Snort mailing list archives

Re: Snort with NFQUEUE allows everything (even unopened ports)


From: Amm Snort <ammdispose-snort () yahoo com>
Date: Sat, 31 Mar 2012 21:28:38 +0800 (SGT)


From: Jaime Nebrera <jnebrera () gmail com>
To: Amm Snort <ammdispose-snort () yahoo com>

You are not missing anything and netfilter is working as expected.

Your rule states put all traffic into the queue. Unless further on the traffic is dropped it will go on.

If you want to do this for a particular port you have to state so explicitly.


Ok I found the issue here.

When a QUEUE program (snort in this case) declares verdict as ACCEPT,
iptables stops processing further rules and allows the packet.

Unfortunately this is not what I was thinking; I was under the impression that NFQUEUE
kind of behaves like the LOG target, i.e. does the processing/logging and moves on to the next rule.

So due to this limitation, snort with NFQUEUE becomes useless for me, because then
I have to put the NFQUEUE target after all rule processing, which means it will NOT get all
the traffic and would not detect, for example, port scanning attempts.

My idea was to make snort act as IDS and IPS, i.e. alert for things like port scanning
and DROP for things like SQL injection.

Anyway thanks all for replies.

AMM
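The chain behaviour described in this message, modelled as an added Python example (not part of the thread, Snort or iptables): it contrasts the non-terminating LOG target with an NFQUEUE rule whose userspace program returns ACCEPT, and shows why queueing only a chosen port hides everything else from the IDS. The rule layouts, the alert-only queue program and the port numbers are constructed for illustration.

```python
# Minimal model of netfilter chain traversal (constructed for this example).
# Targets are modelled as:
#   LOG     - non-terminating: traversal continues with the next rule
#   NFQUEUE - packet goes to a userspace program; its ACCEPT verdict ends
#             traversal for that packet, a DROP verdict drops it
#   ACCEPT / DROP - terminating
# A rule with no 'dport' matches every packet.

def match(rule, pkt):
    """A rule matches when it has no port filter or the port equals pkt's."""
    return rule.get("dport") is None or rule["dport"] == pkt["dport"]

def traverse(chain, pkt, queue_program, seen):
    """Walk an INPUT-style chain and return the final verdict for pkt.

    queue_program(pkt) stands in for the NFQUEUE consumer (Snort in the
    thread); 'seen' collects the packets that consumer actually inspected.
    """
    for rule in chain:
        if not match(rule, pkt):
            continue
        if rule["target"] == "LOG":
            continue                    # logged, processing moves on
        if rule["target"] == "NFQUEUE":
            seen.append(pkt)
            return queue_program(pkt)   # ACCEPT here stops rule processing
        return rule["target"]           # ACCEPT or DROP
    return "ACCEPT"                     # chain default policy assumed ACCEPT

def alert_only_ids(pkt):
    """Queue program running in pure alert (IDS) mode: always ACCEPT."""
    return "ACCEPT"

# Layout from the thread: queue everything first, then allow ssh, drop rest.
QUEUE_FIRST = [{"target": "NFQUEUE"},
               {"target": "ACCEPT", "dport": 22},
               {"target": "DROP"}]
# What the author expected NFQUEUE to behave like: a LOG-style first rule.
LOG_FIRST = [{"target": "LOG"},
             {"target": "ACCEPT", "dport": 22},
             {"target": "DROP"}]
# Queueing only the open port, as suggested in the reply.
QUEUE_SSH_ONLY = [{"target": "NFQUEUE", "dport": 22},
                  {"target": "DROP"}]

def run(chain, dport):
    """Return (verdict, number of packets the IDS saw) for one packet."""
    seen = []
    return traverse(chain, {"dport": dport}, alert_only_ids, seen), len(seen)
```

With QUEUE_FIRST a packet to an unopened port is accepted by the firewall because the IDS's ACCEPT verdict is final; with QUEUE_SSH_ONLY the same packet is dropped but the IDS never sees it, so a scan of that port cannot be alerted on.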




