[Oisf-users] Fwd: nfq_set_mark question

kay kay.diam at gmail.com
Fri Jul 6 14:01:22 UTC 2012


Dear Eric,

First of all, thank you for the detailed answer.

I use suricata 1.2.1, and I was happy to know that suricata can mark
and forward (NF_REPEAT) analyzed traffic back to the chain. That can give
a lot of opportunities. And I decided to filter bad traffic to a
honeypot host. Here is a scheme:

                      INTERNET
                         |
                         |
                         |
 -------------------------------------------             -----------------------
 | WEB SERVER with suricata                |  bad traffic |       honeypot      |
 | good traffic passed to                  |------------->|      webserver      |
 | internal web server                     |     DNAT     |                     |
 -------------------------------------------             -----------------------

According to your explanation my scheme wouldn't work. And I guess I
need to add a ROUTER server with suricata, which will pass good traffic
to the web server and bad traffic to the honeypot. Am I right?



Anyway, let's start from a simple rule... Let's only mark bad traffic
and show it in the iptables counters. In that case I should create two
rules:
1) Pass the whole web traffic to suricata:
iptables -A INPUT -p tcp -m mark ! --mark 0x1/0x1 -m tcp --dport 80 -j NFQUEUE --queue-num 0

2) Make the marked traffic visible in the iptables counters (iptables -nvL):
iptables -A INPUT -p tcp -m mark --mark 0x1/0x1 -m tcp --dport 80 -j ACCEPT

I guess the following rule should mark bad traffic and use the NF_REPEAT
verdict to pass bad traffic back to the chain:
pass tcp any any -> any any (content: "TEST"; msg: "TEST was redirected to honeypot!"; nfq_set_mark:0x01/0x01; sid:2455;)

Which mode should I set for the NFQ module? "accept" or "repeat"? When I
set "repeat" mode with 1/1 marks, ALL web traffic passed to the second
rule.

When I set "accept" mode, the traffic became accepted by suricata, and
not one packet became marked, even with the "TEST" content.

2012/7/6 Eric Leblond <eric at regit.org>:
> Hello,
>
> Le vendredi 06 juillet 2012 à 16:09 +0400, kay a écrit :
>> Dear community,
>>
>> I would like to send all "bad" traffic to another server using mark
>> capability, but always got:
>> Packet seems already treated by suricata
>
> I don't think it will work. See explanation below.
>
>>
>> Here are my iptables rules:
>>
>> iptables -t nat -A PREROUTING -p tcp -m mark --mark 0x1 -m tcp --dport
>> 80 -j DNAT --to-destination HONEYPOT_IP
>
> The DNAT rule is only evaluated when the connection the packet belongs to
> is in state NEW. Basically, this is the first packet of the connection.
> This will be a SYN on TCP. There is no real chance that suricata detects an
> abnormal behaviour on this packet.
> Even if it was working, the server would receive packets from a
> connection which is already established. And the operating system would
> not understand.
>
> I continue the explanations below.
>
>> iptables -t nat -A PREROUTING -p tcp -m mark ! --mark 0x1/0x1 -m tcp
>> --dport 80 -j NFQUEUE --queue-num 0
>> iptables -t nat -A POSTROUTING -d 172.16.98.64/32 -p tcp -m mark
>> --mark 0x1 -m tcp --dport 80 -j SNAT --to-source SERVERIP
>>
>> Here are nfq settings:
>> nfq:
>>   mode: repeat
>
> With that setup, Suricata will reinject the packet at the top of
> PREROUTING nat with a mark of 0x1 (mask being 0x1)...
>
>>
>> Here is suricata rule:
>> pass tcp any any -> any any (content: "TEST"; msg: "TEST was
>> redirected to honeypot!"; nfq_set_mark:0x01/0x01; sid:2455;)
>
> This will clash here as bad packets have received the same mark.
>
>>
>> ------------------------------------------------------------------------------------------------------------------------
>>
>> Also I tried to use rules without prerouting and just catch the marked
>> packets with pass rule:
>>
>> iptables -A INPUT -p tcp -m mark ! --mark 0x1/0x1 -m tcp --dport 80 -j
>> NFQUEUE --queue-num 0
>> iptables -A INPUT -p tcp -m mark --mark 0x1/0x1 -m tcp --dport 80 -j ACCEPT
>>
>> But iptables -nvL showed that there is no traffic in the second table:
>> ------------------------------------------------------------------------------------------------------------------------
>> Chain INPUT (policy ACCEPT 975 packets, 82310 bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>   385 43890 NFQUEUE    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match !0x1/0x1 tcp dpt:80 NFQUEUE num 0
>>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0x1/0x1 tcp dpt:80
>>
>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>
>> Chain OUTPUT (policy ACCEPT 595 packets, 205K bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>> ------------------------------------------------------------------------------------------------------------------------
>> When I use drop suricata rule with INPUT iptables chain:
>> drop tcp any any -> any any (content: "TEST"; msg: "TEST was
>> redirected to honeypot!"; nfq_set_mark:0x01/0x01; sid:2455;)
>> Traffic with TEST became dropped.
>
> I don't get what's going on here. The ACCEPT rule should have matched.
> Which version of suricata are you using?
>
>> For some reason it cannot be dropped when I use the PREROUTING chain...
>>
>> Why doesn't the pass rule with nfq_set_mark work?
>
>
> As said before PREROUTING nat only see the first packet ...
>
> BR,
> --
> Eric Leblond
> Blog: http://home.regit.org/ - Portfolio: http://regit.500px.com/
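As an added example (not part of this thread and not Suricata's or netfilter's own code), here is a small Python model of the mark/mask arithmetic behind the two INPUT rules above. It walks a "good" and a "bad" packet through `-m mark ! --mark 0x1/0x1 -j NFQUEUE` and `-m mark --mark X/X -j ACCEPT` under both nfq modes, and shows why, when the pass rule's `nfq_set_mark:0x01/0x01` uses the same bit as the mark Suricata stamps on every reinjected packet in repeat mode (0x1 with mask 0x1, as Eric describes; assumed here to be the `repeat-mark`/`repeat-mask` nfq settings), every packet reaches the ACCEPT rule, while moving the rule's mark to its own bit (0x2/0x2 here) lets only the matched traffic reach it. The HTTP payloads are constructed sample data.

```python
from typing import Dict, Tuple

# Constructed: the content the pass rule in the thread looks for.
BAD_CONTENT = b"TEST"


def mark_matches(pkt_mark: int, value: int, mask: int) -> bool:
    """`-m mark --mark value/mask`: only the bits selected by mask are compared."""
    return (pkt_mark & mask) == (value & mask)


def set_mark(pkt_mark: int, value: int, mask: int) -> int:
    """`nfq_set_mark:value/mask`: rewrite the masked bits, leave the other bits alone."""
    return (pkt_mark & ~mask) | (value & mask)


def suricata_verdict(payload: bytes, mark: int, rule_mark: int, rule_mask: int,
                     repeat_mark: int, repeat_mask: int, mode: str) -> Tuple[str, int]:
    """Model of the pass rule from the thread under the two nfq modes.

    The pass rule sets its mark only when the content matches. In "repeat" mode
    Suricata also stamps every reinjected packet with the repeat mark (assumed
    0x1/0x1) so that the NFQUEUE rule, which excludes that mark, is not hit a
    second time. In "accept" mode the verdict is final: the packet never
    re-enters the chain, whatever mark it carries.
    """
    if BAD_CONTENT in payload:
        mark = set_mark(mark, rule_mark, rule_mask)
    if mode == "repeat":
        return "NF_REPEAT", set_mark(mark, repeat_mark, repeat_mask)
    return "NF_ACCEPT", mark


def run_input_chain(payload: bytes, rule_mark: int, rule_mask: int,
                    mode: str = "repeat", repeat_mark: int = 0x1,
                    repeat_mask: int = 0x1,
                    max_passes: int = 4) -> Tuple[str, Dict[str, int]]:
    """Walk one packet through the two INPUT rules; return (final target, hit counters)."""
    counters = {"NFQUEUE": 0, "ACCEPT": 0, "policy": 0}
    mark = 0
    for _ in range(max_passes):
        # rule 1: -p tcp -m mark ! --mark 0x1/0x1 -m tcp --dport 80 -j NFQUEUE --queue-num 0
        if not mark_matches(mark, repeat_mark, repeat_mask):
            counters["NFQUEUE"] += 1
            verdict, mark = suricata_verdict(payload, mark, rule_mark, rule_mask,
                                             repeat_mark, repeat_mask, mode)
            if verdict == "NF_ACCEPT":
                # accept mode: the packet leaves INPUT here, rule 2 never sees it
                return "ACCEPT-by-suricata", counters
            continue  # NF_REPEAT: back to the top of INPUT with the new mark
        # rule 2: -p tcp -m mark --mark rule_mark/rule_mask -m tcp --dport 80 -j ACCEPT
        if mark_matches(mark, rule_mark, rule_mask):
            counters["ACCEPT"] += 1
            return "ACCEPT", counters
        counters["policy"] += 1  # nothing matched: chain policy decides
        return "policy", counters
    raise RuntimeError("packet kept looping through NFQUEUE")


def compare_layouts() -> Dict[str, Dict[str, str]]:
    """Same two packets under the colliding and the separated mark layout (repeat mode)."""
    good = b"GET /index.html HTTP/1.1"   # constructed sample payload
    bad = b"GET /?q=TEST HTTP/1.1"       # constructed sample payload
    return {
        # Layout from the thread: rule mark 0x1/0x1 equals the repeat mark 0x1/0x1,
        # so every reinjected packet, good or bad, matches the ACCEPT rule.
        "colliding": {"good": run_input_chain(good, 0x1, 0x1)[0],
                      "bad": run_input_chain(bad, 0x1, 0x1)[0]},
        # Rule mark on its own bit (0x2/0x2): only content-matched packets hit ACCEPT.
        "separated": {"good": run_input_chain(good, 0x2, 0x2)[0],
                      "bad": run_input_chain(bad, 0x2, 0x2)[0]},
    }


if __name__ == "__main__":
    for layout, outcome in compare_layouts().items():
        print(f"{layout:10s} good -> {outcome['good']:7s} bad -> {outcome['bad']}")
    print("accept mode, bad packet:", run_input_chain(b"TEST", 0x1, 0x1, mode="accept"))
```

In "accept" mode the model returns with the ACCEPT counter still at zero even for the bad packet: the mark is set, but the packet is accepted from inside Suricata and never comes back to be counted by rule 2, which is what the zero counter in the quoted `iptables -nvL` output reflects.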


