[Snort-users] tcp rules not working

Michael J. Sheldon msheldon at ...13552...
Thu Feb 16 12:12:57 EST 2017

So apparently, it was the iptables entry that was the problem

I had been using (from an example I had found):
iptables -t nat -A PREROUTING -j NFQUEUE --queue-num 2
This works fine for UDP and the initial tcp SYN, but apparently tcp packets *after* the SYN don't traverse the iptables nat rules

Switched to 
iptables -I INPUT -j NFQUEUE --queue-num 2

Now it's working exactly as expected.

Michael Sheldon
Dev-DNS Services

From: James Lay <jlay at ...13475...>
Sent: Wednesday, February 15, 2017 20:01
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] tcp rules not working

Your TCP flow will have a state.  Try flow:established.


On Wed, 2017-02-15 at 22:23 +0000, Michael J. Sheldon wrote:

I'm testing snort for use filtering DNS traffic. I have it set up using nfq inline

This rule works exactly as expected (drops requests for www.example.com<http://www.example.com>):
drop udp any any -> $HOME_NET $DNS_PORTS (msg:"TEST example.com"; flow:stateless; content:"|03|www|07|example|03|com|00|"; nocase; offset:12; sid:3100001; rev:1;)

This rule also works (alerts for all tcp inbound):
alert tcp any any -> $HOME_NET $DNS_PORTS (msg:"TEST all tcp"; sid:3100003; rev:1;)

This rule does NOT work:
drop tcp any any -> $HOME_NET $DNS_PORTS (msg:"TEST example.com"; flow:stateless; content:"|07|example|03|com|00|"; nocase; offset:12; sid:3100002; rev:1;)

After a LOT of playing with the rules, no matter what, if the protocol is TCP, and there is a "content" parameter at all, the rule will not match. tried variations on flow (stateless, to_server, to_client, etc)

I've got to be missing something incredibly simple, but at this point, no idea what it is.

Michael Sheldon
Dev-DNS Services

Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
Snort-users mailing list
Snort-users at lists.sourceforge.net<mailto:Snort-users at lists.sourceforge.net>
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

Please visit http://blog.snort.org to stay current on all the latest Snort news!

More information about the Snort-users mailing list