[Snort-users] A question now that I have nfq working
graham at ...16778...
Tue Apr 15 09:52:08 EDT 2014
James Lay <jlay at ...13475...> writes:
> Well this has been an interesting exercise. Basically it boils down to
> this: either a packet in the Snort nfqueue is accepted and sent on, or
> it's dropped. Now dropped is self-evident, but "accepted and sent on"
> means exactly that...sent up the stack, NOT to the next rule in the
> table...the packet is treated just like it had hit an iptables ACCEPT
Maybe the solution to that would be to put the NFQ in the mangle table
PREROUTING chain rather than the filter table INPUT chain. That way if
snort accepted (via a verdict of NF_ACCEPT) the packet would traverse
the 'normal' filter rules.
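As an added illustration (not from either poster), here are the two placements in iptables-restore syntax: the first is the situation James describes, where Snort's NF_ACCEPT verdict ends filter INPUT traversal and the later INPUT rules never see the packet; the second is the mangle PREROUTING placement Graham proposes, where an accepted packet still reaches filter INPUT. The queue number, the port list and the Snort command line in the comments are assumed values for the example.

```text
# --- Placement 1: NFQUEUE in filter INPUT (the behaviour described above) ---
# NF_ACCEPT from Snort ends traversal of this chain, so the two
# "-A INPUT" rules after the NFQUEUE line are skipped for accepted packets.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j NFQUEUE --queue-num 1
-A INPUT -p tcp --dport 22 -s 192.0.2.0/24 -j ACCEPT   # never reached after NF_ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT                   # never reached after NF_ACCEPT
COMMIT

# --- Placement 2: NFQUEUE in mangle PREROUTING (Graham's suggestion) ---
# The PREROUTING hook runs before routing; an NF_ACCEPT verdict here lets the
# packet continue to the INPUT hook, so the filter INPUT rules still apply
# and the default DROP policy still protects ports Snort did not drop.
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -j NFQUEUE --queue-num 1
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -s 192.0.2.0/24 -j ACCEPT   # evaluated after Snort's verdict
-A INPUT -p tcp --dport 80 -j ACCEPT                   # evaluated after Snort's verdict
COMMIT

# Assumed Snort 2.9 inline invocation reading from queue 1 (not part of the thread):
#   snort -Q --daq nfq --daq-var queue=1 -c /etc/snort/snort.conf
```

A quick way to confirm the difference is to watch the packet counters with `iptables -L INPUT -v -n` while traffic that Snort accepts arrives: with placement 1 the counters on the rules after the NFQUEUE line stay at zero.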