[Snort-users] Snort with NFQUEUE allows everything (even unopened ports)

Amm Snort ammdispose-snort at ...131...
Sat Mar 31 09:28:38 EDT 2012

> From: Jaime Nebrera <jnebrera at ...11827...>
>To: Amm Snort <ammdispose-snort at ...131...>
>You are not missing anything and netfilter is working as expected
>Your rule states put all traffic into the queue. Unless further on the traffic is dropped it will go on.
>If you want to do this for a particular port you have to state so explicit

Ok I found the issue here.

When a QUEUE program (snort in this case) declares its verdict as ACCEPT,
iptables stops processing further rules and allows the packet.

Unfortunately this is not what I was thinking; I was under the impression that NFQUEUE
kind of behaves like the LOG target, i.e. does the processing/logging and moves to the next rule.

So due to this limitation, snort with NFQUEUE becomes useless for me, because then
I have to put the NFQUEUE target after all rule processing, which means it will NOT get all
the traffic and would not detect, for example, port scanning attempts.

My idea was to make snort act as IDS and IPS, i.e. alert for things like port scanning
and DROP for things like SQL injection.

Anyway thanks all for replies.
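Editor's note (added example, not part of the original post or of the Snort project): the verdict behaviour described above only terminates traversal of the chain the NFQUEUE rule sits in. Each table registers its own netfilter hook, so a packet ACCEPTed by Snort from a rule in the mangle table still enters the filter table afterwards, where the usual port policy applies. That gives Snort sight of every inbound packet (including SYNs to closed ports, so port-scan preprocessors still fire) while DROP verdicts from Snort and the filter-table port rules are both enforced. The ruleset below, in iptables-restore format, assumes a host firewall with Snort attached to queue 0 and services on tcp/22 and tcp/80; the interface and ports are assumptions.

```iptables
# Added example for iptables-restore; not from the original post.
# Assumes Snort is running inline on NFQUEUE number 0.
*mangle
:PREROUTING ACCEPT [0:0]
# Every inbound packet is queued to Snort first. An ACCEPT verdict from
# Snort ends only this mangle PREROUTING traversal; the packet then
# continues into the filter table below. A DROP verdict discards it here.
# --queue-bypass (iptables >= 1.4.11, kernel >= 2.6.39) lets traffic flow
# if Snort is not attached to the queue; drop the option to fail closed.
-A PREROUTING -j NFQUEUE --queue-num 0 --queue-bypass
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Normal port policy, applied after Snort has seen (and possibly dropped)
# the packet. Probes to closed ports were already visible to Snort above.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
COMMIT
```

Load it with `iptables-restore < rules.txt` and run Snort inline against the same queue with the NFQ DAQ (on Snort 2.9.x: `snort -Q --daq nfq --daq-var queue=0 -c /etc/snort/snort.conf`); the `-Q` flag is required for drop rules to produce DROP verdicts rather than just alerts. Check with `iptables -t mangle -vnL PREROUTING` that the NFQUEUE counters increase for traffic to closed ports as well as open ones.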

