[Oisf-users] nfq_set_mark question

Eric Leblond eric at regit.org
Fri Jul 6 13:26:40 UTC 2012


Hello,

On Friday 06 July 2012 at 16:09 +0400, kay wrote:
> Dear community,
> 
> I would like to send all "bad" traffic to another server using mark
> capability, but always got:
> Packet seems already treated by suricata

I don't think it will work. See explanation below.

> 
> Here are my iptables rules:
> 
> iptables -t nat -A PREROUTING -p tcp -m mark --mark 0x1 -m tcp --dport
> 80 -j DNAT --to-destination HONEYPOT_IP

The DNAT rule is only evaluated when the connection the packet belongs to
is in state NEW. Basically, this is the first packet of the connection.
This will be a SYN on TCP. There is no real chance that suricata detects an
abnormal behaviour on this packet.
Even if it was working, the server would receive packets from a
connection which is already established. And the operating system would
not understand.

I continue the explanations below.

> iptables -t nat -A PREROUTING -p tcp -m mark ! --mark 0x1/0x1 -m tcp
> --dport 80 -j NFQUEUE --queue-num 0
> iptables -t nat -A POSTROUTING -d 172.16.98.64/32 -p tcp -m mark
> --mark 0x1 -m tcp --dport 80 -j SNAT --to-source SERVERIP
> 
> Here are nfq settings:
> nfq:
>   mode: repeat

With that setup, Suricata will reinject the packet at the top of
PREROUTING nat with a mark of 0x1 (mask being 0x1)...

> 
> Here is suricata rule:
> pass tcp any any -> any any (content: "TEST"; msg: "TEST was
> redirected to honeypot!"; nfq_set_mark:0x01/0x01; sid:2455;)

This will clash here as bad packets have received the same mark.

> 
> ------------------------------------------------------------------------------------------------------------------------
> 
> Also I tried to use rules without prerouting and just catch the marked
> packets with pass rule:
> 
> iptables -A INPUT -p tcp -m mark ! --mark 0x1/0x1 -m tcp --dport 80 -j
> NFQUEUE --queue-num 0
> iptables -A INPUT -p tcp -m mark --mark 0x1/0x1 -m tcp --dport 80 -j ACCEPT
> 
> But iptables -nvL showed that there is no traffic in the second table:
> ------------------------------------------------------------------------------------------------------------------------
> Chain INPUT (policy ACCEPT 975 packets, 82310 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>   385 43890 NFQUEUE    tcp  --  *      *       0.0.0.0/0
> 0.0.0.0/0           mark match !0x1/0x1 tcp dpt:80 NFQUEUE num 0
>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0
> 0.0.0.0/0           mark match 0x1/0x1 tcp dpt:80
> 
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
> Chain OUTPUT (policy ACCEPT 595 packets, 205K bytes)
>  pkts bytes target     prot opt in     out     source               destination
> ------------------------------------------------------------------------------------------------------------------------
> When I use drop suricata rule with INPUT iptables chain:
> drop tcp any any -> any any (content: "TEST"; msg: "TEST was
> redirected to honeypot!"; nfq_set_mark:0x01/0x01; sid:2455;)
> Traffic with TEST got dropped.

I don't get what's going on here. The ACCEPT rules should have matched.
Which version of suricata are you using?

> For some reason it cannot be dropped when I use PREROUTING chain...
> 
> Why pass rule with nfq_set_mark doesn't work?


As said before, PREROUTING nat only sees the first packet ...

BR,
-- 
Eric Leblond 
Blog: http://home.regit.org/ - Portfolio: http://regit.500px.com/
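Eric's explanation above rests on two mechanisms: the nat table is consulted only for the first (NEW) packet of a connection, and in repeat mode Suricata re-injects the packet at the top of the chain with mark 0x1/0x1 set, so that the "! --mark 0x1/0x1" guard on the NFQUEUE rule is what stops the packet from being queued again. The following Python model is an added illustration written for this page, not netfilter or Suricata code; the rule matching, the conntrack lookup, the repeat-mark value and the sample packets are simplified assumptions taken from the thread. It runs kay's two rulesets through the model to show which packets each chain can actually hand to the IDS and what mark they carry afterwards.

```python
"""Toy model of the netfilter traversal discussed in this thread (constructed
illustration, not netfilter or Suricata code).  Assumptions: the nat table is
consulted only for NEW connections; Suricata in "mode: repeat" sets mark 0x1
(mask 0x1) and re-injects at the top of the chain; a packet that already
carries that mark is reported as "Packet seems already treated by suricata"."""
from dataclasses import dataclass, field
from typing import List, Optional

FULL_MASK = 0xFFFFFFFF


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes = b""
    mark: int = 0


@dataclass
class Rule:
    """One iptables rule: optional --dport and -m mark [!] --mark value/mask."""
    target: str                         # "NFQUEUE", "DNAT" or "ACCEPT"
    dport: Optional[int] = None
    mark: Optional[int] = None
    mask: int = FULL_MASK               # "--mark 0x1" alone means full mask
    negate_mark: bool = False
    to_destination: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.mark is not None:
            hit = (pkt.mark & self.mask) == (self.mark & self.mask)
            if hit == self.negate_mark:  # "!" inverts the mark match
                return False
        return True


class Conntrack:
    """Minimal conntrack: first packet of a tuple is NEW, later ones ESTABLISHED."""
    def __init__(self):
        self.seen = set()

    def state(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.dst, pkt.dport)
        if key in self.seen:
            return "ESTABLISHED"
        self.seen.add(key)
        return "NEW"


@dataclass
class SuricataRepeat:
    """Stand-in for Suricata (nfq mode: repeat) running the pass rule from the thread."""
    repeat_mark: int = 0x1
    repeat_mask: int = 0x1
    log: List[str] = field(default_factory=list)

    def handle(self, pkt: Packet) -> str:
        if (pkt.mark & self.repeat_mask) == (self.repeat_mark & self.repeat_mask):
            self.log.append("Packet seems already treated by suricata")
            return "ACCEPT"
        if b"TEST" in pkt.payload:               # content:"TEST"; nfq_set_mark:0x01/0x01
            self.log.append("TEST was redirected to honeypot!")
            pkt.mark = (pkt.mark & ~0x01) | 0x01
        # repeat mode: tag the packet so the guarded NFQUEUE rule is skipped next pass
        pkt.mark = (pkt.mark & ~self.repeat_mask) | (self.repeat_mark & self.repeat_mask)
        return "REPEAT"


def traverse(rules, pkt, ct, ids, nat_table, max_passes=4):
    """Walk one chain; an NF_REPEAT verdict restarts at the top of the same chain."""
    if nat_table and ct.state(pkt) != "NEW":
        return "NAT-SKIPPED"              # nat table never consulted for this packet
    for _ in range(max_passes):
        for rule in rules:
            if not rule.matches(pkt):
                continue
            if rule.target == "NFQUEUE":
                verdict = ids.handle(pkt)
                if verdict == "REPEAT":
                    break                 # re-enter at the top of the chain
                return verdict
            if rule.target == "DNAT":
                pkt.dst = rule.to_destination
                return "DNAT"
            return "ACCEPT"
        else:
            return "POLICY"
    raise RuntimeError("NF_REPEAT loop")


NAT_PREROUTING = [  # kay's nat PREROUTING rules, in order
    Rule("DNAT", dport=80, mark=0x1, to_destination="HONEYPOT_IP"),
    Rule("NFQUEUE", dport=80, mark=0x1, mask=0x1, negate_mark=True),
]
FILTER_INPUT = [    # kay's INPUT-chain variant
    Rule("NFQUEUE", dport=80, mark=0x1, mask=0x1, negate_mark=True),
    Rule("ACCEPT", dport=80, mark=0x1, mask=0x1),
]


def nat_scenario():
    """SYN, then a data packet containing TEST, through nat PREROUTING."""
    ct, ids = Conntrack(), SuricataRepeat()
    syn = Packet("10.0.0.5", "SERVERIP", 80)                         # constructed
    data = Packet("10.0.0.5", "SERVERIP", 80, payload=b"GET /TEST")  # constructed
    v_syn = traverse(NAT_PREROUTING, syn, ct, ids, nat_table=True)
    v_data = traverse(NAT_PREROUTING, data, ct, ids, nat_table=True)
    return v_syn, syn.dst, syn.mark, v_data, data.mark, list(ids.log)


def filter_scenario():
    """Same data packet through the INPUT variant (filter table sees every packet)."""
    ct, ids = Conntrack(), SuricataRepeat()
    data = Packet("10.0.0.5", "SERVERIP", 80, payload=b"GET /TEST")  # constructed
    v = traverse(FILTER_INPUT, data, ct, ids, nat_table=False)
    return v, data.mark, list(ids.log)


def no_guard_scenario():
    """NFQUEUE rule without the "! --mark 0x1/0x1" guard: re-injected packet is queued again."""
    ct, ids = Conntrack(), SuricataRepeat()
    pkt = Packet("10.0.0.5", "SERVERIP", 80)                         # constructed
    v = traverse([Rule("NFQUEUE", dport=80)], pkt, ct, ids, nat_table=False)
    return v, list(ids.log)


if __name__ == "__main__":
    print(nat_scenario())
    print(filter_scenario())
    print(no_guard_scenario())
```

In the nat scenario the SYN is the only packet the IDS ever sees, it carries no "TEST" so the signature cannot fire, and after re-injection its mark is 0x1 regardless, so the plain `--mark 0x1` DNAT rule matches it anyway; the later data packet is ESTABLISHED and never traverses nat PREROUTING at all. The INPUT variant does see the data packet, and after the repeat the `--mark 0x1/0x1 -j ACCEPT` rule matches, which is the behaviour Eric expects the counters to show. The last scenario shows what the guard on the NFQUEUE rule prevents.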
