[Snort-users] A question now that I have nfq working

Graham Murray graham at ...16778...
Tue Apr 15 09:52:08 EDT 2014


James Lay <jlay at ...13475...> writes:

> Well this has been an interesting exercise. Basically it boils down to
> this: either a packet in the Snort nfqueue is accepted and sent on, or
> it's dropped. Now dropped is self evident, but "accepted and sent on"
> means exactly that...sent up the stack, NOT to the next rule in the
> table..the packet is treated just like it had hit an iptables ACCEPT
> rule.

Maybe the solution to that would be to put the NFQ in the mangle table
PREROUTING chain rather than the filter table INPUT chain. That way if
snort accepted (via a verdict of NF_ACCEPT) the packet would traverse
the 'normal' filter rules.
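As an added illustration (my own model, not code from either poster), the following Python sketch of netfilter hook traversal shows the behaviour both messages describe: an NF_ACCEPT verdict returned to an NFQUEUE rule in filter INPUT skips the rest of that chain, whereas the same verdict from mangle PREROUTING lets the packet go on to the ordinary filter INPUT rules. The hook order, rule representation and the "snort" callback are simplified assumptions.

```python
# Added example (not from the thread): a small model of netfilter hook
# traversal for a locally delivered packet, showing why an NF_ACCEPT
# verdict from NFQUEUE in filter/INPUT skips the rest of that chain while
# the same verdict from mangle/PREROUTING still reaches filter/INPUT.
# Hook order, rule syntax and the "snort" callback are simplified
# assumptions; the packets below are constructed samples.

# Hooks a locally delivered packet traverses, in order (only the two
# tables the thread mentions are modelled).
HOOK_ORDER = [("mangle", "PREROUTING"), ("filter", "INPUT")]


def run_chain(rules, pkt, inspect):
    """Evaluate one chain; return a verdict or None if no rule matched."""
    for match, target in rules:
        if not match(pkt):
            continue
        if target == "NFQUEUE":
            # Userspace (snort) verdict: NF_ACCEPT / NF_DROP end this
            # chain's traversal exactly as ACCEPT / DROP targets would.
            return "ACCEPT" if inspect(pkt) == "NF_ACCEPT" else "DROP"
        return target  # ACCEPT or DROP: terminating targets
    return None


def deliver(tables, pkt, inspect):
    """Walk every hook in order: DROP ends it, ACCEPT moves to the next hook."""
    for table, chain in HOOK_ORDER:
        verdict = run_chain(tables.get((table, chain), []), pkt, inspect)
        if verdict == "DROP":
            return "DROPPED"
    return "DELIVERED"


def snort_accepts(pkt):
    return "NF_ACCEPT"  # constructed: snort has no signature for this packet


is_telnet = lambda p: p["proto"] == "tcp" and p["dport"] == 23
any_pkt = lambda p: True
block_telnet = (is_telnet, "DROP")

# James's layout: NFQUEUE in filter INPUT ahead of the ordinary filter rules.
QUEUE_IN_INPUT = {("filter", "INPUT"): [(any_pkt, "NFQUEUE"), block_telnet]}
# Graham's suggestion: NFQUEUE in mangle PREROUTING; filter INPUT unchanged.
QUEUE_IN_PREROUTING = {("mangle", "PREROUTING"): [(any_pkt, "NFQUEUE")],
                       ("filter", "INPUT"): [block_telnet]}

TELNET = {"proto": "tcp", "dport": 23}  # constructed sample packet
```

With these inputs, `deliver(QUEUE_IN_INPUT, TELNET, snort_accepts)` returns `"DELIVERED"` because the telnet DROP rule after NFQUEUE is never evaluated, while `deliver(QUEUE_IN_PREROUTING, TELNET, snort_accepts)` returns `"DROPPED"` because the filter INPUT rule still runs after snort's NF_ACCEPT.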



