[Oisf-users] nfq_set_mark question
Eric Leblond
eric at regit.org
Wed Jul 11 12:44:33 UTC 2012
Hello,
Sorry for the late answer, I was quite busy.
On Wednesday, 11 July 2012 at 15:38 +0400, kay wrote:
> Dear Eric,
>
> I read your articles several times
> (https://home.regit.org/2011/04/some-new-features-of-ips-mode-in-suricata-1-1beta2/,
> http://home.regit.org/?page_id=7) but still can not understand how to
> mark packets matched by some rule.
>
> What I need to achieve is just to mark a packet (i.e. with the 0x80 mark) which
> contains the "TEST" word, and it should be visible in "iptables -nvL" with the
> "iptables -A INPUT -p tcp -m mark --mark 0x80/0x80 -m tcp --sport 80
> -j ACCEPT" rule. How should I configure Suricata and what rule should
> I use? My previous configs don't work.
Here's a detailed answer to this issue:
The easiest way to do it is to queue the packets in PREROUTING in the raw
table:
iptables -A PREROUTING -t raw -p tcp -m tcp -j NFQUEUE --queue-num 0 --queue-bypass
I've added --queue-bypass, which is a relatively new option: if no one is
listening in userspace on the Netfilter queue, the packets are accepted.
Then you can check that the packets are marked by doing:
iptables -I INPUT -m mark --mark 0x80/0x80
No target is used because we just want a counter to be shown when doing
iptables -L INPUT -nv
I've made a simple rules file named "test-content.rules":
pass tcp any any -> any any (content: "TEST"; msg: "TEST was redirected to honeypot!"; nfq_set_mark:0x80/0x80; sid:2455;)
The nfq configuration is not changed from the default one:
nfq:
# mode: accept
# repeat_mark: 1
# repeat_mask: 1
# route_queue: 2
Now, we can start suricata:
suricata -c etc/suricata.yaml -S etc/suricata/rules/test-content.rules -q 0
To run the test, I've done the following from the same host:
# nc -l -p 80
And
$ telnet localhost 80
Then on the root console I type "TEST" + Enter:
Chain INPUT (policy DROP 651 packets, 145K bytes)
pkts bytes target prot opt in out source destination
1 58 all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x80/0x80
We've got a match.
Hope it helps.
BR,
>
> I do look forward to your help.
>
> 2012/7/10 kay <kay.diam at gmail.com>:
> > Hey guys, can anybody advise me?
> >
> > 2012/7/9 kay <kay.diam at gmail.com>:
> >> I've just installed suricata 1.3, but still can not detect marked
> >> packets with suricata. I was able to mark all the packets using
> >> "repeat" mode but this makes no sense. I need to mark only "bad"
> >> traffic and send it to firewall once again.
--
Eric Leblond
Blog: http://home.regit.org/ - Portfolio: http://regit.500px.com/
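The flow described in the reply above has three pieces that have to agree: the mark/mask written in the Suricata nfq_set_mark option, the mark the packet carries when it re-enters the firewall, and the value/mask test in the iptables mark match. The following helpers, added here as an example and not code from the thread or from the Suricata project, parse the rule option, combine the mark with an existing packet mark, emulate the iptables match and read the counter back out of `iptables -L INPUT -nv` output. The mark/mask arithmetic is the standard Netfilter convention (only the masked bits are overwritten) and is an assumption about how the values combine; the iptables listing is constructed from the figures shown in the reply.

```python
"""Sanity checks for a Suricata nfq_set_mark -> iptables mark-match flow.

Added example, not part of the mailing-list thread. The mark/mask
arithmetic is assumed to follow the usual Netfilter convention; the
sample iptables output below is constructed, modelled on the reply.
"""
import re
from typing import Dict, List, Tuple

# Suricata rule exactly as written in the thread.
RULE = ('pass tcp any any -> any any (content: "TEST"; '
        'msg: "TEST was redirected to honeypot!"; '
        'nfq_set_mark:0x80/0x80; sid:2455;)')

# Constructed sample of `iptables -L INPUT -nv` after one matching packet.
SAMPLE_IPTABLES_OUTPUT = """\
Chain INPUT (policy DROP 651 packets, 145K bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    58            all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x80/0x80
"""

# Accepts hex (0x80) or decimal values on either side of the slash.
_NFQ_MARK_RE = re.compile(
    r"nfq_set_mark\s*:\s*(0x[0-9a-fA-F]+|\d+)\s*/\s*(0x[0-9a-fA-F]+|\d+)")


def parse_nfq_set_mark(rule: str) -> Tuple[int, int]:
    """Return (mark, mask) from the nfq_set_mark option of a Suricata rule."""
    m = _NFQ_MARK_RE.search(rule)
    if m is None:
        raise ValueError("rule has no nfq_set_mark option")
    return int(m.group(1), 0), int(m.group(2), 0)


def apply_mark(existing: int, mark: int, mask: int) -> int:
    """Combine mark/mask with the mark the packet already carries.

    Assumption: only the bits selected by `mask` are rewritten, all other
    bits of the existing mark are preserved (standard Netfilter behaviour).
    """
    return (existing & ~mask) | (mark & mask)


def iptables_mark_match(pkt_mark: int, value: int, mask: int) -> bool:
    """Emulate `-m mark --mark value/mask`: match when (mark & mask) == value."""
    return (pkt_mark & mask) == value


def mark_rule_counters(listing: str) -> List[Dict[str, object]]:
    """Extract pkts/bytes for every `mark match` rule in `iptables -nv` output."""
    results: List[Dict[str, object]] = []
    for line in listing.splitlines():
        m = re.search(r"^\s*(\d+)\s+(\d+[KMG]?)\s+.*mark match\s+(\S+)", line)
        if m:
            results.append({"pkts": int(m.group(1)),
                            "bytes": m.group(2),
                            "mark": m.group(3)})
    return results


def verify_flow(rule: str, existing_mark: int, ipt_value: int, ipt_mask: int) -> bool:
    """True if a packet hit by `rule` would then be matched by the iptables test."""
    mark, mask = parse_nfq_set_mark(rule)
    return iptables_mark_match(apply_mark(existing_mark, mark, mask), ipt_value, ipt_mask)


if __name__ == "__main__":
    print("rule sets", parse_nfq_set_mark(RULE))
    print("flow consistent:", verify_flow(RULE, 0x0, 0x80, 0x80))
    for entry in mark_rule_counters(SAMPLE_IPTABLES_OUTPUT):
        print(f"{entry['pkts']} pkts matched mark {entry['mark']}")
```

`verify_flow` is the useful check when a counter stays at zero: it tells you whether the rule's mark/mask and the iptables value/mask can agree at all, which separates a rule-syntax mismatch from a packet that never reached the queue (for instance because traffic is queued in a different chain or table than the one the mark match sits in).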