[Snort-users] Snort Inline incompatible libipq???

spiderslack spiderslack at ...6873...
Tue Sep 21 15:15:57 EDT 2010


On 09/21/2010 12:16 PM, Tomas Heredia wrote:
>   Also, all traffic for the txp session should go thru Snort...
> Try adding
>
> iptables -I FORWARD -p tcp --sport 3389 -j QUEUE
>
Hi Tomas,

I added the rule as you specified.

iptables -I FORWARD -p tcp --sport 3389 -j QUEUE


but it does not work :(

See the tcpdump logs:

root at ...14985...:~# tcpdump -i br0 -n port 3389
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 96 bytes
15:02:52.121229 IP 100.100.100.100.2844 > 200.200.200.200.3389: Flags [S], seq 3126417596, win 65535, options [mss 1452,nop,nop,sackOK], length 0
15:02:55.102729 IP 100.100.100.100.2844 > 200.200.200.200.3389: Flags [S], seq 3126417596, win 65535, options [mss 1452,nop,nop,sackOK], length 0
15:03:01.129871 IP 100.100.100.100.2844 > 200.200.200.200.3389: Flags [S], seq 3126417596, win 65535, options [mss 1452,nop,nop,sackOK], length 0
15:04:15.775264 IP 100.100.100.100.2850 > 200.200.200.200.3389: Flags [S], seq 2075772945, win 65535, options [mss 1452,nop,nop,sackOK], length 0
15:04:18.711696 IP 100.100.100.100.2850 > 200.200.200.200.3389: Flags [S], seq 2075772945, win 65535, options [mss 1452,nop,nop,sackOK], length 0
15:04:24.722153 IP 100.100.100.100.2850 > 200.200.200.200.3389: Flags [S], seq 2075772945, win 65535, options [mss 1452,nop,nop,sackOK], length 0
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel
root at ...14985...:~#


The rules show:

root at ...14985...:~# iptables -t filter -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
QUEUE      tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spt:3389
QUEUE      tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3389

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
root at ...14985...:~#

root at ...14985...:~# ps ax | grep -i snort
23199 ?        Ss     0:43 /usr/sbin/snort -m 027 -D -Q -l /var/log/snort -u snort -g snort -c /etc/snort/snort.conf
root at ...14985...:~#

I do not know what else to do. I tried to compile C code to give an 
NF_ACCEPT to the packets that are queued, but it does not compile; according 
to my research this is because the 2.6 kernel no longer uses libipq but 
libnetfilter_queue instead. And yes, I am researching how to debug, or at 
least see, whether the packets are going to the QUEUE and arriving there. If 
you have any idea that can help me, I thank you.

Regards.
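A diagnostic for the question at the end of the post (whether packets handed to QUEUE actually reach a userspace listener), added here and not from the thread or the Snort project; it assumes the standard /proc reporting formats of the ip_queue and nfnetlink_queue kernel modules and runs on constructed sample files.

```shell
#!/bin/sh
# Added diagnostic (not from this thread): tell whether packets sent to the
# QUEUE target reach a userspace listener (Snort in -Q mode) by reading the
# kernel's own queue statistics. tcpdump on br0 sees packets before iptables
# acts on them, so it cannot answer that question.
# Legacy ip_queue (libipq) reports in /proc/net/ip_queue; nfnetlink_queue
# (libnetfilter_queue) reports in /proc/net/netfilter/nfnetlink_queue.
# Each function takes a file path, so it runs on the real /proc entry or on
# the constructed samples at the bottom.

# ip_queue: "Peer PID : 0" means no process has bound the queue, so packets
# sent to QUEUE are never delivered. Copy mode 0 (IPQ_COPY_NONE) means the
# listener has not yet asked for packet copies.
ipq_status() {
    pid=$(awk -F: '/^Peer PID/ {gsub(/ /,"",$2); print $2}' "$1")
    mode=$(awk -F: '/^Copy mode/ {gsub(/ /,"",$2); print $2}' "$1")
    dropped=$(awk -F: '/^Queue dropped/ {gsub(/ /,"",$2); print $2}' "$1")
    [ -n "$pid" ] || { echo "absent: ip_queue not loaded"; return 0; }
    [ "$pid" -ne 0 ] || { echo "unbound: no listener on ip_queue"; return 0; }
    echo "bound: pid $pid copymode $mode queue-dropped $dropped"
}

# nfnetlink_queue: one line per bound queue, fields:
#   qnum portid queued copymode copyrange kernel-dropped user-dropped idseq 1
# A queue nobody has bound has no line at all. -j QUEUE uses queue 0.
nfq_status() {
    q="${2:-0}"
    line=$(awk -v q="$q" '$1 == q' "$1")
    [ -n "$line" ] || { echo "unbound: no listener on nfqueue $q"; return 0; }
    set -- $line
    echo "bound: portid $2 queued $3 copymode $4 kernel-dropped $6 user-dropped $7"
}

# Constructed samples, not output from the poster's machine.
IPQ_SAMPLE=$(mktemp); cat >"$IPQ_SAMPLE" <<'EOF'
Peer PID          : 0
Copy mode         : 0
Copy range        : 0
Queue length      : 0
Queue max. length : 1024
Queue dropped     : 0
Netlink dropped   : 0
EOF
NFQ_SAMPLE=$(mktemp); cat >"$NFQ_SAMPLE" <<'EOF'
    0  4242     3 2 65535     0     0       12  1
EOF

ipq_status "$IPQ_SAMPLE"
nfq_status "$NFQ_SAMPLE" 0
```

On the real box, run the functions against the two /proc paths named in the comments; a first, coarser check is the packet counter column of `iptables -vnL FORWARD`, which tells whether the QUEUE rules are matching at all.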