[Oisf-users] Empty http.log file
Victor Julien
victor at inliniac.net
Mon Jul 9 10:20:29 EDT 2012
On 07/09/2012 04:17 PM, kay wrote:
> Does anyone have any clue why http.log is empty when suricata runs in NFQ
> "repeat" mode?
Does it work properly if you're using the normal accept/drop nfq mode?
Cheers,
Victor
> 2012/7/9 kay <kay.diam at gmail.com>:
>> I don't quite understand what you mean... I copy-pasted these rules
>> from iptables-save:
>> # Generated by iptables-save v1.4.7 on Mon Jul 9 15:48:00 2012
>> *filter
>> :INPUT ACCEPT [4264:1708762]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [1949:515483]
>> -A INPUT -p tcp -m mark ! --mark 0x1/0x1 -m tcp --dport 80 -j NFQUEUE
>> --queue-num 0
>> -A INPUT -p tcp -m mark --mark 0x1/0x1 -m tcp --dport 80 -j ACCEPT
>> -A OUTPUT -p tcp -m mark ! --mark 0x1/0x1 -m tcp --sport 80 -j NFQUEUE
>> --queue-num 0
>> -A OUTPUT -p tcp -m mark --mark 0x1/0x1 -m tcp --sport 80 -j ACCEPT
>> COMMIT
>> # Completed on Mon Jul 9 15:48:00 2012
>>
>> I run suricata in NFQ "repeat" mode with "-q 0" option.
>>
>> For some reason "accept" mode writes logs, but I need to use the "mark"
>> functionality. Actually, I cannot even reach the "mark packets"
>> functionality in "repeat" mode either. That is why I created the "--mark
>> 0x1/0x1 -m tcp --dport 80 -j ACCEPT" firewall rules, for the iptables
>> counters.
>>
>> Here is my rule:
>>
>> pass tcp any any -> any any (content: "TEST"; msg: "TEST string
>> test!"; nfq_set_mark:0x01/0x01; sid:2455;)
>>
>> 2012/7/9 Victor Julien <victor at inliniac.net>:
>>> On 07/09/2012 01:39 PM, kay wrote:
>>>> Here are iptables rules:
>>>>
>>>> -A INPUT -p tcp -m mark ! --mark 0x1/0x1 -m tcp --dport 80 -j NFQUEUE
>>>> --queue-num 0
>>>> -A INPUT -p tcp -m mark --mark 0x1/0x1 -m tcp --dport 80 -j ACCEPT
>>>> -A OUTPUT -p tcp -m mark ! --mark 0x1/0x1 -m tcp --sport 80 -j NFQUEUE
>>>> --queue-num 0
>>>> -A OUTPUT -p tcp -m mark --mark 0x1/0x1 -m tcp --sport 80 -j ACCEPT
>>>
>>> Are these in the (default) filter table?
>>>
>>> --
>>> ---------------------------------------------
>>> Victor Julien
>>> http://www.inliniac.net/
>>> PGP: http://www.inliniac.net/victorjulien.asc
>>> ---------------------------------------------
>>>
>>>
>>>
>>> _______________________________________________
>>> Oisf-users mailing list
>>> Oisf-users at openinfosecfoundation.org
>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
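The quoted ruleset relies on one thing: a packet that NFQUEUE hands to Suricata in "repeat" mode re-enters the same chain from the top, so the `-m mark ! --mark 0x1/0x1` test is what stops it from being queued a second time. The following is an added model written for this thread, not Suricata's or netfilter's own code. It replays the INPUT side of kay's chain against a few constructed packets and a simplified inspector: the `pass ... content:"TEST"; nfq_set_mark:0x01/0x01` rule sets bit 0x1, and in repeat mode the inspector additionally applies the `repeat-mark`/`repeat-mask` that Suricata's `nfq:` section configures (assumed defaults of 1/1 here). It also shows the failure case a practitioner should watch for: if the repeat verdict leaves no mark the chain can test, the packet loops.

```python
"""Model of netfilter chain traversal for the posted NFQUEUE rules.

Hypothetical educational model (not Suricata or iptables code): it reproduces
first-match rule order, the NFQUEUE hand-off, and the fact that an NF_REPEAT
verdict restarts the same chain from its first rule.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

ACCEPT, DROP, NFQUEUE = "ACCEPT", "DROP", "NFQUEUE"          # iptables targets
NF_ACCEPT, NF_DROP, NF_REPEAT = "NF_ACCEPT", "NF_DROP", "NF_REPEAT"  # nfq verdicts


@dataclass
class Packet:
    dport: int
    payload: bytes
    mark: int = 0                     # nfmark; a fresh packet carries 0


@dataclass
class Rule:
    """One line of the chain: -p tcp --dport <dport> [-m mark [!] --mark v/m] -j <target>."""
    dport: int
    target: str
    mark_value: Optional[int] = None  # None: rule has no '-m mark' match
    mark_mask: int = 0
    negate: bool = False              # the '!' in '-m mark ! --mark'

    def matches(self, pkt: Packet) -> bool:
        if pkt.dport != self.dport:
            return False
        if self.mark_value is None:
            return True
        hit = (pkt.mark & self.mark_mask) == (self.mark_value & self.mark_mask)
        return hit != self.negate


# INPUT side of the quoted iptables-save output (OUTPUT is symmetric on --sport).
INPUT_CHAIN = [
    Rule(80, NFQUEUE, mark_value=0x1, mark_mask=0x1, negate=True),
    Rule(80, ACCEPT, mark_value=0x1, mark_mask=0x1),
]

Inspector = Callable[[Packet], str]


def suricata_nfq(mode: str, repeat_mark: int = 0x1, repeat_mask: int = 0x1) -> Inspector:
    """Simplified stand-in for Suricata's verdict on the posted 'pass' rule.

    content:"TEST" -> nfq_set_mark:0x01/0x01.  In accept mode the verdict is
    NF_ACCEPT.  In repeat mode (assumption: modelled after the repeat-mark /
    repeat-mask settings) the packet is re-injected with NF_REPEAT and marked
    so the chain can recognise it on the second pass.
    """
    def inspect(pkt: Packet) -> str:
        if b"TEST" in pkt.payload:
            pkt.mark = (pkt.mark & ~0x01) | 0x01
        if mode == "repeat":
            pkt.mark = (pkt.mark & ~repeat_mask) | (repeat_mark & repeat_mask)
            return NF_REPEAT
        return NF_ACCEPT
    return inspect


def traverse(chain: List[Rule], pkt: Packet, inspect: Inspector,
             policy: str = ACCEPT, max_passes: int = 8) -> Tuple[str, int]:
    """Walk the chain as netfilter does; NF_REPEAT restarts at rule 1.

    Returns (final target, number of times the packet was queued).  Raises if
    the packet keeps being re-queued, which is what happens when the repeat
    verdict sets no mark that the '! --mark' rule can see.
    """
    queued = 0
    for _ in range(max_passes):
        for rule in chain:
            if not rule.matches(pkt):
                continue
            if rule.target != NFQUEUE:
                return rule.target, queued
            queued += 1
            verdict = inspect(pkt)
            if verdict == NF_DROP:
                return DROP, queued
            if verdict == NF_ACCEPT:
                return ACCEPT, queued
            break                      # NF_REPEAT: start the chain over
        else:
            return policy, queued      # no rule matched: chain policy applies
    raise RuntimeError("packet loops: NF_REPEAT without a mark the chain tests")


if __name__ == "__main__":
    http = Packet(80, b"GET / HTTP/1.1\r\n\r\nTEST")     # constructed sample
    print("accept mode:", traverse(INPUT_CHAIN, Packet(80, http.payload), suricata_nfq("accept")))
    print("repeat mode:", traverse(INPUT_CHAIN, Packet(80, http.payload), suricata_nfq("repeat")))
```

With the mark bit visible to iptables, the second pass skips the NFQUEUE rule and hits the `--mark 0x1/0x1 -j ACCEPT` counter rule, which is exactly the counter kay added to check whether marking happens at all; the `repeat_mark=0` case in the test is the loop you get when the repeat-mark bits and the `! --mark` test do not agree.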