[Snort-users] tcp rules not working
Michael J. Sheldon
msheldon at ...13552...
Thu Feb 16 12:12:57 EST 2017
So apparently, it was the iptables entry that was the problem.
I had been using (from an example I had found):
iptables -t nat -A PREROUTING -j NFQUEUE --queue-num 2
This works fine for UDP and the initial TCP SYN, but apparently TCP packets *after* the SYN don't traverse the iptables nat rules.
iptables -I INPUT -j NFQUEUE --queue-num 2
Now it's working exactly as expected.
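As an added illustration (not code from the thread or from Snort), the following Python decodes the content strings of the rules quoted below into bytes, builds the DNS query for www.example.com that they are meant to match, and checks the offset:12 constraint against both the UDP payload and the DNS-over-TCP framing, which RFC 1035 section 4.2.2 prefixes with a 2-byte length field. The query bytes and the offset-check emulation are constructed here and are an approximation of Snort's matcher, not its implementation.

```python
import struct


def snort_content_to_bytes(content: str) -> bytes:
    """Convert Snort content syntax ("|03|www|07|example") to raw bytes.

    Text outside |...| is literal; text inside is hex. Constructed helper."""
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2 == 1:                      # odd parts sit inside |...|
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("ascii")
    return bytes(out)


def build_dns_query(qname: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a minimal standard DNS query (RFC 1035 section 4.1): 12-byte
    header, then the QNAME as length-prefixed labels, a zero terminator,
    QTYPE and QCLASS=IN. Sample values are constructed."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def tcp_dns_payload(message: bytes) -> bytes:
    """DNS over TCP carries each message behind a 2-byte length prefix
    (RFC 1035 section 4.2.2), so every field shifts by two bytes."""
    return struct.pack("!H", len(message)) + message


def content_offset(payload: bytes, content: str, offset: int = 0,
                   nocase: bool = False) -> int:
    """Emulate Snort's content/offset check: the pattern may begin at or
    after byte `offset`. Returns the match index, or -1 if no match."""
    needle = snort_content_to_bytes(content)
    if nocase:
        payload, needle = payload.lower(), needle.lower()
    return payload.find(needle, offset)


if __name__ == "__main__":
    udp = build_dns_query("www.example.com")
    tcp = tcp_dns_payload(udp)
    print("UDP match at", content_offset(udp, "|03|www|07|example|03|com|00|", 12))
    print("TCP match at", content_offset(tcp, "|07|example|03|com|00|", 12, True))
```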
From: James Lay <jlay at ...13475...>
Sent: Wednesday, February 15, 2017 20:01
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] tcp rules not working
Your TCP flow will have a state. Try flow:established.
On Wed, 2017-02-15 at 22:23 +0000, Michael J. Sheldon wrote:
I'm testing snort for use filtering DNS traffic. I have it set up using nfq inline.
This rule works exactly as expected (drops requests for www.example.com<http://www.example.com>):
drop udp any any -> $HOME_NET $DNS_PORTS (msg:"TEST example.com"; flow:stateless; content:"|03|www|07|example|03|com|00|"; nocase; offset:12; sid:3100001; rev:1;)
This rule also works (alerts for all tcp inbound):
alert tcp any any -> $HOME_NET $DNS_PORTS (msg:"TEST all tcp"; sid:3100003; rev:1;)
This rule does NOT work:
drop tcp any any -> $HOME_NET $DNS_PORTS (msg:"TEST example.com"; flow:stateless; content:"|07|example|03|com|00|"; nocase; offset:12; sid:3100002; rev:1;)
After a LOT of playing with the rules, no matter what, if the protocol is TCP and there is a "content" parameter at all, the rule will not match. Tried variations on flow (stateless, to_server, to_client, etc.).
I've got to be missing something incredibly simple, but at this point, no idea what it is.