Hi,

Google is your best friend to obtain info about everything. Anyway, I will give some info about how to use divert.

pf is a part of the kernel, and the kernel has its own memory space which cannot be accessed by user applications. Suricata and Snort are user-level applications. For doing inspection they need data, thus you need a tool to copy data from kernel memory space to user memory space. This tool is divert.

Using divert has some limitations, for example:

1- Copying data takes a lot of time.
2- You can pass or drop the packet. Altering the packets will cause TCP desynchronization.
3- For saving resources you might want to do NAT after the packets were inspected. This is not possible because pf will ignore reinjected packets from divert to prevent loops (being diverted again).

There is a guide on the Suricata redmine for how to use divert in FreeBSD and ipfw; it also works on OpenBSD and pf.

You can use something like this in your pf.conf:

    # divert inbound TCP port 80 to the divert(4) socket bound to port 8080
    pass in quick proto tcp from any to any port 80 divert-packet port 8080 keep state

For more info Google is your friend.

Regards
Sadegh

On Wednesday, March 4, 2015, Denis Lapshin <den...@mindall.org> wrote:

> I have just read about Snort and Suricata engines. The second one looks
> more productive in DPI tasks because of utilizing multi-thread algorithms.
>
> Could you explain a bit more about "divert" with Suricata to make an
> inline DPI engine.
>
> Thanks
>
> On 04.03.2015 20:06, sadegh solati wrote:
>
> Hi,
> you can use divert with snort or suricata.
> you can make an inline IPS using them.
>
> On Wednesday, March 4, 2015, Denis Lapshin <den...@mindall.org> wrote:
>
>> Hi there!
>>
>> Interested in how to make a Deep Packet analyzing engine for my OpenBSD
>> box. I'm currently using PF to perform IP headers manipulation. But
>> sometimes I need to analyze packet data while the packet traverses.
>>
>> Please give some recommendations.
>>
>> Thanks.
>>
>> --
>> Denis
>
> --
> Denis
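As an added example (not code from this thread, from Suricata, or from Snort), here is a minimal C program showing the divert(4) mechanism described above: pf copies each matching packet to a userland socket, the program inspects it, and the only two outcomes are writing it back unchanged (pass) or never writing it back (drop). It assumes the pf.conf rule from the message, so the divert port 8080 is hard-coded; the pass/drop policy (drop HTTP requests using the TRACE method) and the packet builder are constructed placeholders for local testing; and the socket code is compiled only under `__OpenBSD__`, so the inspection logic can be built and tested on any host.

```c
/* Inline pass/drop inspector on an OpenBSD divert(4) socket. Added example, not
 * code from the thread; assumes the message's pf rule sends TCP/80 to divert
 * port 8080. divert(4) I/O compiles only under __OpenBSD__; the rest is portable. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DIVERT_PORT 8080   /* must match "divert-packet port 8080" in pf.conf */

enum verdict { VERDICT_PASS = 0, VERDICT_DROP = 1 };

/* Inspect one raw IPv4 packet handed over by divert(4). As the message notes,
 * the only outcomes are PASS (reinject unchanged) or DROP (never reinject); the
 * bytes are never rewritten, since a changed TCP payload desynchronises the
 * connection. Policy is a constructed placeholder: drop TRACE requests. */
enum verdict inspect_packet(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return VERDICT_DROP;                      /* not parseable IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || total < ihl || total > len)
        return VERDICT_DROP;                      /* truncated or inconsistent */
    if (pkt[9] != 6)
        return VERDICT_PASS;                      /* not TCP: outside this policy */
    if (total < ihl + 20)
        return VERDICT_DROP;                      /* no room for a TCP header */
    size_t doff = (size_t)(pkt[ihl + 12] >> 4) * 4;
    if (doff < 20 || total < ihl + doff)
        return VERDICT_DROP;
    const uint8_t *payload = pkt + ihl + doff;
    size_t plen = total - ihl - doff;
    return (plen >= 6 && memcmp(payload, "TRACE ", 6) == 0) ? VERDICT_DROP : VERDICT_PASS;
}

/* Build a minimal IPv4/TCP packet (20-byte headers each, dst port 80) around
 * `payload`. Constructed sample input; checksums stay zero (not inspected). */
size_t make_test_packet(uint8_t *out, size_t cap, const char *payload)
{
    size_t plen = strlen(payload), total = 40 + plen;
    if (total > cap || total > 0xffff) return 0;
    memset(out, 0, total);
    out[0] = 0x45;                                /* IPv4, IHL = 5 words */
    out[2] = (uint8_t)(total >> 8);
    out[3] = (uint8_t)(total & 0xff);
    out[8] = 64;                                  /* TTL */
    out[9] = 6;                                   /* protocol: TCP */
    out[20 + 3] = 80;                             /* TCP dst port 80 */
    out[20 + 12] = 0x50;                          /* TCP data offset = 5 words */
    memcpy(out + 40, payload, plen);
    return total;
}

/* Wrap `payload` in a test packet and return the inspector's verdict. */
enum verdict verdict_for_payload(const char *payload)
{
    uint8_t pkt[1500];
    size_t n = make_test_packet(pkt, sizeof pkt, payload);
    return n ? inspect_packet(pkt, n) : VERDICT_DROP;
}

#ifdef __OpenBSD__
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <err.h>

/* Bind a divert(4) socket to DIVERT_PORT and run the pass/drop loop forever. */
static void run_divert(void)
{
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(DIVERT_PORT) };
    static uint8_t buf[IP_MAXPACKET];
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_DIVERT);
    if (fd == -1 || bind(fd, (struct sockaddr *)&sin, sizeof sin) == -1)
        err(1, "divert socket/bind");
    for (;;) {
        struct sockaddr_in from;
        socklen_t flen = sizeof from;
        ssize_t n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&from, &flen);
        if (n == -1) err(1, "recvfrom");
        /* PASS: write it back unchanged (pf will not divert it again). DROP: never reinject. */
        if (inspect_packet(buf, (size_t)n) == VERDICT_PASS &&
            sendto(fd, buf, (size_t)n, 0, (struct sockaddr *)&from, flen) == -1)
            warn("sendto");
    }
}
#endif

int main(void)
{
#ifdef __OpenBSD__
    run_divert();                                 /* needs root and the pf rule loaded */
#else
    printf("TRACE request -> %s\n",
           verdict_for_payload("TRACE / HTTP/1.1\r\n") == VERDICT_DROP ? "drop" : "pass");
#endif
    return 0;
}
```

Note the two limitations from the message are visible in the loop: every packet crosses the kernel/user boundary twice (the recvfrom and the sendto), and the inspector only chooses between reinjecting the original bytes or not; it never edits them, and the reinjected packet is not diverted a second time, so no further pf rule runs on it after this point.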