Snort mailing list archives
Re: Snort with NFQUEUE allows everything (even unopened ports)
From: Amm Snort <ammdispose-snort () yahoo com>
Date: Sat, 31 Mar 2012 21:28:38 +0800 (SGT)
> From: Jaime Nebrera <jnebrera () gmail com>
> To: Amm Snort <ammdispose-snort () yahoo com>
>
> You are not missing anything and netfilter is working as expected. Your rule states put all traffic into the queue. Unless further on the traffic is dropped it will go on. If you want to do this for a particular port you have to state so explicitly.
Ok I found the issue here. When a QUEUE program (snort in this case) declares verdict as ACCEPT, iptables stops processing further rules and allows the packet. Unfortunately this is not what I was thinking; I was under the impression that NFQUEUE kind of behaves like the LOG target, i.e. does the processing/logging and moves to the next rule.

So due to this limitation, snort with NFQUEUE becomes useless for me. Because then I have to put the NFQUEUE target after all rule processing, which means it will NOT get all the traffic and would not detect, for example, port scanning attempts.

My idea was to make snort act as IDS and IPS, i.e. alert for things like port scanning and DROP for things like SQL injection.

Anyway thanks all for replies.

AMM
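An added example, not from the thread, that puts the three placements side by side: the ruleset as the original post describes it (NFQUEUE first in the filter chain, so an ACCEPT verdict admits everything), the explicit-port variant Jaime suggests (IPS only, no visibility of closed ports), and a third layout that keeps both the IDS and IPS goals by queuing from the mangle table, where an ACCEPT verdict only ends that table's traversal and the filter INPUT chain still applies its port rules and DROP policy. Queue number 0, ports 22/80 and the DROP policy are assumptions; by default the script only prints the iptables commands.

```shell
#!/bin/sh
# Added example (not from the thread): three ways to hand packets to Snort's
# NFQUEUE on a host whose policy is "allow ssh and http, drop the rest".
# IPT defaults to a dry run that only prints the commands; run with
# IPT=iptables as root to apply them. Queue number and ports are assumptions.
IPT="${IPT:-echo iptables}"
QUEUE=0

# Layout from the original post: NFQUEUE first in the filter INPUT chain.
# Snort's ACCEPT verdict ends traversal of this chain, so the port rules
# and the DROP policy below it are never consulted: whatever Snort does
# not drop gets in, closed ports included.
ruleset_queue_first() {
    $IPT -P INPUT DROP
    $IPT -A INPUT -j NFQUEUE --queue-num "$QUEUE"
    $IPT -A INPUT -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 80 -j ACCEPT
}

# Jaime's fix: state explicitly which traffic goes to the queue. Only
# packets the firewall would admit anyway reach Snort, so Snort can still
# DROP (IPS) but never sees packets for closed ports (no port-scan alerts).
ruleset_queue_explicit() {
    $IPT -P INPUT DROP
    $IPT -A INPUT -p tcp -m multiport --dports 22,80 \
        -j NFQUEUE --queue-num "$QUEUE"
}

# Layout that keeps both goals: queue from the mangle table. An ACCEPT
# verdict there only ends the mangle traversal; the packet then continues
# into the filter table, where the port rules and DROP policy still apply.
# Snort sees every packet (IDS for scans), can still drop (IPS), and
# closed ports stay closed.
ruleset_queue_mangle() {
    $IPT -t mangle -A PREROUTING -j NFQUEUE --queue-num "$QUEUE"
    $IPT -P INPUT DROP
    $IPT -A INPUT -p tcp -m multiport --dports 22,80 -j ACCEPT
}
```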