[Snort-openappid] Unable to use snort-2.9.7.0_beta appid matchers with nfq DAQ module while accepting established, related packages

ozgurpub pulic ozgurpub at ...8...
Wed Aug 13 06:46:20 EDT 2014


Hi,

I am able to run and use snort with open appid matchers with pcap and
afpacket DAQ modules. appstats-unified.log file is generated properly and I
can get alerts using appid directive in snort rules, everything works great.

However, when I deploy snort with the nfq module as part of a stateful
firewall, the matchers do not match the application traffic. I am using the
same configuration as the working one above, apart from the DAQ module
change. If I disable the stateful accept rule above the nfq rule in iptables,
it works without issue.

As far as I understand, the openappid matchers require more traffic to pass
before matching the application of a connection, because usual snort rules
do not have this issue. Since the connection traffic is accepted before the
application is decided, further traffic is not redirected to snort via nfq,
so effectively it does not match any application.

Is there anybody facing the same problem? Are there any settings to tune in
the appid or daq configuration? I have a workaround in mind using marks in
netfilter, but it will be ugly and still won't have any statefulness for
connections accepted by nfq rules.

Thanks!
Ozgur
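The rule-order effect described in the post, as an added example that is not part of the original message: a small Python simulation of an iptables FORWARD chain with a simplified conntrack model (first packet of a flow is NEW, everything after a reply has been seen is ESTABLISHED; RELATED is never produced). It walks one constructed HTTP exchange through two rule orderings and counts how many packets, and how many payload bytes, ever reach NFQUEUE. The addresses, ports, queue number and the exact packet sequence are constructed for the example; the rendered iptables commands use real conntrack-match and NFQUEUE syntax.

```python
# Added example (not from the mailing-list post): how iptables rule order
# decides which packets of a connection reach NFQUEUE, and therefore how much
# of a flow a userspace consumer such as Snort's nfq DAQ ever sees.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

NEW, ESTABLISHED, RELATED = "NEW", "ESTABLISHED", "RELATED"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    target: str                              # "ACCEPT" or "NFQUEUE"
    states: Optional[FrozenSet[str]] = None  # --ctstate match; None matches any packet

    def to_iptables(self, chain: str = "FORWARD") -> str:
        """Render the rule as the equivalent iptables command."""
        match = f" -m conntrack --ctstate {','.join(sorted(self.states))}" if self.states else ""
        extra = " --queue-num 0" if self.target == "NFQUEUE" else ""
        return f"iptables -A {chain}{match} -j {self.target}{extra}"


class Conntrack:
    """Simplified connection tracker: a flow is NEW until a reply-direction
    packet has been seen, then every further packet is ESTABLISHED."""

    def __init__(self) -> None:
        self._flows: Dict[tuple, bool] = {}  # original-direction 4-tuple -> reply seen

    def state(self, pkt: Packet) -> str:
        orig = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reply = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reply in self._flows:             # packet travels in the reply direction
            self._flows[reply] = True
            return ESTABLISHED
        if self._flows.get(orig, False):     # original direction, reply already seen
            return ESTABLISHED
        self._flows.setdefault(orig, False)  # first packet of a new flow
        return NEW


def walk(rules: List[Rule], packets: List[Packet]) -> Dict[str, int]:
    """Run packets through the chain in order and report what reaches NFQUEUE."""
    ct = Conntrack()
    stats = {"queued": 0, "queued_payload_bytes": 0, "accepted_without_queue": 0}
    for pkt in packets:
        st = ct.state(pkt)
        for rule in rules:
            if rule.states is not None and st not in rule.states:
                continue
            if rule.target == "NFQUEUE":
                stats["queued"] += 1
                stats["queued_payload_bytes"] += len(pkt.payload)
            else:
                stats["accepted_without_queue"] += 1
            break  # ACCEPT and NFQUEUE are terminating targets in this chain
    return stats


# Constructed flow: TCP handshake, one HTTP request, one response, final ACK.
CLIENT, SERVER = "10.0.0.5", "203.0.113.10"
FLOW = [
    Packet(CLIENT, 40000, SERVER, 80),                                   # SYN
    Packet(SERVER, 80, CLIENT, 40000),                                   # SYN/ACK
    Packet(CLIENT, 40000, SERVER, 80),                                   # ACK
    Packet(CLIENT, 40000, SERVER, 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Packet(SERVER, 80, CLIENT, 40000, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    Packet(CLIENT, 40000, SERVER, 80),                                   # ACK
]

STATEFUL = Rule("ACCEPT", frozenset({ESTABLISHED, RELATED}))
QUEUE = Rule("NFQUEUE")
# The ordering from the post: stateful accept above the nfq rule.
STATEFUL_ACCEPT_FIRST = [STATEFUL, QUEUE]
# The ordering that works: every packet is queued before the stateful accept.
NFQUEUE_FIRST = [QUEUE, STATEFUL]


def compare() -> Dict[str, Dict[str, int]]:
    """Walk the same flow through both orderings."""
    return {
        "stateful_accept_first": walk(STATEFUL_ACCEPT_FIRST, FLOW),
        "nfqueue_first": walk(NFQUEUE_FIRST, FLOW),
    }


if __name__ == "__main__":
    for name, rules in (("stateful_accept_first", STATEFUL_ACCEPT_FIRST),
                        ("nfqueue_first", NFQUEUE_FIRST)):
        print(name)
        for r in rules:
            print("  " + r.to_iptables())
        print("  ", walk(rules, FLOW))
```

With the stateful accept rule first, only the SYN (state NEW) is queued and zero payload bytes reach the queue; with NFQUEUE first, all six packets including both HTTP payloads are queued, which is the difference between an application identifier that never sees a payload and one that does.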

