On 2015/03/07 10:43, Denis Lapshin wrote:
> Hi
>
> Built Suricata from sources with "ipfw divert-sockets" support on
> OpenBSD 5.4. After that I made some efforts to get Suricata working
> with the "divert-packet" directive for divert sockets in pf.conf.
> I added the rule below to pf.conf as man divert(4) recommends (I
> tried this PF rule on port 80 and on all ports as listed below):
>
> pass out on $ext_if inet proto tcp divert-packet port 8000
>
> Afterwards I ran Suricata to listen with the "-d 8000" directive.

First thing to check is probably that the packets really are matching on
this rule. Add "log" to the rule and monitor pflog (something like
"tcpdump -neipflog0 -vvs500"). Or add "match log(matches) to $ip port
$port" to the top of the ruleset and it will show a line of tcpdump
output for every ruleset line that matches the packet.

You can also use the simple code from the divert(4) manual, it is a
working example and prints the packet addresses, so it's easy to test.

Basically: break the job into different steps, so you can test each one
individually. If packets aren't hitting the rule with "divert-packet" at
all, look at your PF rules. If they are matching the right rule and the
simple test works, you know to look in the direction of Suricata.

> I was waiting for some foreground output from Suricata for what was
> redirected from PF divert, but it seems nothing is provided by the DPI
> engine because of the difference in divert algorithms between PF and
> IPFW, which has been supported by Suricata.
>
> I don't know what the difference between PF and IPFW divert rules is
> in nature. Are IPFW divert-sockets completely different from the PF
> divert-packet realization?

The mechanism is different but is explicitly intended to be compatible
with IPFW divert-sockets.
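A divert(4)-style test receiver of the kind the reply recommends, added here as an example (it is not code from the thread, from the OpenBSD manual or from Suricata): it binds a divert socket to port 8000, the port in the pf rule above, prints the addresses of each packet pf hands it, and reinjects the packet. The IPPROTO_DIVERT fallback value, the constructed sample header and the helper names parse_ipv4_addrs and addrs_match are assumptions made for this example so it also compiles off OpenBSD.

```c
/* Minimal divert(4) receiver in the spirit of the OpenBSD manual example:
 * bind to the pf "divert-packet" port, print each diverted packet's
 * addresses, and reinject it unchanged so the flow is not dropped. */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#ifndef IPPROTO_DIVERT
#define IPPROTO_DIVERT 258   /* assumed: OpenBSD's value, so this compiles elsewhere */
#endif
#define DIVERT_PORT 8000     /* must match "divert-packet port 8000" in pf.conf */
/* Pull src/dst out of a raw IPv4 packet: 0 on success, -1 if too short or not v4. */
int parse_ipv4_addrs(const unsigned char *pkt, size_t len, char *src, char *dst, size_t alen)
{
    struct in_addr s, d;
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    memcpy(&s, pkt + 12, 4); memcpy(&d, pkt + 16, 4);
    return (inet_ntop(AF_INET, &s, src, alen) && inet_ntop(AF_INET, &d, dst, alen)) ? 0 : -1;
}
/* Constructed 20-byte IPv4 header (10.0.0.1 -> 192.0.2.5) for an offline check. */
static const unsigned char SAMPLE_HDR[20] = {
    0x45, 0x00, 0x00, 0x14, 0x00, 0x01, 0x00, 0x00, 0x40, 0x06, 0x00, 0x00,
    10, 0, 0, 1, 192, 0, 2, 5 };
/* 1 if the packet parses and carries exactly these addresses, else 0. */
int addrs_match(const unsigned char *pkt, size_t len, const char *esrc, const char *edst)
{
    char src[INET_ADDRSTRLEN], dst[INET_ADDRSTRLEN];
    return parse_ipv4_addrs(pkt, len, src, dst, sizeof src) == 0 &&
           strcmp(src, esrc) == 0 && strcmp(dst, edst) == 0;
}
int main(void)
{
    unsigned char pkt[65535];
    char src[INET_ADDRSTRLEN], dst[INET_ADDRSTRLEN];
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(DIVERT_PORT) }, from;
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_DIVERT);   /* needs root and an OpenBSD kernel */
    if (fd < 0 || bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) {
        perror("divert socket"); return 1; }
    for (;;) {
        socklen_t fromlen = sizeof from;
        ssize_t n = recvfrom(fd, pkt, sizeof pkt, 0, (struct sockaddr *)&from, &fromlen);
        if (n < 0) { perror("recvfrom"); return 1; }
        if (parse_ipv4_addrs(pkt, (size_t)n, src, dst, sizeof src) == 0)
            printf("diverted %zd bytes: %s -> %s\n", n, src, dst);
        /* reinject via the address recvfrom() gave us; divert-packet otherwise drops it */
        if (sendto(fd, pkt, (size_t)n, 0, (struct sockaddr *)&from, fromlen) < 0)
            perror("sendto");
    }
}
```

Run it as root on the OpenBSD box with the pf rule loaded; if nothing prints while matching traffic flows, the rule is not diverting and pflog is the place to look, whereas if addresses print but Suricata stays silent, the problem is on the Suricata side.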
