[Snort-users] A question now that I have nfq working

James Lay jlay at ...13475...
Tue Apr 8 20:19:20 EDT 2014


On Tue, 2014-04-08 at 16:49 -0600, James Lay wrote:

> So...it appears that snort using nfq passes the packet along, if 
> it's not dropped by the IDS, regardless of other rules.  Example:
> 
> Let's say I have a rule:
> 
> drop tcp any any -> any 80 (msg:"Test 80"; sid:10000053;)
> 
> I send all my traffic to my INPUT with:
> 
> sudo /sbin/iptables -I INPUT -p tcp --dport 80 -j NFQUEUE --queue-num 1
> 
> But I also have a block rule say to 445:
> pkts bytes target     prot opt in     out     source               destination
>   699 57925 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 1
>     0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445
> 
> So even though I have this drop rule above to 445, I see:
> 
> telnet 192.168.1.6 445
> Trying 192.168.1.6...
> Connected to 192.168.1.6.
> Escape character is '^]'.
> 
> I've found that after passing through the nfqueue as not dropping, it 
> appears the packet is sent along, but not to the next iptables rule.  
> Can someone confirm this behavior?  Thank you.
> 
> James


This is an interesting situation.  Here's a sample...I have a firewall
that looks like:


Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:139
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445
10751  640K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

So this is a whitelist approach: allow just what I want and block the
rest, with the bottom rule as the catch-all.  My issue is that any rules
AFTER the queue rule are disregarded.  So if I do like so:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   39  2940 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 1
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:139
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445
10751  640K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Then any packets that snort doesn't drop never reach the next rule.  Is
there a way to change this behavior?  Thanks.

James
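The behaviour James describes, written up as an added model rather than as code from the post, from netfilter or from Snort: NFQUEUE is a terminating target for the chain it sits in. When the userspace program (Snort's nfq DAQ) answers NF_ACCEPT, the packet leaves that chain as accepted and carries on to the next netfilter hook; it never resumes at the rule below NFQUEUE. The model walks three INPUT chains: the one from the post, the same chain with the DROPs moved above NFQUEUE, and a whitelist rewrite where NFQUEUE takes the place of ACCEPT for the permitted services (ports 22 and 443 are assumed here purely for illustration). The simulated IDS applies only the post's "drop tcp any any -> any 80" rule.

```python
"""Model of iptables INPUT chain traversal with an NFQUEUE target.

Added example, not part of the original post and not netfilter or Snort
code.  It encodes one fact: NFQUEUE terminates traversal of its chain for
the matched packet, whatever verdict userspace returns.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    target: str                    # "ACCEPT", "DROP" or "NFQUEUE"
    proto: Optional[str] = None    # None matches any protocol
    dport: Optional[int] = None    # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (self.proto is None or self.proto == pkt.proto) and \
               (self.dport is None or self.dport == pkt.dport)


Verdict = Callable[[Packet], str]


def traverse(chain: List[Rule], pkt: Packet, ids: Verdict,
             policy: str = "ACCEPT") -> str:
    """Walk the chain top to bottom and return the final verdict.

    ACCEPT and DROP end traversal.  NFQUEUE hands the packet to the
    userspace verdict function and ALSO ends traversal: an NF_ACCEPT from
    userspace leaves the chain as accepted, it does not fall through to the
    next rule.  Only a packet that matches no rule reaches the chain policy.
    """
    for rule in chain:
        if not rule.matches(pkt):
            continue
        if rule.target == "NFQUEUE":
            return ids(pkt)
        return rule.target
    return policy


def snort_like_ids(pkt: Packet) -> str:
    """Stand-in for Snort loaded with: drop tcp any any -> any 80."""
    return "DROP" if pkt.proto == "tcp" and pkt.dport == 80 else "ACCEPT"


# Chain from the post: NFQUEUE on top, DROPs underneath.  Every DROP is dead.
POSTED_CHAIN = [
    Rule("NFQUEUE"),
    Rule("DROP", "tcp", 80),
    Rule("DROP", "tcp", 139),
    Rule("DROP", "tcp", 445),
    Rule("DROP"),
]

# Same rules with the port DROPs moved above NFQUEUE.  The port blocks now
# work, but the trailing catch-all DROP is still unreachable.
REORDERED_CHAIN = [
    Rule("DROP", "tcp", 80),
    Rule("DROP", "tcp", 139),
    Rule("DROP", "tcp", 445),
    Rule("NFQUEUE"),
    Rule("DROP"),
]

# Whitelist form: NFQUEUE replaces ACCEPT for the permitted services
# (22 and 443 are assumed for this example), so only wanted traffic is
# inspected and everything else still hits the catch-all DROP.
WHITELIST_CHAIN = [
    Rule("NFQUEUE", "tcp", 22),
    Rule("NFQUEUE", "tcp", 443),
    Rule("DROP"),
]

PROBE_PORTS = (22, 80, 443, 445, 1234)   # constructed sample traffic


def verdicts(chain: List[Rule], ports=PROBE_PORTS) -> Dict[int, str]:
    """Final verdict for a TCP SYN to each probe port against one chain."""
    return {p: traverse(chain, Packet("tcp", p), snort_like_ids) for p in ports}


if __name__ == "__main__":
    for name, chain in (("posted", POSTED_CHAIN),
                        ("reordered", REORDERED_CHAIN),
                        ("whitelist", WHITELIST_CHAIN)):
        print(f"{name:10s} {verdicts(chain)}")
```

In the posted chain the telnet to 445 is accepted exactly as James observed, because the only rule the packet ever meets is NFQUEUE. Moving the DROPs above NFQUEUE fixes the blocked ports but leaves a catch-all DROP below NFQUEUE unreachable, which is why the whitelist form queues only the permitted ports. Queueing from a table whose hook runs before filter (mangle INPUT) is the other way to keep the filter chain intact: an accepted packet proceeds to the next hook, where the filter rules are then evaluated in full.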