[Oisf-users] Empty http.log file

kay kay.diam at gmail.com
Mon Jul 9 14:23:17 UTC 2012 

Yes, it is.

2012/7/9 Victor Julien <victor at inliniac.net>:
> On 07/09/2012 04:17 PM, kay wrote:
>> Does anyone have any clue why http.log empty when suricata runs in NFQ
>> "repeat" mode?
>
> Does it work properly if you're using the normal accept/drop nfq mode?
>
> Cheers,
> Victor
>
>> 2012/7/9 kay <kay.diam at gmail.com>:
>>> I'm quite not understand what you mean... I copy-pasted these rules
>>> from iptables-save:
>>> # Generated by iptables-save v1.4.7 on Mon Jul  9 15:48:00 2012
>>> *filter
>>> :INPUT ACCEPT [4264:1708762]
>>> :FORWARD ACCEPT [0:0]
>>> :OUTPUT ACCEPT [1949:515483]
>>> -A INPUT -p tcp -m mark ! --mark 0x1/0x1 -m tcp --dport 80 -j NFQUEUE
>>> --queue-num 0
>>> -A INPUT -p tcp -m mark --mark 0x1/0x1 -m tcp --dport 80 -j ACCEPT
>>> -A OUTPUT -p tcp -m mark ! --mark 0x1/0x1 -m tcp --sport 80 -j NFQUEUE
>>> --queue-num 0
>>> -A OUTPUT -p tcp -m mark --mark 0x1/0x1 -m tcp --sport 80 -j ACCEPT
>>> COMMIT
>>> # Completed on Mon Jul  9 15:48:00 2012
>>>
>>> I run suricata in NFQ "repeat" mode with "-q 0" option.
>>>
>>> For some reason "accept" mode writes logs, but I need to use "mark"
>>> functionality. Actually I cannot reach even "mark packets"
>>> functionality in "repeat" mode too. That is why I created "--mark
>>> 0x1/0x1 -m tcp --dport 80 -j ACCEPT" firewall rules for iptables
>>> counter.
>>>
>>> Here is my rule:
>>>
>>> pass tcp any any -> any any (content: "TEST"; msg: "TEST string
>>> test!"; nfq_set_mark:0x01/0x01; sid:2455;)
>>>
>>> 2012/7/9 Victor Julien <victor at inliniac.net>:
>>>> On 07/09/2012 01:39 PM, kay wrote:
>>>>> Here are iptables rules:
>>>>>
>>>>> -A INPUT -p tcp -m mark ! --mark 0x1/0x1 -m tcp --dport 80 -j NFQUEUE
>>>>> --queue-num 0
>>>>> -A INPUT -p tcp -m mark --mark 0x1/0x1 -m tcp --dport 80 -j ACCEPT
>>>>> -A OUTPUT -p tcp -m mark ! --mark 0x1/0x1 -m tcp --sport 80 -j NFQUEUE
>>>>> --queue-num 0
>>>>> -A OUTPUT -p tcp -m mark --mark 0x1/0x1 -m tcp --sport 80 -j ACCEPT
>>>>
>>>> Are these in the (default) filter table?
>>>>
>>>> --
>>>> ---------------------------------------------
>>>> Victor Julien
>>>> http://www.inliniac.net/
>>>> PGP: http://www.inliniac.net/victorjulien.asc
>>>> ---------------------------------------------
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Oisf-users mailing list
>>>> Oisf-users at openinfosecfoundation.org
>>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> _______________________________________________
>> Oisf-users mailing list
>> Oisf-users at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>
>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

More information about the Oisf-users mailing list