Suricata - Divert (IPS)

Started by xpendable, January 30, 2026, 01:40:00 AM

Quote from: phanos on February 02, 2026, 12:22:53 PM
I understand I should configure at least the two allow rules to divert traffic to suricata but what happens with the block rule? I do nothing?
If it is already blocked by the FW rule, it does not need to be diverted further.

Hi, regarding the Suricata crash issue with IPS Divert mode (https://github.com/opnsense/core/issues/9712), is anyone else affected by the same problem?

Quote from: QuisaZaderak on February 03, 2026, 08:45:42 AM
Quote from: phanos on February 02, 2026, 12:22:53 PM
I understand I should configure at least the two allow rules to divert traffic to suricata but what happens with the block rule? I do nothing?
If it is already blocked by the FW rule, it does not need to be diverted further.

Right, but what about port forwarding? How do you handle these? They do not seem to have direct to...

Hello,

Sorry, I am having a hard time understanding this DIVERT parameter.
So if I set FW rules to allow ports 443/80/5520 and then I create an additional FW rule with the same SRC/DST IPs, then the 1st rule would allow only the traffic on the ports defined and the second would send the traffic to the IPS?
Or how is it possible to filter with DIVERT IPS?

As in the picture, if I allow the 2 DIVERT rules?

Thank you all for the awesome work on this.

Quote from: szix96 on February 03, 2026, 03:07:59 PM
Hello,

Sorry, I am having a hard time understanding this DIVERT parameter.
So if I set FW rules to allow ports 443/80/5520 and then I create an additional FW rule with the same SRC/DST IPs, then the 1st rule would allow only the traffic on the ports defined and the second would send the traffic to the IPS?
Or how is it possible to filter with DIVERT IPS?

As in the picture, if I allow the 2 DIVERT rules?

Thank you all for the awesome work on this.


I think you confused protocol divert with Advanced Options -> divert to. Or do I miss something?

February 03, 2026, 08:56:11 PM #35 Last Edit: February 03, 2026, 09:04:18 PM by szix96
Quote from: Ametite on February 03, 2026, 04:11:12 PM
Quote from: szix96 on February 03, 2026, 03:07:59 PM
Hello,

Sorry, I am having a hard time understanding this DIVERT parameter.
So if I set FW rules to allow ports 443/80/5520 and then I create an additional FW rule with the same SRC/DST IPs, then the 1st rule would allow only the traffic on the ports defined and the second would send the traffic to the IPS?
Or how is it possible to filter with DIVERT IPS?

As in the picture, if I allow the 2 DIVERT rules?

Thank you all for the awesome work on this.


I think you confused protocol divert with Advanced Options -> divert to. Or do I miss something?


Thank you, but I do not find it in the advanced settings of the FW rule, just the protocol as divert.
Edit: Found it in the new FW rules, so it is only available in the new rules, or is it also available in the legacy FW rules?


"To use the "Divert (IPS)" mode, you must use Firewall ‣ Rules [new] and create firewall rules that contain the "Divert-to" setting. Check the Rules manual for more information."
https://docs.opnsense.org/manual/ips.html
https://docs.opnsense.org/manual/firewall.html#divert-to

Hi!

I am not familiar with the details of the divert-to functionality in FreeBSD when it is implemented with pf, but when using ipfw there is an option to use reinject mode, where, if Suricata does not drop the packet, it reinjects it back into the network stack at the specified ipfw rule:

https://docs.suricata.io/en/latest/configuration/suricata-yaml.html#ipfw

Is there any plan to implement this somehow?
This would allow much finer-grained control, and the final decision would be made by the packet filter rather than by Suricata.

I am also not aware of whether a fail-open (bypass) mechanism exists for divert-to, similar to Linux NFQUEUE (queue-bypass), which switches to pass instead of drop if Suricata is not listening or crashes...


Nope, I am quite sure these things are currently not implemented in FreeBSD at the moment. We're looking into improving support as divert becomes more popular on our end.


Cheers,
Franco

I am new to OPNsense and have set up a transparent firewall bridge between the ISP and my Unifi router. Does this setup work with a transparent bridge too? I have made the FW rule on the WAN interface with divert-to, but I can't see any IPS drops in the logs.

How does your Unifi router connect to your ISP? If it's DHCP - good. If it's PPPoE, OPNsense won't buy you anything, IDS or not. It cannot look into a PPPoE data stream.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Thanks for helping! I have a "static IP" ISP provider modem, no PPPoE. Q-Feeds is working, but I can't see any drops from Suricata; the Suricata log only shows:
2026-03-26T00:00:23 Notice suricata[100882] <Notice> -- rule reload starting
2026-03-25T21:28:34 Notice suricata[100882] <Notice> -- Threads created -> W: 8 FM: 1 FR: 1 Engine started.
2026-03-25T21:28:18 Notice suricata[100882] <Notice> -- Syslog: facility local5, level Info, ident suricata
2026-03-25T21:28:18 Notice suricata[107591] <Notice> -- This is Suricata version 8.0.4 RELEASE running in SYSTEM mode
2026-03-25T21:28:17 Notice suricata[109386] <Notice> -- (W-8000) Verdict: Accepted 0, Dropped 0
2026-03-25T21:28:17 Notice suricata[109386] <Notice> -- (W-8000) Treated: Pkts 723, Bytes 35427, Errors 0
2026-03-25T21:28:17 Notice suricata[109385] <Notice> -- (W-8000) Verdict: Accepted 0, Dropped 0
2026-03-25T21:28:17 Notice suricata[109385] <Notice> -- (W-8000) Treated: Pkts 0, Bytes 0, Errors 0
2026-03-25T21:28:17 Notice suricata[109384] <Notice> -- (W-8000) Verdict: Accepted 0, Dropped 0
2026-03-25T21:28:17 Notice suricata[109384] <Notice> -- (W-8000) Treated: Pkts 0, Bytes 0, Errors 0
2026-03-25T21:28:17 Notice suricata[109383] <Notice> -- (W-8000) Verdict: Accepted 0, Dropped 0
2026-03-25T21:28:17 Notice suricata[109383] <Notice> -- (W-8000) Treated: Pkts 0, Bytes 0, Errors 0
2026-03-25T21:28:17 Notice suricata[109382] <Notice> -- (W-8000) Verdict: Accepted 0, Dropped 0
2026-03-25T21:28:17 Notice suricata[109382] <Notice> -- (W-8000) Treated: Pkts 0, Bytes 0, Errors 0
2026-03-25T21:28:17 Notice suricata[109381] <Notice> -- (W-8000) Verdict: Accepted 0, Dropped 0
2026-03-25T21:28:17 Notice suricata[109381] <Notice> -- (W-8000) Treated: Pkts 723, Bytes 35427, Errors 0
2026-03-25T21:28:17 Notice suricata[109380] <Notice> -- (W-8000) Verdict: Accepted 0, Dropped 0
2026-03-25T21:28:17 Notice suricata[109380] <Notice> -- (W-8000) Treated: Pkts 724, Bytes 35476, Errors 0
2026-03-25T21:28:17 Notice suricata[109379] <Notice> -- (W-8000) Verdict: Accepted 0, Dropped 0
2026-03-25T21:28:17 Notice suricata[109379] <Notice> -- (W-8000) Treated: Pkts 724, Bytes 35476, Errors 0
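When the only evidence is a handful of per-worker "Treated" and "Verdict" notices like the ones above, it helps to total them across threads before deciding whether traffic is reaching the divert socket at all. The script below is an added example, not part of this thread or of OPNsense/Suricata; the log lines it parses are constructed, modelled on the format quoted in the post (timestamp, level and process column separated by whitespace).

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of the Suricata notices quoted above.
SAMPLE_LOG = """\
2026-03-25T21:28:17 Notice suricata[109381] <Notice> -- (W-8000) Verdict: Accepted 0, Dropped 0
2026-03-25T21:28:17 Notice suricata[109381] <Notice> -- (W-8000) Treated: Pkts 723, Bytes 35427, Errors 0
2026-03-25T21:28:17 Notice suricata[109382] <Notice> -- (W-8000) Verdict: Accepted 0, Dropped 0
2026-03-25T21:28:17 Notice suricata[109382] <Notice> -- (W-8000) Treated: Pkts 0, Bytes 0, Errors 0
2026-03-25T21:28:17 Notice suricata[109383] <Notice> -- (W-8000) Verdict: Accepted 510, Dropped 3
2026-03-25T21:28:17 Notice suricata[109383] <Notice> -- (W-8000) Treated: Pkts 513, Bytes 61200, Errors 0
2026-03-25T21:28:34 Notice suricata[100882] <Notice> -- Threads created -> W: 8 FM: 1 FR: 1 Engine started.
"""

# Thread id in brackets, the (W-<divert port>) tag, then the counter list.
STATS_RE = re.compile(
    r"suricata\[(?P<tid>\d+)\].*?\((?P<worker>W-\d+)\) "
    r"(?P<kind>Verdict|Treated): (?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(?P<name>[A-Za-z]+) (?P<value>\d+)")


def parse_worker_stats(text):
    """Return {thread_id: {counter: int, 'worker': 'W-port'}}.

    Verdict and Treated lines of the same thread are merged into one
    record; lines without a (W-port) tag (engine start, rule reload)
    are ignored.
    """
    stats = defaultdict(dict)
    for line in text.splitlines():
        m = STATS_RE.search(line)
        if not m:
            continue
        rec = stats[m.group("tid")]
        rec["worker"] = m.group("worker")
        for f in FIELD_RE.finditer(m.group("fields")):
            rec[f.group("name")] = int(f.group("value"))
    return dict(stats)


def summarize(stats):
    """Total the counters and report how many threads saw any packets and
    how many packets were counted as accepted or dropped."""
    keys = ("Pkts", "Bytes", "Errors", "Accepted", "Dropped")
    totals = {k: sum(s.get(k, 0) for s in stats.values()) for k in keys}
    totals["threads_total"] = len(stats)
    totals["threads_with_traffic"] = sum(1 for s in stats.values() if s.get("Pkts", 0) > 0)
    totals["verdicts"] = totals["Accepted"] + totals["Dropped"]
    return totals


if __name__ == "__main__":
    print(summarize(parse_worker_stats(SAMPLE_LOG)))
```

A summary with `Pkts` at zero across all threads points at the divert-to rule not matching, while packets with no drops points at the ruleset or alert/drop policy instead.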