Snort(TM) On *BSD

Snort normally uses bpf via libpcap in passive or "Intrusion Detection/IDS" mode

    snort --daq pcap --daq-mode passive -i em0

Snort inline introduced an active mode or "Intrusion Prevention/IPS" mode

"ipfw" support is compatible with divert-packet

    snort --daq ipfw --daq-var port=9000

The neat thing is that you can selectively attach Snort to PF rules for "deep inspection/DPI"

    pass out on em0 divert-packet port 9000
    pass out on em1 inet proto tcp to port http \
        divert-packet port 9000
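A consistency check for the setup above, as an added example that is not part of the original slides: it lists the divert ports a PF ruleset references and confirms each one equals the port given to Snort's `--daq-var port=`. The function names and the sample ruleset are constructed for illustration, and the parser assumes the pf.conf(5) form `divert-packet port N`.

```shell
#!/bin/sh
# Added example: cross-check PF divert ports against the Snort ipfw DAQ port.

# Constructed sample ruleset (the two rules from the slide, plus a
# commented-out rule and a plain rule that must both be ignored).
sample_rules() {
    cat <<'EOF'
# constructed sample ruleset
pass out on em0 divert-packet port 9000
pass out on em1 inet proto tcp to port http \
    divert-packet port 9000
# pass in on em2 divert-packet port 9001
pass in on em2
EOF
}

# Print the unique divert-packet ports found in pf.conf text on stdin.
# Strips '#' comments and joins backslash-continued lines first.
pf_divert_ports() {
    awk '
        { sub(/#.*/, "") }
        /\\[ \t]*$/ { sub(/\\[ \t]*$/, " "); buf = buf $0; next }
        {
            line = buf $0; buf = ""
            n = split(line, w, /[ \t]+/)
            for (i = 1; i + 2 <= n; i++)
                if (w[i] == "divert-packet" && w[i+1] == "port")
                    print w[i+2]
        }
    ' | sort -u
}

# stdin = ruleset, $1 = value passed to Snort as --daq-var port=
# Returns 0 only if there is at least one divert rule and all ports match.
check_snort_port() {
    ports=$(pf_divert_ports)
    [ -n "$ports" ] || { echo "no divert-packet rules found" >&2; return 1; }
    rc=0
    for p in $ports; do
        if [ "$p" != "$1" ]; then
            echo "rule diverts to port $p, Snort listens on $1" >&2
            rc=1
        fi
    done
    return "$rc"
}

sample_rules | check_snort_port 9000 && echo "divert ports match Snort port"
```

On a live system, feed it the real ruleset instead of the sample, for example `check_snort_port 9000 < /etc/pf.conf`.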