I am in the process of moving my Suricata setup from IDS to IPS and the
preferred mechanism to facilitate that in OpenBSD involves the use of
divert.
My current use case is a simple honeypot on a DMZ interface that has
traffic forwarded to it via the typical rdr method (syntax pulled from the
OpenBSD FAQ examples):
pass in on egress inet proto tcp from any to (egress) port { 443 } rdr-to 192.168.2.2
To send packets to Suricata for inline processing I am using divert as
recommended by the Suricata package (syntax pulled from the Suricata
package docs):
pass in quick on egress inet proto tcp to port 443 divert-packet port 700
My core issue seems to be that I can get rdr or divert working in this
context, but not both (which creates a situation where Suricata
never actually sees these packets). It does not seem to be an issue with
rule order as I have tried moving the rules around just to be certain (and
removing the quick statement and playing with the order).
When looking at divert-packet with pfctl I see Evaluations
incrementing, but Packets remain at 0 (despite considerable traffic
bound for the honeypot and my own traffic sent manually).
Setting the divert rule to log and monitoring with tcpdump shows
plenty of matching traffic.
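One way to separate "pf is not diverting" from "Suricata is not picking the packets up" is to stand a throwaway listener on the divert port in Suricata's place and watch what arrives. The script below is an added example and is not part of the original post or of the Suricata package; it binds divert port 700 as described in divert(4), decodes each IPv4/TCP packet, reports whether the destination has already been rewritten to 192.168.2.2 (i.e. whether rdr-to ran before the divert rule), and reinjects everything except a toy "SYN+FIN" case to show where a verdict would go. Assumptions: IPPROTO_DIVERT is 258 on OpenBSD and may be missing from Python's socket module; reinjection uses the sockaddr that recvfrom returned; the sample packet at the bottom is constructed for offline testing and the checksums in it are left at zero. The listener itself only runs on OpenBSD with root privileges.

```python
import socket
import struct

DIVERT_PORT = 700                 # the port named in the divert-packet rule
HONEYPOT = "192.168.2.2"          # the rdr-to target from the pf rule
# Assumption: OpenBSD defines IPPROTO_DIVERT as 258 in <netinet/in.h>;
# Python's socket module may not expose it, so fall back to that value.
IPPROTO_DIVERT = getattr(socket, "IPPROTO_DIVERT", 258)

TCP_FIN = 0x01
TCP_SYN = 0x02


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Decode the IPv4 header and, for TCP, the ports and flag bits."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (vihl, _tos, _tlen, _ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if vihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (vihl & 0x0F) * 4
    info = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl}
    if proto == 6 and len(pkt) >= ihl + 20:
        sport, dport, _seq, _ack, off_flags = struct.unpack(
            "!HHIIH", pkt[ihl:ihl + 14])
        # low 9 bits of the offset/flags word are the TCP flags (incl. NS)
        info.update(sport=sport, dport=dport, flags=off_flags & 0x1FF)
    return info


def already_redirected(info: dict) -> bool:
    """True if rdr-to rewrote the destination before the packet was diverted."""
    return info["dst"] == HONEYPOT


def verdict(info: dict) -> str:
    """Toy IPS policy: drop a TCP segment carrying both SYN and FIN, pass the rest."""
    flags = info.get("flags", 0)
    if info["proto"] == 6 and (flags & TCP_SYN) and (flags & TCP_FIN):
        return "drop"
    return "pass"


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int,
                   flags: int, payload: bytes = b"") -> bytes:
    """Build a minimal IPv4+TCP packet for offline testing (checksums left zero)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0,
                      (5 << 12) | flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


def run_listener() -> None:
    """Sit on the divert port as a stand-in for Suricata and reinject passed packets."""
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, IPPROTO_DIVERT)
    s.bind(("0.0.0.0", DIVERT_PORT))
    while True:
        pkt, addr = s.recvfrom(65535)
        info = parse_ipv4_tcp(pkt)
        state = "rdr already applied" if already_redirected(info) else "not yet redirected"
        print(f"{info['src']} -> {info['dst']} proto={info['proto']} "
              f"dport={info.get('dport')} flags={info.get('flags', 0):#x} ({state})")
        if verdict(info) == "pass":
            # Assumption per divert(4): reinject with the sockaddr recvfrom returned.
            s.sendto(pkt, addr)


if __name__ == "__main__":
    run_listener()
```

If the listener never prints anything while the rule's Packets counter stays at 0, the packets are not being diverted by pf at all and Suricata's configuration is not the place to look; if they do arrive, the printed destination tells you whether translation happened before or after the divert.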