I am in the process of moving my Suricata setup from IDS to IPS and the preferred mechanism to facilitate that in OpenBSD involves the use of divert.
My current use case is a simple honeypot on a DMZ interface that has traffic forwarded to it via the typical rdr method (syntax pulled from the OpenBSD FAQ examples):
pass in on egress inet proto tcp from any to (egress) port { 443 } rdr-to 192.168.2.2
To send packets to Suricata for inline processing I am using divert as recommended by the Suricata package (syntax pulled from the Suricata package docs):
pass in quick on egress inet proto tcp to port 443 divert-packet port 700
My core issue seems to be that I can get rdr or divert working in this context, but not both (which creates a situation where Suricata never actually sees these packets). It does not seem to be an issue with rule order, as I have tried moving the rules around just to be certain (and removing the quick statement and playing with the order).
When looking at the divert-packet rule with pfctl, I see Evaluations incrementing but Packets remaining at 0 (despite considerable traffic bound for the honeypot, plus my own traffic sent manually).
Setting the divert rule to log and monitoring with tcpdump shows plenty of matching traffic.
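For reference, here is one way to write the two rules so that the redirect and the divert can both apply to the same packet. This is an added example, not configuration from the post above or from the Suricata package docs. It keeps the post's values (the egress interface, honeypot 192.168.2.2, divert port 700) and rests on two pf behaviours documented in pf.conf(5): a match rule applies its options (here rdr-to) and then lets evaluation continue, and rules evaluated after a translating rule see the translated address. Whether this resolves the counter behaviour described above is an assumption to verify with pfctl, not something the post reports.

```pf
# Added example (not from the post): honeypot redirect plus Suricata divert
# written so that both apply to one packet. Values from the post: egress,
# 192.168.2.2 and divert port 700. Everything else is assumed.

# Apply the redirect on a match rule. A match rule sets options such as
# rdr-to on the packet and does not stop evaluation, so a later pass rule
# can still be the one that decides the packet's fate.
match in on egress inet proto tcp from any to (egress) port 443 rdr-to 192.168.2.2

# The pass rule carries divert-packet. The destination has already been
# rewritten by the match rule above, so match on the translated address.
# quick keeps a later, non-diverting pass rule from overriding this one
# under last-match-wins.
pass in quick on egress inet proto tcp from any to 192.168.2.2 port 443 divert-packet port 700
```

To check that the divert rule is the one the packet ends up on, load the ruleset and read the per-rule counters with pfctl -vvsr: each rule is printed with its Evaluations, Packets, Bytes and States counters, so the divert rule should show Packets and States rising along with Evaluations once traffic reaches the honeypot. If Packets stays at 0 while Evaluations climbs, the rule is being evaluated but some later rule is still winning, and pfctl -vvsr will show which one by its counters.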