Hi
Google is your best friend to obtain info about everything.
Anyway, I will give some info about how to use divert.
pf is a part of the kernel, and the kernel has its own memory space which
cannot be accessed by user applications.
Suricata and Snort are user-level applications. For doing inspection they
need data, thus you need a tool to copy data from kernel memory space to
user memory space. This tool is divert.
Using divert has some limitations.
For example:

1- Copying data takes a lot of time.
2- You can pass or drop the packet. Altering the packets will cause TCP
desynchronization.
3- For saving resources you might want to do NAT after the packets were
inspected. This is not possible because pf will ignore reinjected
packets from divert for preventing loops (being diverted again).

There is a guide on the Suricata redmine for how to use divert in FreeBSD and
ipfw; it also works on OpenBSD and pf. You can use something like this in
your pf.conf:

pass in quick proto tcp from any to any port 80 divert-packet port 8080 keep state

For more info, Google is your friend.

regards
Sadegh


On Wednesday, March 4, 2015, Denis Lapshin <den...@mindall.org> wrote:

>  I have just read about the Snort and Suricata engines. The second one looks
> more productive in DPI tasks because it utilizes multi-threaded algorithms.
>
> Could you explain a bit more about "divert" with Suricata to make an
> inline DPI engine?
>
> Thanks
>
> On 04.03.2015 20:06, sadegh solati wrote:
>
> hi,
> you can use divert with snort or suricata.
> you can make an inline IPS using them.
>
> On Wednesday, March 4, 2015, Denis Lapshin <den...@mindall.org> wrote:
>
>> Hi there!
>>
>> I am interested in how to make a deep packet analyzing engine for my OpenBSD
>> box. I'm currently using PF to perform IP header manipulation. But
>> sometimes I need to analyze packet data during packet traversal.
>>
>> Please give some recommendations.
>>
>> Thanks.
>>
>> --
>> Denis
>>
>
> --
> Denis
>
>
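The pf.conf rule and the Suricata side of the setup discussed in this thread, as an added worked example (not code from the thread or from the Suricata project). It generates the divert-packet rules for a list of inspected TCP ports, lints them for the two parse errors pfctl is known to reject (naming a port without `proto tcp`, and `divert-packet` without the `port` keyword), dry-runs them through `pfctl -nf` where pfctl exists, and prints the Suricata command line. It assumes OpenBSD pf with divert-packet support and a Suricata built with divert (IPFW) support, whose inline divert mode is selected with `-d <port>`; `DIVERT_PORT`, the inspected ports and the config path are constructed values.

```shell
#!/bin/sh
# Added example, not from the thread above. Generates the pf.conf rules that
# hand chosen TCP ports to a divert(4) socket, lints them for the two mistakes
# pfctl rejects (a port without 'proto tcp', and 'divert-packet' without the
# 'port' keyword), and prints the Suricata command line that reads from that
# socket. Assumes OpenBSD pf and a Suricata built with divert (IPFW) support;
# DIVERT_PORT and the inspected ports are constructed values.

DIVERT_PORT=8080   # constructed: the divert socket port Suricata binds with -d

# divert_rules PORT... : one pass rule per inspected TCP port and direction.
# 'quick' stops rule evaluation, so put these before any NAT rules: pf will
# not re-evaluate the reinjected packet, which is the limitation described
# in the thread.
divert_rules() {
    for p in "$@"; do
        for dir in in out; do
            printf 'pass %s quick proto tcp from any to any port %s divert-packet port %s keep state\n' \
                "$dir" "$p" "$DIVERT_PORT"
        done
    done
}

# pf_lint FILE : text-only approximation of the parser, returns 1 when a rule
# would hit one of the two common pfctl parse errors.
pf_lint() {
    awk '
        / port / && !/proto (tcp|udp)/           { bad = 1 }  # "port only applies to tcp/udp"
        /divert-packet/ && !/divert-packet port/ { bad = 1 }  # the "port" keyword is mandatory
        END { exit bad + 0 }
    ' "$1"
}

# pf_check FILE : lint first, then a real dry-run parse with pfctl if present.
pf_check() {
    pf_lint "$1" || return 1
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$1"
    fi
}

# suricata_cmd CONFIG : Suricata's inline divert mode is selected with -d <port>
# (assumption: the FreeBSD ipfw guide's socket mode also binds OpenBSD's divert(4)).
suricata_cmd() {
    printf 'suricata -c %s -d %s\n' "$1" "$DIVERT_PORT"
}

# Stand-alone run: write the rules, check them, show how to start Suricata.
rules=${TMPDIR:-/tmp}/divert.pf.$$
divert_rules 80 443 > "$rules"
pf_check "$rules" && cat "$rules" && suricata_cmd /etc/suricata/suricata.yaml
rm -f "$rules"
```

Load the generated rules with `pfctl -f` only after the dry run passes, and start Suricata before the rules are active: while no process is bound to the divert port, matching packets have nowhere to go and the inspected ports are effectively blocked.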
