[Oisf-users] Empty http.log file

Victor Julien victor at inliniac.net
Tue Jul 10 14:27:06 UTC 2012


You can't set marks in rules if you're not receiving packets. Did you try
my suggestion?

On 07/10/2012 04:16 PM, kay wrote:
> Dear Victor,
> 
> The rule I use is:
> 
> pass tcp any any -> any any (content: "TEST"; msg: "TEST stringt!";
> nfq_set_mark:0x01/0x01; sid:2455;)
> 
> Where I set proper mark for packet which suricata should catch. And I
> think that this packet should be logged and passed to another QUEUE
> but unfortunately it is not.
> 
> 2012/7/10 Victor Julien <victor at inliniac.net>:
>> On 07/10/2012 04:08 PM, kay wrote:
>>> 10/7/2012 -- 18:02:30 - <Info> - NFQ running in REPEAT mode with mark 0/0
>>> 10/7/2012 -- 18:02:39 - <Info> - Packet seems already treated by suricata
>>> 10/7/2012 -- 18:02:39 - <Info> - Packet seems already treated by suricata
>>> 10/7/2012 -- 18:02:39 - <Info> - Packet seems already treated by suricata
>>> 10/7/2012 -- 18:02:39 - <Info> - Packet seems already treated by suricata
>>> 10/7/2012 -- 18:02:39 - <Info> - Packet seems already treated by suricata
>>
>> I think the mark you set is wrong. Can you set it to 1/1 in the yaml?
>>
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>>
>>
>>
>> _______________________________________________
>> Oisf-users mailing list
>> Oisf-users at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
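For readers who find this thread later, the following is an added configuration example, not something posted in the thread or shipped by the Suricata project. It shows the repeat-mode setting that produces the "Packet seems already treated by suricata" messages next to the 1/1 setting Victor suggests, together with the iptables rule that has to go with it. The queue number (0), the chain (FORWARD) and the interface names are assumptions for illustration. In repeat mode Suricata compares each incoming packet's mark against repeat-mark under repeat-mask to decide whether it already re-injected that packet; with 0/0 that comparison is true for every packet, so nothing is inspected and no rule (including one with nfq_set_mark) ever runs.

```yaml
# suricata.yaml, nfq section. Assumed queue number 0 and chain FORWARD.

# --- Setting that triggers "Packet seems already treated by suricata" ---
# mark 0 under mask 0 equals every packet's mark under mask 0, so each
# packet looks like one Suricata already re-injected and is passed through
# without inspection. Rules never fire, so nfq_set_mark never runs.
# nfq:
#   mode: repeat
#   repeat-mark: 0
#   repeat-mask: 0

# --- Corrected setting: set bit 0 of the mark on re-injected packets ---
nfq:
  mode: repeat
  repeat-mark: 1      # mark value written on packets Suricata re-injects
  repeat-mask: 1      # only bit 0 is compared and written
  # route-queue is only used in mode: route; left unset here.

# Matching firewall rule (run as root; assumed chain and queue number):
#   iptables -I FORWARD -m mark ! --mark 1/1 -j NFQUEUE --queue-num 0
#
# Packets without bit 0 set are queued to Suricata once. Suricata sets
# 1/1 on them when it issues the NF_REPEAT verdict, so on the second pass
# the "! --mark 1/1" match excludes them and they continue down the chain.
# Any later rule can then match on the mark a signature set, e.g. a
# signature with "nfq_set_mark:0x02/0x02" followed by:
#   iptables -A FORWARD -m mark --mark 2/2 -j NFQUEUE --queue-num 1
# Keep the bits used by repeat-mark and by nfq_set_mark disjoint, or the
# repeat check will mistake rule-marked packets for re-injected ones.
```

Check the effect in the log: after the change Suricata should report "NFQ running in REPEAT mode with mark 1/1" at startup and the "already treated" lines should stop for fresh traffic.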