[Snort-users] Snort with NFQUEUE allows everything (even unopened ports)

Jaime Nebrera jnebrera at ...11827...
Sat Mar 31 09:55:34 EDT 2012


Iptables won't detect the same as Snort but for sure a port scan will

You should consider stopping all L3/4 with netfilter and L7 stuff with Snort.

Much faster than the other way around

Sent from my iPhone

On 31/03/2012, at 15:28, Amm Snort <ammdispose-snort at ...131...> wrote:

>
>> From: Jaime Nebrera <jnebrera at ...11827...>
>> To: Amm Snort <ammdispose-snort at ...131...>
>>
>> You are not missing anything and netfilter is working as expected
>>
>> Your rule states put all traffic into the queue. Unless further on the traffic is dropped it will go on.
>>
>> If you want to do this for a particular port you have to state so explicit
>
>
> Ok I found the issue here.
>
> When a QUEUE program (snort in this case) declares verdict as ACCEPT,
> iptables stops processing further rules and allows the packet.
>
> Unfortunately this is not what I was thinking, I was under impression that NFQUEUE
> kind of behaves like LOG target i.e. does the processing/logging and moves to next rule.
>
> So due to this limitation, snort with NFQUEUE becomes useless for me, because then
> I have to put the NFQUEUE target after all rule processing, which means it will NOT get all
> the traffic and would not detect, for example, port scanning attempts.
>
> My idea was to make snort act as IDS and IPS, i.e. alert for things like port scanning
> and DROP for things like SQL injection.
>
> Anyway thanks all for replies.
>
> AMM
>
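The two rule orderings discussed in this thread, as an added shell example that is not from the thread or from the Snort project: the queue-first layout Amm describes (Snort's ACCEPT verdict ends traversal, so the port rules after it never run) beside the netfilter-first layout Jaime suggests (L3/4 decided by netfilter, only admitted traffic queued to Snort, closed-port probes logged). Queue number 0, ports 22/80 and the dry-run `IPT` variable are assumptions.

```shell
#!/bin/sh
# IPT defaults to a dry run that only prints the commands;
# set IPT=iptables to apply them (requires root).
IPT="${IPT:-echo iptables}"

# Ordering from the thread that "allows everything": every packet is
# queued first. When Snort returns an ACCEPT verdict, netfilter stops
# rule traversal for that packet in this chain, so the port rule below
# is never consulted and unopened ports are reachable.
queue_first_ruleset() {
    $IPT -P INPUT DROP
    $IPT -A INPUT -j NFQUEUE --queue-num 0
    $IPT -A INPUT -p tcp --dport 22 -j ACCEPT
}

# Suggested ordering: netfilter decides at L3/4 (connection state and
# allowed ports), logs what it drops so scans stay visible, and only
# traffic that would be admitted anyway goes to Snort for L7 inspection.
netfilter_first_ruleset() {
    $IPT -P INPUT DROP
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j NFQUEUE --queue-num 0
    $IPT -A INPUT -p tcp --dport 22 -j NFQUEUE --queue-num 0
    $IPT -A INPUT -p tcp --dport 80 -j NFQUEUE --queue-num 0
    # LOG is non-terminating: the probe is logged, then falls through
    # to the DROP policy without ever reaching Snort.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "closed-port: "
}

# Ordering check: line number of the first rule jumping to target $2
# in the output of ruleset function $1 (0 if that target is absent).
rule_line() {
    n=$("$1" | grep -n -- "-j $2" | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}
```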