Snort mailing list archives

Re: Testing IPTABLES (Snort Inline Mode, NFQUEUE, Local Rules) No alerts!


From: turki <turki_00 () yahoo com>
Date: Tue, 24 May 2011 05:22:53 -0700 (PDT)

Any help please

--- On Fri, 5/20/11, turki <turki_00 () yahoo com> wrote:

From: turki <turki_00 () yahoo com>
Subject: [Snort-users] Testing IPTABLES (Snort Inline Mode, NFQUEUE, Local Rules) No alerts!
To: snort-users () lists sourceforge net
Received: Friday, May 20, 2011, 12:54 PM

Snort: 2.9.0.5 (inline mode with single interface eth0 using NFQ)
DAQ: 0.5
Barnyard2

Problem: Snort/Barnyard2 is not reporting any alerts to the following local rule (simple http traffic)

local.rules:

alert tcp any any <> any any (content:"www.yahoo.com"; msg:"NO YAHOO 4U"; sid:1000006;rev:1;)

--------------------------------
Iptables configuration:

iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
NFQUEUE    icmp --  anywhere             anywhere            NFQUEUE num 0
NFQUEUE    tcp  --  anywhere             anywhere            tcp dpt:www NFQUEUE num 0
ACCEPT     all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
NFQUEUE    tcp  --  anywhere             anywhere            tcp spt:www NFQUEUE num 0

------------------------------------------------------------------------------------

Command to Run Snort:

snort --daq nfq -Q -c snort.conf --daq-dir /usr/local/lib/daq --daq-var device=eth0

---------------------------------------------------------------------------------
I am running the following command to trigger the rule:

wget yahoo.com

--------------------------------------------------------------------------
Snort in PCAP mode is reporting alerts with the same rules, but the problem is that in inline mode it is not.

Can you help me, please
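As an added diagnostic (not part of the original post), the listing above can be modelled to check which half of the poster's local `wget yahoo.com` flow the posted chains would actually hand to NFQUEUE. It assumes wget runs on the Snort host itself, that "www" is port 80, and it ignores conntrack/state matches, since none appear in the listing.

```python
# Added example, not from the original post: a simplified model of the
# poster's iptables chains, used to check which half of a local
# "wget yahoo.com" flow would be handed to NFQUEUE. Assumptions: wget runs
# on the Snort host itself; no conntrack/state matches (none are listed);
# "www" is port 80; every chain policy is ACCEPT, as shown.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    chain: str
    target: str               # "NFQUEUE" or "ACCEPT"
    proto: str = "all"        # "all", "tcp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None

# Transcription of the `iptables -L` listing in the post.
POSTED_RULES = [
    Rule("INPUT", "NFQUEUE", proto="icmp"),
    Rule("INPUT", "NFQUEUE", proto="tcp", dport=80),   # tcp dpt:www
    Rule("INPUT", "ACCEPT"),
    Rule("OUTPUT", "NFQUEUE", proto="tcp", sport=80),  # tcp spt:www
]

def matches(rule, proto, sport, dport):
    """Does one (simplified) iptables rule match this packet?"""
    if rule.proto != "all" and rule.proto != proto:
        return False
    if rule.sport is not None and rule.sport != sport:
        return False
    return rule.dport is None or rule.dport == dport

def verdict(rules, chain, proto, sport=None, dport=None, policy="ACCEPT"):
    """Walk one chain top to bottom; first match wins, else chain policy."""
    for rule in rules:
        if rule.chain == chain and matches(rule, proto, sport, dport):
            return rule.target
    return policy

def http_client_verdicts(rules, ephemeral=40000):
    """Both halves of an HTTP request made *from* this host (wget)."""
    return {
        "request (OUTPUT, dport 80)": verdict(rules, "OUTPUT", "tcp", ephemeral, 80),
        "reply (INPUT, sport 80)": verdict(rules, "INPUT", "tcp", 80, ephemeral),
    }

if __name__ == "__main__":
    for flow, target in http_client_verdicts(POSTED_RULES).items():
        print(f"{flow:28} -> {target}")
```

Under these assumptions both halves of the wget flow fall through to the ACCEPT policy, so no packet of that session reaches the queue Snort is listening on; the `INPUT dpt:www` / `OUTPUT spt:www` pair only queues traffic to and from a web server on the host itself.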


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users