Snort mailing list archives
Re: tcp rules not working
From: "Michael J. Sheldon" <msheldon () godaddy com>
Date: Thu, 16 Feb 2017 17:12:57 +0000
So apparently, it was the iptables entry that was the problem. I had been using (from an example I had found):

iptables -t nat -A PREROUTING -j NFQUEUE --queue-num 2

This works fine for UDP and the initial tcp SYN, but apparently tcp packets *after* the SYN don't traverse the iptables nat rules. Switched to:

iptables -I INPUT -j NFQUEUE --queue-num 2

Now it's working exactly as expected.

Michael Sheldon
Dev-DNS Services
GoDaddy.com

________________________________________
From: James Lay <jlay () slave-tothe-box net>
Sent: Wednesday, February 15, 2017 20:01
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] tcp rules not working

Your TCP flow will have a state. Try flow:established.

James

On Wed, 2017-02-15 at 22:23 +0000, Michael J. Sheldon wrote:

I'm testing snort for use filtering DNS traffic. I have it set up using nfq inline.

This rule works exactly as expected (drops requests for www.example.com):

drop udp any any -> $HOME_NET $DNS_PORTS (msg:"TEST example.com"; flow:stateless; content:"|03|www|07|example|03|com|00|"; nocase; offset:12; sid:3100001; rev:1;)

This rule also works (alerts for all tcp inbound):

alert tcp any any -> $HOME_NET $DNS_PORTS (msg:"TEST all tcp"; sid:3100003; rev:1;)

This rule does NOT work:

drop tcp any any -> $HOME_NET $DNS_PORTS (msg:"TEST example.com"; flow:stateless; content:"|07|example|03|com|00|"; nocase; offset:12; sid:3100002; rev:1;)

After a LOT of playing with the rules, no matter what, if the protocol is TCP, and there is a "content" parameter at all, the rule will not match. I tried variations on flow (stateless, to_server, to_client, etc). I've got to be missing something incredibly simple, but at this point, no idea what it is.

Michael Sheldon
Dev-DNS Services
GoDaddy.com

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
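An added example, not code from the thread, showing how the content patterns in the rules above are built and matched: it encodes a domain name in the |..| label form the rules use, constructs a sample DNS query (UDP, and TCP with the 2-byte length prefix from RFC 1035 section 4.2.2), and emulates content/offset/nocase to check where the pattern lands. The function names and the sample query are my own.

```python
import struct


def snort_dns_name_content(name: str) -> str:
    """Render a domain name as a Snort content string in DNS wire (label) form,
    e.g. 'www.example.com' -> '|03|www|07|example|03|com|00|'."""
    parts = [f"|{len(label):02x}|{label}" for label in name.strip(".").split(".")]
    return "".join(parts) + "|00|"


def snort_content_to_bytes(pattern: str) -> bytes:
    """Decode Snort content syntax: |..| segments are hex, the rest is literal text."""
    out = bytearray()
    for i, piece in enumerate(pattern.split("|")):
        out += bytes.fromhex(piece) if i % 2 else piece.encode()
    return bytes(out)


def build_dns_query(name: str, tcp: bool = False) -> bytes:
    """Constructed sample: a minimal DNS A query for `name`.
    TCP framing prepends a 2-byte message length (RFC 1035 4.2.2),
    so the question name starts at byte 14 instead of byte 12."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # id, flags(RD), qd=1
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    msg = header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return (struct.pack("!H", len(msg)) + msg) if tcp else msg


def content_matches(payload: bytes, pattern: str, offset: int, nocase: bool = True) -> bool:
    """Emulate `content:"<pattern>"; offset:<n>; nocase;`.
    offset only sets where the search starts; without depth there is no upper bound."""
    needle = snort_content_to_bytes(pattern)
    hay = payload[offset:]
    if nocase:
        return needle.lower() in hay.lower()
    return needle in hay


if __name__ == "__main__":
    pat = snort_dns_name_content("www.example.com")
    print(pat)
    print(content_matches(build_dns_query("www.example.com"), pat, 12))
    print(content_matches(build_dns_query("www.example.com", tcp=True), pat, 12))
```

Because offset is only a starting point, the TCP length prefix shifts the name to byte 14 but a rule with offset:12 still matches; it is a depth: limit, not offset:, that would exclude the shifted name.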
Current thread:
- tcp rules not working Michael J. Sheldon (Feb 15)
- Re: tcp rules not working James Lay (Feb 15)
- Re: tcp rules not working Michael J. Sheldon (Feb 16)
- Re: tcp rules not working James Lay (Feb 16)
- Re: tcp rules not working Michael J. Sheldon (Feb 16)
- Re: tcp rules not working James Lay (Feb 15)