Snort mailing list archives
Re: A question now that I have nfq working
From: James Lay <jlay () slave-tothe-box net>
Date: Thu, 10 Apr 2014 08:35:01 -0600
> On 2014-04-08 18:19, James Lay wrote:
> On Tue, 2014-04-08 at 16:49 -0600, James Lay wrote:
>> So...it appears that snort using nfq passes the packet along, if it's not
>> dropped by the IDS, regardless of other rules. Example: let's say I have a
>> rule:
>>
>>   drop tcp any any -> any 80 (msg:"Test 80"; sid:10000053;)
>>
>> I send all my traffic to my INPUT with:
>>
>>   sudo /sbin/iptables -I INPUT -p tcp --dport 80 -j NFQUEUE --queue-num 1
>>
>> But I also have a block rule, say to 445:
>>
>>    pkts bytes target   prot opt in  out source     destination
>>     699 57925 NFQUEUE  all  --  *   *   0.0.0.0/0  0.0.0.0/0   NFQUEUE num 1
>>       0     0 DROP     tcp  --  *   *   0.0.0.0/0  0.0.0.0/0   tcp dpt:445
>>
>> So even though I have this drop rule above to 445, I see:
>>
>>   telnet 192.168.1.6 445
>>   Trying 192.168.1.6...
>>   Connected to 192.168.1.6.
>>   Escape character is '^]'.
>>
>> I've found that after passing through the nfqueue as not dropping, it
>> appears the packet is sent along, but not to the next iptables rule. Can
>> someone confirm this behavior?
>>
>> Thank you.
>>
>> James
>
> This is an interesting situation. Here's a sample...I have a firewall that
> looks like:
>
>   Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>    pkts bytes target  prot opt in  out source     destination
>       0     0 DROP    tcp  --  *   *   0.0.0.0/0  0.0.0.0/0   tcp dpt:80
>       0     0 DROP    tcp  --  *   *   0.0.0.0/0  0.0.0.0/0   tcp dpt:139
>       0     0 DROP    tcp  --  *   *   0.0.0.0/0  0.0.0.0/0   tcp dpt:445
>   10751  640K DROP    all  --  *   *   0.0.0.0/0  0.0.0.0/0
>
> So this is a whitelist approach....allow just what I want, and block the
> rest, with the bottom rule the catch-all. My issue is that any rules AFTER
> the queue rule are disregarded. So if I do like so:
>
>   Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>    pkts bytes target   prot opt in  out source     destination
>      39  2940 NFQUEUE  all  --  *   *   0.0.0.0/0  0.0.0.0/0   NFQUEUE num 1
>       0     0 DROP     tcp  --  *   *   0.0.0.0/0  0.0.0.0/0   tcp dpt:80
>       0     0 DROP     tcp  --  *   *   0.0.0.0/0  0.0.0.0/0   tcp dpt:139
>       0     0 DROP     tcp  --  *   *   0.0.0.0/0  0.0.0.0/0   tcp dpt:445
>   10751  640K DROP     all  --  *   *   0.0.0.0/0  0.0.0.0/0
>
> Then any packets that snort doesn't drop never reach the next rule. Is
> there a way to change this behavior?
>
> Thanks.
>
> James
Any takers on this? Is there anyone on this list that runs snort+nfq+iptables firewall on the same box?

James

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
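The behaviour described in this thread is how Netfilter works rather than a Snort bug: when the userspace program attached to the queue returns NF_ACCEPT (which is what Snort's nfq DAQ does for a packet it does not drop), the packet is accepted at that hook just as if it had hit a `-j ACCEPT` target, and the rest of the chain is never consulted. The model below is an added example, not code from the thread or from Snort. It replays the posted rulesets against a handler that behaves like Snort with only the `drop tcp any any -> any 80` rule, then shows the usual fix (let the iptables whitelist decide first and queue only traffic the firewall would allow; the port-22 NFQUEUE rule is a constructed stand-in for the unseen "allow what I want" rules) and, for comparison, the general Netfilter NF_REPEAT-plus-mark pattern, which needs a queue handler that supports it (the `repeat_handler` here is hypothetical; Snort's DAQ issues NF_ACCEPT).

```python
"""Model of iptables INPUT-chain traversal with a NFQUEUE rule.

Constructed example: rules, packets and handlers are modelled in Python so
the chain semantics can be exercised offline; nothing here talks to the
kernel.  Traversal stops at the first terminating target; a NF_ACCEPT from
the queue handler terminates exactly like '-j ACCEPT'.
"""
from dataclasses import dataclass, replace
from typing import Callable, List, Optional, Tuple

NF_DROP, NF_ACCEPT, NF_REPEAT = "NF_DROP", "NF_ACCEPT", "NF_REPEAT"


@dataclass(frozen=True)
class Packet:
    proto: str
    dport: int
    mark: int = 0          # skb->mark; a queue handler may set it with its verdict


@dataclass(frozen=True)
class Rule:
    target: str                      # "ACCEPT", "DROP" or "NFQUEUE"
    proto: Optional[str] = None      # None == iptables 'all'
    dport: Optional[int] = None      # None == any destination port
    mark_not: Optional[int] = None   # models '-m mark ! --mark N'

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.mark_not is None or pkt.mark != self.mark_not))


# A queue handler returns (verdict, mark); the mark only matters for NF_REPEAT.
Handler = Callable[[Packet], Tuple[str, int]]


def traverse(chain: List[Rule], pkt: Packet, handler: Handler,
             policy: str = "ACCEPT", max_repeats: int = 4) -> Tuple[str, List[str]]:
    """Return (final verdict, list of rules consulted) for one packet."""
    trace: List[str] = []
    repeats = 0
    while True:
        for rule in chain:
            if not rule.matches(pkt):
                continue
            trace.append(f"{rule.target} dport={rule.dport}")
            if rule.target in ("ACCEPT", "DROP"):
                return rule.target, trace
            verdict, mark = handler(pkt)          # NFQUEUE: ask userspace
            if verdict == NF_DROP:
                return "DROP", trace
            if verdict == NF_ACCEPT:
                return "ACCEPT", trace            # rules after NFQUEUE are skipped
            # NF_REPEAT: the kernel re-runs the hook, i.e. the chain from its
            # first rule, with the mark the handler supplied.  Without a mark
            # filter on the NFQUEUE rule the packet would be queued again forever.
            repeats += 1
            if repeats > max_repeats:
                raise RuntimeError("NF_REPEAT loop: NFQUEUE rule needs a mark filter")
            pkt = replace(pkt, mark=mark)
            break                                 # restart traversal
        else:
            return policy, trace                  # chain exhausted: chain policy


def snort_like(pkt: Packet) -> Tuple[str, int]:
    """Snort with only 'drop tcp any any -> any 80': NF_ACCEPT for all else."""
    return (NF_DROP, 0) if pkt.proto == "tcp" and pkt.dport == 80 else (NF_ACCEPT, 0)


def repeat_handler(pkt: Packet) -> Tuple[str, int]:
    """Hypothetical handler that returns passed packets to the chain with
    NF_REPEAT and mark 1 (generic Netfilter behaviour, not what Snort does)."""
    verdict, _ = snort_like(pkt)
    return (NF_DROP, 0) if verdict == NF_DROP else (NF_REPEAT, 1)


DROPS = [Rule("DROP", "tcp", 80), Rule("DROP", "tcp", 139), Rule("DROP", "tcp", 445)]
CATCH_ALL = Rule("DROP")

# As posted: NFQUEUE first, so every rule after it is unreachable for passed packets.
QUEUE_FIRST = [Rule("NFQUEUE")] + DROPS + [CATCH_ALL]
# Reordered: the firewall decides first; only traffic it would allow is queued.
# (The tcp/22 NFQUEUE rule is a constructed stand-in for the allow rules.)
QUEUE_LAST = DROPS + [Rule("NFQUEUE", "tcp", 22), CATCH_ALL]
# NF_REPEAT variant: NFQUEUE is skipped for packets the handler already marked.
QUEUE_REPEAT = [Rule("NFQUEUE", mark_not=1)] + DROPS + [CATCH_ALL]

if __name__ == "__main__":
    for name, chain, handler in (("queue first", QUEUE_FIRST, snort_like),
                                 ("queue last", QUEUE_LAST, snort_like),
                                 ("queue+repeat", QUEUE_REPEAT, repeat_handler)):
        for port in (22, 80, 445, 8080):
            verdict, trace = traverse(chain, Packet("tcp", port), handler)
            print(f"{name:13} tcp/{port:<5} -> {verdict:6} via {' > '.join(trace)}")
```

Running it prints the trace for each ruleset: with `QUEUE_FIRST`, tcp/445 is accepted after consulting only the NFQUEUE rule, which is the telnet result in the first post; with `QUEUE_LAST`, tcp/445 is dropped by iptables before Snort ever sees it, and tcp/22 is inspected and then accepted; with `QUEUE_REPEAT`, tcp/445 is queued, handed back, and then caught by the `dpt:445` DROP on the second pass. Note that in the reordered layout Snort only sees whitelisted traffic, so alerts on blocked ports have to come from the firewall log instead.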
Current thread:
- A question now that I have nfq working James Lay (Apr 08)
- Re: A question now that I have nfq working James Lay (Apr 08)
- Re: A question now that I have nfq working James Lay (Apr 10)
- Re: A question now that I have nfq working James Lay (Apr 15)
- Re: A question now that I have nfq working Graham Murray (Apr 15)
- Re: A question now that I have nfq working James Lay (Apr 10)
- Re: A question now that I have nfq working James Lay (Apr 08)