[Oisf-users] nfq_set_mark question

kay kay.diam at gmail.com
Wed Jul 11 13:21:50 UTC 2012


Dear Eric,

Don't apologize for the late answer, it's ok. I have broken my mind
several times, but got new skills =)

Thank you very much, it works now. But I have questions:

1) I can not understand why you commented out the following strings:
> #  mode: accept
> #  repeat_mark: 1
> #  repeat_mask: 1
> #  route_queue: 2

I reviewed suricata sources and noticed that "nfq_set_verdict2" is
being used only with NFQ_ROUTE_MODE or NFQ_REPEAT_MODE cases
(source-nfq.c). How does it work in ACCEPT mode?

2) What is the sense and reason to use "repeat" mode and
repeat_mark/repeat_mask options if marking functions in
"accept mode" only and the marking can be implemented via rules?

3) Why can't I catch marked packets in the "nat" table but can catch
them in the "mangle" table?

Thank you for your time.

2012/7/11 Eric Leblond <eric at regit.org>:
> Hello,
>
> Sorry for the late answer I was quite busy.
>
> On Wednesday, 11 July 2012 at 15:38 +0400, kay wrote:
>> Dear Eric,
>>
>> I read your articles several times
>> (https://home.regit.org/2011/04/some-new-features-of-ips-mode-in-suricata-1-1beta2/,
>> http://home.regit.org/?page_id=7) but still can not understand how to
>> mark packets matched by some rule.
>>
>> What I need to achieve is just mark packet (i.e. with 0x80 mark) which
>> contains "TEST" word and it should be visible in "iptables -nvL" with
>> "iptables -A INPUT -p tcp -m mark --mark 0x80/0x80 -m tcp --sport 80
>> -j ACCEPT" rule. How should I configure Suricata and what rule should
>> I use? My previous configs don't work.
>
> Here's a detailed answer to this issue:
>
> The easiest way to do it is to queue the packet in PREROUTING on the table
> raw:
>
> iptables -A PREROUTING -t raw  -p tcp -m tcp -j NFQUEUE --queue-num 0 --queue-bypass
>
> I've added --queue-bypass which is a relatively new option: if no one is
> listening in userspace to the Netfilter queue, the packets are accepted.
>
> Then you can check that the packets are marked by doing:
>
> iptables -I INPUT -m mark --mark 0x80/0x80
>
> No target is used because we just want a counter to be shown when doing
>
> iptables -L INPUT -nv
>
> I've made a simple rules file named "test-content.rules":
>
> pass tcp any any -> any any (content: "TEST"; msg: "TEST was redirected to honeypot!"; nfq_set_mark:0x80/0x80; sid:2455;)
>
> The nfq configuration is not changed from the default one:
>
> nfq:
> #  mode: accept
> #  repeat_mark: 1
> #  repeat_mask: 1
> #  route_queue: 2
>
> Now, we can start suricata:
>
> suricata -c etc/suricata.yaml -S etc/suricata/rules/test-content.rules -q 0
>
> To run the test I've done from the same host
>
> # nc -l -p 80
>
> And
>
> $ telnet localhost 80
>
> Then on the root console I type "TEST" + Enter
>
> Chain INPUT (policy DROP 651 packets, 145K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     1    58            all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x80/0x80
>
> We've got a match.
>
> Hope it helps.
>
> BR,