
Deciso DEC850v2

What does the new divert rule look like?

https://docs.opnsense.org/manual/firewall.html#divert-to

Divert-to can be added to any firewall rule that already exists, also to multiple ones, to redirect the traffic to Suricata after it has matched in the firewall.
Hardware:
DEC740

So, I guess I divert from the WAN? What I am looking for is an example rule to start with.

Should it be the default lan pass rule?

Today at 05:01:28 PM #10 Last Edit: Today at 05:05:56 PM by xpendable
For me my rule is simple: a new rule in Rules [New] on the WAN interface, coming in, to pass all traffic, with Divert-to set to Intrusion Detection. This basically replicates my previous setup by capturing all packets for inspection; I don't want it to be more granular, maybe in an enterprise environment but not my homelab. The order is up to you, place the rule accordingly based on your other rules for the WAN interface.

NOTE: Divert-to is hidden and is only available in the "Advanced Mode", so be sure to enable that in the top left corner of the new rule dialog.

I use the WAN interface and add my ISP router's IP address to Home Networks in the Suricata config; as far as I am aware this is the best method when using an IPS. When on the LAN interface you may get more false positives and a lack of detections, since that interface is on your internal network. Intrusion attempts come from the external network in most cases, especially for homelab environments.

https://docs.opnsense.org/manual/ips.html#general-setup
https://docs.opnsense.org/manual/ips.html#advanced-options


Quote from: xpendable on Today at 05:01:28 PM
For me my rule is simple, a new rule in Rules [New] on the WAN interface coming in to pass all traffic and Divert-to set to Intrusion Detection.

Will you need to set the rule direction to both? To capture outgoing traffic like malware calling home?

Quote from: xpendable on Today at 05:01:28 PM
As when on the LAN interface you may get more false positives and a lack of detections since that interface is on your internal network. Intrusion attempts come from the external network in most cases, especially for homelab environments.

And wouldn't you still detect external attacks if you only monitored within the LAN? At least all the traffic leaving the OPNsense router towards the LAN (traffic that gets through the firewall), which is presumably the majority of the data traffic?

I have a (maybe dumb) question:

When using "divert-to" the matched packet is sent to Suricata to be inspected. After that, Suricata is responsible for the evaluation of the packet and not pf anymore.

Who is in charge of rejecting, blocking or passing the packet?

I can imagine that Suricata responds to pf with a verdict and it is pf that blocks or passes the packet.

Quote from: xpendable on Today at 05:01:28 PM
For me my rule is simple, a new rule in Rules [New] on the WAN interface coming in to pass all traffic and Divert-to set to Intrusion Detection. This basically replicates my previous setup by capturing all packets for inspection, I don't want it to be more granular, maybe in an enterprise environment but not my homelab. The order is up to you, place the rule accordingly based on your other rules for the WAN interface.

NOTE: Divert-to is hidden and is only available in the "Advanced Mode", so be sure to enable that in the top left corner of the new rule dialog.

I use the WAN interface and add my ISP router's IP address to Home Networks in the Suricata config, as far as I am aware this is the best method when using an IPS. When on the LAN interface you may get more false positives and a lack of detections since that interface is on your internal network. Intrusion attempts come from the external network in most cases, especially for homelab environments.

https://docs.opnsense.org/manual/ips.html#general-setup
https://docs.opnsense.org/manual/ips.html#advanced-options

Be careful: a broad WAN "pass any + divert-to" rule will effectively allow all inbound traffic on WAN. That can expose services running on OPNsense itself (e.g. SSH, DNS, GUI) to the internet.

It likely makes more sense to apply divert-to only on the specific WAN allow rules / opened ports you actually intend to expose.
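As an added illustration of the point in the reply above (this is example code written for this thread, not OPNsense's own code or config format), here is a small audit that walks a list of firewall rules and flags the pattern being warned about: a "pass, source any, destination any, any port" rule on the WAN interface, with or without divert-to. The Rule fields, the alias name "QFeeds_blocklist" and the rule descriptions are constructed assumptions for the example; they are not how OPNsense stores its rules.

```python
from dataclasses import dataclass
from typing import List, Optional

# Values the OPNsense GUI offers for "match everything"; treated as wildcards here.
WILDCARDS = {"any", "*", ""}


@dataclass
class Rule:
    """Simplified view of one firewall rule (field names are assumptions for this example)."""
    interface: str                  # e.g. "WAN", "LAN"
    direction: str                  # "in", "out" or "any"
    action: str                     # "pass", "block" or "reject"
    source: str                     # "any", an alias name or a CIDR
    destination: str                # "any", "WAN address", an alias or a CIDR
    dst_port: str                   # "any", a single port or a range such as "80-443"
    divert_to: Optional[str] = None  # e.g. "Intrusion Detection" when Divert-to is set
    description: str = ""


def is_broad_pass(rule: Rule) -> bool:
    """True when a pass rule matches any source, any destination and any port."""
    return (rule.action == "pass"
            and rule.source in WILDCARDS
            and rule.destination in WILDCARDS
            and rule.dst_port in WILDCARDS)


def audit_wan_divert(rules: List[Rule], wan: str = "WAN") -> List[str]:
    """Return one finding per over-broad inbound pass rule on the WAN interface.

    Divert-to only chooses where a matched packet goes (Suricata); it does not
    narrow what the rule admits, so "pass any -> any" stays a pass for every
    service reachable on the firewall itself.
    """
    findings = []
    for idx, rule in enumerate(rules):
        if rule.interface != wan or rule.direction not in ("in", "any"):
            continue
        if not is_broad_pass(rule):
            continue
        via = f" with divert-to '{rule.divert_to}'" if rule.divert_to else ""
        findings.append(
            f"rule {idx} ('{rule.description}'): pass any -> any on {wan}{via} "
            "also admits traffic to every service on the firewall itself; "
            "restrict destination/port to the services you intend to expose"
        )
    return findings


def narrowed_copy(rule: Rule, destination: str, dst_port: str) -> Rule:
    """Return the same rule limited to one destination/port, divert-to kept."""
    return Rule(rule.interface, rule.direction, rule.action, rule.source,
                destination, dst_port, rule.divert_to, rule.description)


# Constructed sample rule set: a block-list rule first, then the broad divert rule.
SAMPLE_RULES = [
    Rule("WAN", "in", "block", "QFeeds_blocklist", "any", "any", description="Q-Feeds"),
    Rule("WAN", "in", "pass", "any", "any", "any",
         divert_to="Intrusion Detection", description="IPS everything"),
]

if __name__ == "__main__":
    for finding in audit_wan_divert(SAMPLE_RULES):
        print(finding)
    fixed = [SAMPLE_RULES[0], narrowed_copy(SAMPLE_RULES[1], "WAN address", "443")]
    print("after narrowing:", audit_wan_divert(fixed) or "no findings")
```

Run as-is it reports the broad rule once and nothing after the copy is narrowed to one published port; a LAN rule of the same shape is intentionally not reported, since the thread's concern is exposure on the WAN side.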