[Oisf-users] nfq_set_mark question

Eric Leblond eric at regit.org
Wed Jul 11 13:56:38 UTC 2012 

Hello,

Le mercredi 11 juillet 2012 à 17:21 +0400, kay a écrit :
> Dear Eric,
> 
> Don't apologize for the late answer, its ok. I have broken my mind
> several times, but got new skills =)
> 
> Thank you very much, it works now. But I have questions:
> 
> 1) I can not understand why you commented out the following strings:
> > #  mode: accept
> > #  repeat_mark: 1
> > #  repeat_mask: 1
> > #  route_queue: 2
> 
> I reviewed suricata sources and noticed that "nfq_set_verdict2" is
> being used only with NFQ_ROUTE_MODE or NFQ_REPEAT_MODE cases
> (source-nfq.c). How does it work in ACCEPT mode?

nfq_set_verdict2 is only used if we need to do advanced stuff on the
packet. The idea behind not using it in all case was to avoid adding
backward compatiblity code for people not having the v2.

> 2) What is the sense and reason to use "repeat" mode and
> repeat_mark/repeat_mask options if the marking functions in the
> "accept mode" only and the marking can be implemented via rules?

As said in my previous mail, I gave you AN answer to your question.
Marking work for repeat mode:

-A INPUT -p tcp -m tcp --dport 80 -m mark ! --mark 0x1/0x1 -j NFQUEUE --queue-num 0 --queue-bypass
-A INPUT -m mark --mark 0x80/0x80
-A INPUT -m mark --mark 0x1/0x1
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

with a suricata.yaml modified:

nfq:
  mode: repeat
  repeat_mark: 1
  repeat_mask: 1

> 3) Why I can't catch marked packed in "nat" table but can catch in
> "mangle" table?

Please reread my initial mail:
http://lists.openinfosecfoundation.org/pipermail/oisf-users/2012-July/001799.html

It explains that nat table is only used for the packet which do not
belong to an established connection. Thus you can't see the packet with
content.

BR,

> 
> Thank you for your time.
> 
> 2012/7/11 Eric Leblond <eric at regit.org>:
> > Hello,
> >
> > Sorry for the late answer I was quite busy.
> >
> > Le mercredi 11 juillet 2012 à 15:38 +0400, kay a écrit :
> >> Dear Eric,
> >>
> >> I read your articles several times
> >> (https://home.regit.org/2011/04/some-new-features-of-ips-mode-in-suricata-1-1beta2/,
> >> http://home.regit.org/?page_id=7) but still can not understand how to
> >> mark packets matched by some rule.
> >>
> >> What I need to achieve is just mark packet (i.e. with 0x80 mark) which
> >> contains "TEST" word and it should be visible in "iptables -nvL" with
> >> "iptables -A INPUT -p tcp -m mark --mark 0x80/0x80 -m tcp --sport 80
> >> -j ACCEPT" rule. How should I configure Suricata and what rule should
> >> I use? My previous configs doesn't work.
> >
> > Here's a detailed answer to this issue:
> >
> > The easiest way to do is to queue the packet in PREROUTING on the table
> > raw:
> >
> > iptables -A PREROUTING -t raw  -p tcp -m tcp -j NFQUEUE --queue-num 0 --queue-bypass
> >
> > I've added --queue-bypass which is a relatively new option: if noone is
> > listening in userspace to the Netfilter queue, the packet are accepted.
> >
> > Then you can check that the packet are marked by doing:
> >
> > iptables -I INPUT -m mark --mark 0x80/0x80
> >
> > No target is used because we just want a counter to be shown when doing
> >
> > iptables -L INPUT -nv
> >
> > I've made a simple rules file named "test-content.rules":
> >
> > pass tcp any any -> any any (content: "TEST"; msg: "TEST was redirected to honeypot!"; nfq_set_mark:0x80/0x80; sid:2455;)
> >
> > The nfq configuration is not changed from the default one:
> >
> > nfq:
> > #  mode: accept
> > #  repeat_mark: 1
> > #  repeat_mask: 1
> > #  route_queue: 2
> >
> > Now, we can start suricata:
> >
> > suricata -c etc/suricata.yaml -S etc/suricata/rules/test-content.rules -q 0
> >
> > To run the the test I've done from the same host
> >
> > # nc -l -p 80
> >
> > And
> >
> > $ telnet localhost 80
> >
> > Then on the root console I tape "TEST" + Enter
> >
> > Chain INPUT (policy DROP 651 packets, 145K bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >     1    58            all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x80/0x80
> >
> > We've got a match.
> >
> > Hope it helps.
> >
> > BR,
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

-- 
Eric Leblond 
Blog: http://home.regit.org/ - Portfolio: http://regit.500px.com/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20120711/1836f321/attachment.sig>

More information about the Oisf-users mailing list