[Oisf-users] Empty http.log file

kay kay.diam at gmail.com
Mon Jul 9 14:17:46 UTC 2012


Does anyone have any clue why http.log is empty when suricata runs in NFQ
"repeat" mode?

2012/7/9 kay <kay.diam at gmail.com>:
> I don't quite understand what you mean... I copy-pasted these rules
> from iptables-save:
> # Generated by iptables-save v1.4.7 on Mon Jul  9 15:48:00 2012
> *filter
> :INPUT ACCEPT [4264:1708762]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [1949:515483]
> -A INPUT -p tcp -m mark ! --mark 0x1/0x1 -m tcp --dport 80 -j NFQUEUE --queue-num 0
> -A INPUT -p tcp -m mark --mark 0x1/0x1 -m tcp --dport 80 -j ACCEPT
> -A OUTPUT -p tcp -m mark ! --mark 0x1/0x1 -m tcp --sport 80 -j NFQUEUE --queue-num 0
> -A OUTPUT -p tcp -m mark --mark 0x1/0x1 -m tcp --sport 80 -j ACCEPT
> COMMIT
> # Completed on Mon Jul  9 15:48:00 2012
>
> I run suricata in NFQ "repeat" mode with "-q 0" option.
>
> For some reason "accept" mode writes logs, but I need to use the "mark"
> functionality. Actually, I cannot even reach the "mark packets"
> functionality in "repeat" mode either. That is why I created the "--mark
> 0x1/0x1 -m tcp --dport 80 -j ACCEPT" firewall rules, to use the iptables
> counters.
>
> Here is my rule:
>
> pass tcp any any -> any any (content: "TEST"; msg: "TEST string test!"; nfq_set_mark:0x01/0x01; sid:2455;)
>
> 2012/7/9 Victor Julien <victor at inliniac.net>:
>> On 07/09/2012 01:39 PM, kay wrote:
>>> Here are iptables rules:
>>>
>>> -A INPUT -p tcp -m mark ! --mark 0x1/0x1 -m tcp --dport 80 -j NFQUEUE --queue-num 0
>>> -A INPUT -p tcp -m mark --mark 0x1/0x1 -m tcp --dport 80 -j ACCEPT
>>> -A OUTPUT -p tcp -m mark ! --mark 0x1/0x1 -m tcp --sport 80 -j NFQUEUE --queue-num 0
>>> -A OUTPUT -p tcp -m mark --mark 0x1/0x1 -m tcp --sport 80 -j ACCEPT
>>
>> Are these in the (default) filter table?
>>
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>>
>>
>>
>> _______________________________________________
>> Oisf-users mailing list
>> Oisf-users at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
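The rule pair quoted above (NFQUEUE for unmarked packets, ACCEPT for marked ones) only works in "repeat" mode because the NF_REPEAT verdict sends the packet back through the chain from the first rule; the mark is what stops it from being queued a second time. The following is an added example, not code from this thread, from Suricata or from iptables: a small model of that chain traversal using the posted INPUT rules, with a constructed stand-in for Suricata's verdict (the `suricata_verdict` function and the 0x1/0x1 mark are assumptions standing in for `nfq_set_mark:0x01/0x01` or an equivalent repeat-mark setting). It shows the packet being accepted on the second pass when the mark is set, and looping when it is not.

```python
"""Model of an iptables chain handling an NF_REPEAT verdict with a packet mark.

Added example for the thread above; not Suricata or iptables code. The rule
list mirrors the INPUT rules posted in the thread, the verdict function is a
constructed stand-in for Suricata in NFQ "repeat" mode.
"""

NF_ACCEPT = "ACCEPT"
NF_REPEAT = "REPEAT"   # kernel re-runs the chain from the first rule
MAX_PASSES = 8         # guard so a mis-configured chain cannot loop forever


def match_mark(rule_mark, rule_mask, invert, pkt_mark):
    """Semantics of 'iptables -m mark [!] --mark value/mask'."""
    hit = (pkt_mark & rule_mask) == rule_mark
    return hit != invert


# INPUT chain as posted in the thread (tcp dport 80 match omitted: every
# packet in this model is already HTTP to port 80).
INPUT_CHAIN = [
    {"mark": 0x1, "mask": 0x1, "invert": True,  "target": "NFQUEUE", "queue": 0},
    {"mark": 0x1, "mask": 0x1, "invert": False, "target": "ACCEPT"},
]


def suricata_verdict(pkt, set_mark):
    """Assumed stand-in for Suricata in repeat mode: always NF_REPEAT, and
    mark 0x1/0x1 applied to the packet when set_mark is True (what
    nfq_set_mark:0x01/0x01 or a repeat-mark setting would do)."""
    if set_mark:
        pkt["mark"] = (pkt["mark"] & ~0x1) | 0x1
    return NF_REPEAT


def traverse(chain, pkt, verdict_fn):
    """Walk the chain. On NFQUEUE hand the packet to verdict_fn; on NF_REPEAT
    restart from rule 0 with the (possibly updated) mark.
    Returns (final_target, passes_through_chain, times_queued)."""
    passes = 0
    queued = 0
    while passes < MAX_PASSES:
        passes += 1
        for rule in chain:
            if not match_mark(rule["mark"], rule["mask"], rule["invert"], pkt["mark"]):
                continue
            if rule["target"] == "NFQUEUE":
                queued += 1
                verdict = verdict_fn(pkt)
                if verdict == NF_REPEAT:
                    break          # re-enter the chain from the top
                return verdict, passes, queued
            return rule["target"], passes, queued
        else:
            # No rule matched: the chain policy (ACCEPT here) applies.
            return "POLICY_ACCEPT", passes, queued
    return "LOOP", passes, queued


def run_with_mark():
    """Suricata sets the mark: queued once, accepted on the second pass."""
    pkt = {"mark": 0x0}   # constructed packet: no mark on arrival
    return traverse(INPUT_CHAIN, pkt, lambda p: suricata_verdict(p, set_mark=True))


def run_without_mark():
    """No mark set: every pass hits the NFQUEUE rule again until the guard trips."""
    pkt = {"mark": 0x0}
    return traverse(INPUT_CHAIN, pkt, lambda p: suricata_verdict(p, set_mark=False))


if __name__ == "__main__":
    print("with mark:   ", run_with_mark())      # ('ACCEPT', 2, 1)
    print("without mark:", run_without_mark())   # ('LOOP', 8, 8)
```

The point for a real deployment: the `! --mark` NFQUEUE rule must precede the `--mark ... -j ACCEPT` rule, and the mark Suricata applies must agree (value and mask) with what the ACCEPT rule tests, otherwise the repeat verdict re-queues the same packet indefinitely and no application-layer log is ever produced for it. Checking the packet counters on the two rules, as the poster did, is a reasonable way to see which branch traffic is taking.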


