[Oisf-users] nfq_set_mark question

Eric Leblond eric at regit.org
Wed Jul 11 12:44:33 UTC 2012


Sorry for the late answer I was quite busy.

Le mercredi 11 juillet 2012 à 15:38 +0400, kay a écrit :
> Dear Eric,
> I read your articles several times
> (https://home.regit.org/2011/04/some-new-features-of-ips-mode-in-suricata-1-1beta2/,
> http://home.regit.org/?page_id=7) but still can not understand how to
> mark packets matched by some rule.
> What I need to achieve is just mark packet (i.e. with 0x80 mark) which
> contains "TEST" word and it should be visible in "iptables -nvL" with
> "iptables -A INPUT -p tcp -m mark --mark 0x80/0x80 -m tcp --sport 80
> -j ACCEPT" rule. How should I configure Suricata and what rule should
> I use? My previous configs doesn't work.

Here's a detailed answer to this issue:

The easiest way to do is to queue the packet in PREROUTING on the table

iptables -A PREROUTING -t raw  -p tcp -m tcp -j NFQUEUE --queue-num 0 --queue-bypass

I've added --queue-bypass which is a relatively new option: if noone is
listening in userspace to the Netfilter queue, the packet are accepted.

Then you can check that the packet are marked by doing:

iptables -I INPUT -m mark --mark 0x80/0x80

No target is used because we just want a counter to be shown when doing 

iptables -L INPUT -nv

I've made a simple rules file named "test-content.rules":

pass tcp any any -> any any (content: "TEST"; msg: "TEST was redirected to honeypot!"; nfq_set_mark:0x80/0x80; sid:2455;)

The nfq configuration is not changed from the default one:

#  mode: accept
#  repeat_mark: 1
#  repeat_mask: 1
#  route_queue: 2

Now, we can start suricata:

suricata -c etc/suricata.yaml -S etc/suricata/rules/test-content.rules -q 0

To run the the test I've done from the same host

# nc -l -p 80


$ telnet localhost 80

Then on the root console I tape "TEST" + Enter

Chain INPUT (policy DROP 651 packets, 145K bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    58            all  --  *      *              mark match 0x80/0x80

We've got a match.

Hope it helps.


> I do look forward to your help.
> 2012/7/10 kay <kay.diam at gmail.com>:
> > Hey guys, can anybody advice me?
> >
> > 2012/7/9 kay <kay.diam at gmail.com>:
> >> I've just installed suricata 1.3, but still can not detect marked
> >> packets with suricata. I was able to mark all the packets using
> >> "repeat" mode but this makes no sense. I need to mark only "bad"
> >> traffic and send it to firewall once again.
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

Eric Leblond 
Blog: http://home.regit.org/ - Portfolio: http://regit.500px.com/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20120711/7ef5e1f5/attachment.sig>

More information about the Oisf-users mailing list