Snort mailing list archives

A question now that I have nfq working


From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 08 Apr 2014 16:49:00 -0600

So...it appears that Snort using nfq passes the packet along, if 
it's not dropped by the IDS, regardless of other rules.  Example:

Let's say I have a rule:

drop tcp any any -> any 80 (msg:"Test 80"; sid:10000053;)

I send all my traffic to my INPUT with:

sudo /sbin/iptables -I INPUT -p tcp --dport 80 -j NFQUEUE --queue-num 1

But I also have a block rule, say to 445:
pkts bytes target     prot opt in     out     source               destination
 699 57925 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 1
   0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445

So even though I have this drop rule above to 445, I see:

telnet 192.168.1.6 445
Trying 192.168.1.6...
Connected to 192.168.1.6.
Escape character is '^]'.

I've found that after passing through the nfqueue without being dropped, it 
appears the packet is sent along, but not to the next iptables rule.  
Can someone confirm this behavior?  Thank you.

James
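NFQUEUE is a terminating target: once the userspace program (here Snort's nfq DAQ) returns an accept verdict, the packet leaves the chain at the NFQUEUE rule and the rules listed below it, like the port 445 DROP above, are never evaluated. As an added example that is not part of James's post, the shell function below (hypothetical name `shadowed_rules`) scans a constructed `iptables-save` style dump and flags DROP/REJECT rules that sit after an NFQUEUE rule in the same chain, so the ordering problem can be caught before a test connection has to reveal it:

```shell
#!/bin/sh
# Added example, not from the original post. The dump is constructed for
# the demo: INPUT reproduces the ordering from the post (NFQUEUE first,
# DROP 445 second); FORWARD shows the DROP placed before NFQUEUE.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j NFQUEUE --queue-num 1
-A INPUT -p tcp -m tcp --dport 445 -j DROP
-A FORWARD -p tcp -m tcp --dport 445 -j DROP
-A FORWARD -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 1
COMMIT'

# shadowed_rules DUMP
# Prints one line per DROP/REJECT rule that comes after an NFQUEUE rule in
# the same chain (a userspace accept verdict skips everything below the
# NFQUEUE rule). Exit status 1 if any such rule was found, 0 otherwise.
shadowed_rules() {
    printf '%s\n' "$1" | awk '
        /^-A / {
            chain = $2
            # remember the dump line of the first NFQUEUE rule per chain
            if ($0 ~ /-j NFQUEUE/) { if (!seen[chain]) seen[chain] = NR }
            else if ($0 ~ /-j (DROP|REJECT)/ && seen[chain]) {
                printf "%s: \"%s\" is after NFQUEUE rule (line %d)\n", chain, $0, seen[chain]
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }'
}

# Run the check against the constructed dump; the fix for the flagged
# chain is to place the DROP rule above the NFQUEUE rule, as FORWARD does.
shadowed_rules "$SAMPLE_RULES"
```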
