[Snort-users] Snort with NFQUEUE allows everything (even unopened ports)
jnebrera at ...11827...
Sat Mar 31 09:55:34 EDT 2012
Iptables won't detect the same as Snort, but for sure a port scan will.
You should consider stopping all L3/4 with netfilter and L7 stuff with Snort.
Much faster than the other way around.
Sent from my iPhone
On 31/03/2012, at 15:28, Amm Snort <ammdispose-snort at ...131...> wrote:
>> From: Jaime Nebrera <jnebrera at ...11827...>
>> To: Amm Snort <ammdispose-snort at ...131...>
>> You are not missing anything, and netfilter is working as expected.
>> Your rule states put all traffic into the queue. Unless further on the traffic is dropped, it will go on.
>> If you want to do this for a particular port you have to state so explicitly.
> Ok I found the issue here.
> When a QUEUE program (snort in this case) declares verdict as ACCEPT,
> iptables stops processing further rules and allows the packet.
> Unfortunately this is not what I was thinking, I was under impression that NFQUEUE
> kind of behaves like LOG target i.e. does the processing/logging and moves to next rule.
> So due to this limitation, snort with NFQUEUE becomes useless for me. Because then
> I have to put NFQUEUE target after all rule processing, which means it will NOT get all
> the traffic and would not detect, for example, port scanning attempts.
> My idea was to make snort act as IDS and IPS, i.e. alert for things like port scanning
> and DROP for things like SQL injection.
> Anyway thanks all for replies.
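As an added example (not from this thread, and not Snort's or netfilter's own code), here is the layout the reply recommends: netfilter does the L3/L4 filtering and queues only traffic for the published services to Snort, so a Snort ACCEPT verdict ends rule traversal only for packets that were already allowed, while unsolicited packets (including a scan of closed ports) are logged and dropped by netfilter without ever reaching the queue. Queue number 0 and service ports 80/443 are assumptions.

```shell
#!/bin/sh
# Added example: generate an INPUT chain where netfilter handles L3/L4 and
# Snort on NFQUEUE handles L7. Queue number and ports are assumed values.
QUEUE_NUM=0
SERVICE_PORTS="80 443"

emit_rules() {
    # Print the rules rather than applying them, so the set can be reviewed
    # (or piped into sh as root) without touching the live firewall.
    echo "iptables -P INPUT DROP"
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Junk packets never reach Snort; netfilter drops them first.
    echo "iptables -A INPUT -m conntrack --ctstate INVALID -j DROP"
    # Packets of already-accepted connections go to Snort for L7 inspection.
    # Snort's ACCEPT verdict ends traversal here, which is fine: this traffic
    # was meant to be allowed anyway, and Snort may still DROP it.
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j NFQUEUE --queue-num $QUEUE_NUM"
    # Only new connections to the published services are queued. Without
    # --queue-bypass the rule fails closed: if Snort is not listening on the
    # queue, these packets are dropped rather than let through.
    for p in $SERVICE_PORTS; do
        echo "iptables -A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j NFQUEUE --queue-num $QUEUE_NUM"
    done
    # Everything else (closed ports, unsolicited probes) is logged by netfilter
    # and falls through to the DROP policy. A port scan shows up here.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"INPUT-DROP: \""
}

# Helpers so the generated set can be checked before it is applied.
count_queue_rules() { emit_rules | grep -c -- '-j NFQUEUE'; }
last_rule_logs() { emit_rules | tail -n 1 | grep -q -- '-j LOG'; }

if [ "${1:-}" = "apply" ]; then
    emit_rules | sh          # run as root after reviewing the printed rules
else
    emit_rules
fi
```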