[Snort-users] A question now that I have nfq working
jlay at ...13475...
Tue Apr 8 18:49:00 EDT 2014
So...it appears that snort using nfq passes the packet along, if
it's not dropped by the IDS, regardless of other rules. Example:
Let's say I have a rule:
drop tcp any any -> any 80 (msg:"Test 80"; sid:10000053;)
I send all my traffic to my INPUT with:
sudo /sbin/iptables -I INPUT -p tcp --dport 80 -j NFQUEUE --queue-num 1
But I also have a block rule say to 445:
 pkts bytes target  prot opt in  out source     destination
  699 57925 NFQUEUE all  --  *   *   0.0.0.0/0  0.0.0.0/0   NFQUEUE num 1
    0     0 DROP    tcp  --  *   *   0.0.0.0/0  0.0.0.0/0   tcp dpt:445
So even though I have this drop rule above to 445, I see:
telnet 192.168.1.6 445
Connected to 192.168.1.6.
Escape character is '^]'.
I've found that after passing through the nfqueue as not dropping, it
appears the packet is sent along, but not to the next iptables rule.
Can someone confirm this behavior? Thank you.
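The behaviour the post describes follows from how a netfilter chain is traversed: when the user-space queue handler returns NF_ACCEPT, the packet leaves the hook as accepted and the rules after the NFQUEUE rule are never consulted. The small model below is an added example written for this post, not Snort, DAQ or kernel code; it simulates chain traversal with the three queue verdicts (NF_DROP, NF_ACCEPT, NF_REPEAT) and shows the ruleset as posted, the same ruleset with the kernel-side DROP moved ahead of NFQUEUE, and a variant where a custom handler sets a packet mark and returns NF_REPEAT so that evaluation resumes from the top without re-queueing. Whether Snort's nfq DAQ can issue NF_REPEAT is not established by the post; that variant is shown as an illustration of a hand-written nfqueue handler. Rule, Packet and the handler functions are names invented for the model.

```python
"""Model of netfilter chain traversal for one hook (e.g. INPUT).

Illustrative simulation only: it mimics the verdict semantics of iptables
targets and of the NFQUEUE user-space handler, so a reader can see why a
DROP rule placed after NFQUEUE never fires for packets the handler accepts.
"""
from dataclasses import dataclass
from typing import Optional

# Verdict values as defined in linux/netfilter.h
NF_DROP, NF_ACCEPT, NF_REPEAT = 0, 1, 4


@dataclass
class Packet:
    proto: str
    dport: int
    mark: int = 0          # nfmark, settable by the queue handler


@dataclass
class Rule:
    target: str                       # "ACCEPT", "DROP" or "NFQUEUE"
    proto: Optional[str] = None       # None matches any protocol ("all")
    dport: Optional[int] = None       # models "--dport N"
    not_mark: Optional[int] = None    # models "-m mark ! --mark N"

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.not_mark is not None and pkt.mark == self.not_mark:
            return False
        return True


def traverse(chain, pkt, handler, policy="ACCEPT", max_passes=8):
    """Walk the chain the way the kernel does: the first matching terminating
    target decides.  NFQUEUE hands the packet to the user-space handler:
    NF_ACCEPT ends traversal (later rules are NOT consulted), NF_DROP discards
    the packet, NF_REPEAT re-runs the hook from the first rule (the handler
    must mark the packet so the NFQUEUE rule skips it on the next pass)."""
    for _ in range(max_passes):
        for rule in chain:
            if not rule.matches(pkt):
                continue
            if rule.target in ("ACCEPT", "DROP"):
                return rule.target
            if rule.target == "NFQUEUE":
                verdict = handler(pkt)
                if verdict == NF_DROP:
                    return "DROP"
                if verdict == NF_ACCEPT:
                    return "ACCEPT"
                if verdict == NF_REPEAT:
                    break                     # restart from the first rule
                raise ValueError(f"unknown verdict {verdict}")
        else:
            return policy                     # fell off the end of the chain
    raise RuntimeError("NF_REPEAT loop: handler never marked the packet")


def snort_like_handler(pkt: Packet) -> int:
    """Stand-in for an inline IDS: drops only what its own rules say
    (here the posted 'drop tcp any any -> any 80' rule) and accepts the rest."""
    return NF_DROP if pkt.proto == "tcp" and pkt.dport == 80 else NF_ACCEPT


def repeat_handler(pkt: Packet) -> int:
    """Hypothetical handler that marks the packet and asks the kernel to
    resume rule evaluation instead of accepting outright."""
    if pkt.proto == "tcp" and pkt.dport == 80:
        return NF_DROP
    pkt.mark = 1
    return NF_REPEAT


# Ruleset as posted: NFQUEUE first, DROP to 445 second.
POSTED = [Rule("NFQUEUE"), Rule("DROP", proto="tcp", dport=445)]
# Fix 1: put the kernel-side DROP ahead of the queue rule.
REORDERED = [Rule("DROP", proto="tcp", dport=445), Rule("NFQUEUE")]
# Fix 2: keep the order, but queue only unmarked packets and NF_REPEAT.
MARKED = [Rule("NFQUEUE", not_mark=1), Rule("DROP", proto="tcp", dport=445)]


def verdict(chain, handler, dport, proto="tcp") -> str:
    """Final fate of a packet to the given port under a chain and handler."""
    return traverse(chain, Packet(proto, dport), handler)


if __name__ == "__main__":
    for name, chain, handler in (("posted", POSTED, snort_like_handler),
                                 ("reordered", REORDERED, snort_like_handler),
                                 ("marked+repeat", MARKED, repeat_handler)):
        print(name, {p: verdict(chain, handler, p) for p in (80, 445, 22)})
```

Note that `-I INPUT` inserts at position 1, which is why the NFQUEUE rule sits above the DROP rule in the listing; `-A INPUT` or `-I INPUT 2` would place it after the existing DROP rule, so the kernel would discard port 445 traffic before it ever reached the queue.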