[Oisf-users] nfq_set_mark question
Eric Leblond
eric at regit.org
Fri Jul 6 13:26:40 UTC 2012
Hello,
On Friday, 06 July 2012 at 16:09 +0400, kay wrote:
> Dear community,
>
> I would like to send all "bad" traffic to another server using the mark
> capability, but I always get:
> Packet seems already treated by suricata
I don't think it will work. See explanation below.
>
> Here are my iptables rules:
>
> iptables -t nat -A PREROUTING -p tcp -m mark --mark 0x1 -m tcp --dport
> 80 -j DNAT --to-destination HONEYPOT_IP
The DNAT rule is only evaluated when the connection the packet belongs to
is in state NEW. Basically, this is the first packet of the connection.
This will be a SYN on TCP. There is no real chance that suricata detects
abnormal behaviour on this packet.
Even if it were working, the server would receive packets from a
connection which is already established, and the operating system would
not understand.
I continue the explanations below.
> iptables -t nat -A PREROUTING -p tcp -m mark ! --mark 0x1/0x1 -m tcp
> --dport 80 -j NFQUEUE --queue-num 0
> iptables -t nat -A POSTROUTING -d 172.16.98.64/32 -p tcp -m mark
> --mark 0x1 -m tcp --dport 80 -j SNAT --to-source SERVERIP
>
> Here are nfq settings:
> nfq:
> mode: repeat
With that setup, Suricata will reinject the packet at the top of
PREROUTING nat with a mark of 0x1 (mask being 0x1)...
>
> Here is suricata rule:
> pass tcp any any -> any any (content: "TEST"; msg: "TEST was
> redirected to honeypot!"; nfq_set_mark:0x01/0x01; sid:2455;)
This will clash here as bad packets have received the same mark.
>
> ------------------------------------------------------------------------------------------------------------------------
>
> Also I tried to use rules without PREROUTING and just catch the marked
> packets with a pass rule:
>
> iptables -A INPUT -p tcp -m mark ! --mark 0x1/0x1 -m tcp --dport 80 -j
> NFQUEUE --queue-num 0
> iptables -A INPUT -p tcp -m mark --mark 0x1/0x1 -m tcp --dport 80 -j ACCEPT
>
> But iptables -nvL showed that there isn't any traffic in the second rule:
> ------------------------------------------------------------------------------------------------------------------------
> Chain INPUT (policy ACCEPT 975 packets, 82310 bytes)
> pkts bytes target prot opt in out source destination
> 385 43890 NFQUEUE tcp -- * * 0.0.0.0/0 0.0.0.0/0 mark match !0x1/0x1 tcp dpt:80 NFQUEUE num 0
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x1/0x1 tcp dpt:80
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
>
> Chain OUTPUT (policy ACCEPT 595 packets, 205K bytes)
> pkts bytes target prot opt in out source destination
> ------------------------------------------------------------------------------------------------------------------------
> When I use drop suricata rule with INPUT iptables chain:
> drop tcp any any -> any any (content: "TEST"; msg: "TEST was
> redirected to honeypot!"; nfq_set_mark:0x01/0x01; sid:2455;)
> Traffic with TEST became dropped.
I don't get what's going on here. The ACCEPT rule should have matched.
Which version of suricata are you using?
> For some reason it cannot be dropped when I use PREROUTING chain...
>
> Why pass rule with nfq_set_mark doesn't work?
As said before PREROUTING nat only see the first packet ...
BR,
--
Eric Leblond
Blog: http://home.regit.org/ - Portfolio: http://regit.500px.com/
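The two points made in this reply (the nat PREROUTING chain is only walked for the first packet of a connection, and the repeat-mode mark and the nfq_set_mark value both occupy bit 0x1, so they cannot be told apart) are modelled below. This is an added illustration, not Suricata or netfilter code: it models iptables mark/mask matching, conntrack-gated nat evaluation and the repeat-mode reinjection on a constructed two-packet TCP flow. The ruleset labelled "original" is the one quoted above; the "separated" ruleset, which moves the honeypot mark to bit 0x2, is an assumed alternative layout.

```python
# Added illustration (not Suricata or netfilter code): a small model of
# netfilter mark/mask matching, conntrack-gated nat evaluation and
# Suricata's nfq "repeat" reinjection, run over a constructed TCP flow.

REPEAT_MARK, REPEAT_MASK = 0x1, 0x1   # repeat mode sets 0x1/0x1 on every reinjected packet


def mark_matches(mark, value, mask, negate=False):
    """-m mark [!] --mark value/mask: only the masked bits are compared."""
    hit = (mark & mask) == (value & mask)
    return not hit if negate else hit


def set_mark(mark, value, mask):
    """nfq_set_mark:value/mask (and the repeat mark): bits outside the mask are kept."""
    return (mark & ~mask) | (value & mask)


def suricata_verdict(packet, detect_value, detect_mask):
    """Model of the 'pass' rule: payload containing TEST gets the detect mark.
    Every packet Suricata hands back also carries the repeat mark."""
    mark = packet["mark"]
    if b"TEST" in packet["payload"]:
        mark = set_mark(mark, detect_value, detect_mask)
    return set_mark(mark, REPEAT_MARK, REPEAT_MASK)


def run_nat_prerouting(packet, rules, detect):
    """Walk a nat PREROUTING chain; return the terminating target or None.

    rules: list of (value, mask, negate, target).
    The nat table is consulted only for the first packet of a connection
    (conntrack state NEW); later packets of the flow skip it entirely.
    """
    if packet["state"] != "NEW":
        return None
    for _ in range(8):                      # guard against an endless repeat loop
        for value, mask, negate, target in rules:
            if not mark_matches(packet["mark"], value, mask, negate):
                continue
            if target == "NFQUEUE":
                packet["mark"] = suricata_verdict(packet, *detect)
                break                       # repeat mode: restart at the top of the chain
            return target
        else:
            return None                     # no rule matched on this pass
    return None


# Ruleset quoted in the thread: both the DNAT match and the detect mark use bit 0x1.
ORIGINAL_RULES = [
    (0x1, 0xFFFFFFFF, False, "DNAT"),       # -m mark --mark 0x1 (no mask given = full mask)
    (0x1, 0x1, True, "NFQUEUE"),            # -m mark ! --mark 0x1/0x1
]
ORIGINAL_DETECT = (0x1, 0x1)                # nfq_set_mark:0x01/0x01

# Assumed alternative layout: 0x1 = "already inspected", 0x2 = "send to honeypot".
SEPARATED_RULES = [
    (0x2, 0x2, False, "DNAT"),
    (0x1, 0x1, True, "NFQUEUE"),
]
SEPARATED_DETECT = (0x2, 0x2)


def flow():
    """Constructed two-packet flow: the SYN, then the first data segment."""
    return [
        {"state": "NEW", "payload": b"", "mark": 0},
        {"state": "ESTABLISHED", "payload": b"GET /TEST HTTP/1.1\r\n", "mark": 0},
    ]


def simulate(rules, detect):
    """Target reached in nat PREROUTING for each packet of the constructed flow."""
    return [run_nat_prerouting(p, rules, detect) for p in flow()]


if __name__ == "__main__":
    print("original :", simulate(ORIGINAL_RULES, ORIGINAL_DETECT))    # ['DNAT', None]
    print("separated:", simulate(SEPARATED_RULES, SEPARATED_DETECT))  # [None, None]
```

With the quoted ruleset the benign SYN is DNATed: Suricata reinjects it with mark 0x1, which is exactly what the DNAT rule matches, so every connection goes to the honeypot. With separate bits the SYN is left alone, but the data segment that actually carries TEST never reaches the nat table at all, because its conntrack state is no longer NEW. Either way the redirect cannot be triggered by payload seen after the handshake.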