[Oisf-users] nfq_set_mark question
Eric Leblond
eric at regit.org
Fri Jul 27 14:06:54 UTC 2012
Hello,
On Friday 27 July 2012 at 17:57 +0400, kay wrote:
> Dear Eric,
>
> Finally I realized how to make dreams come true with xtables-addons:
Nice to hear that!
> iptables -t raw -A PREROUTING -p tcp -m tcp --dport 80 -m set --match-set honeypot src -j RAWDNAT --to-destination ${HONEYPOT}
> iptables -t raw -A PREROUTING -p tcp -m tcp --dport 80 -m mark ! --mark 0x1/0x1 -j NFQUEUE --queue-num 0 --queue-bypass
> iptables -t raw -A PREROUTING -p tcp -m tcp --dport 80 -m mark --mark 0x2/0xfe -j SET --add-set honeypot src
> iptables -t raw -A PREROUTING -p tcp -m tcp --dport 80 -m mark --mark 0x2/0xfe -j RAWDNAT --to-destination ${HONEYPOT}
> ipset create honeypot hash:ip timeout ${TIMEOUT}
>
> On the honeypot we should add:
> iptables -t rawpost -A POSTROUTING -p tcp -m tcp --sport 80 -j RAWSNAT --to-source ${REALSERVER}
>
> When traffic is redirected, the web server on the honeypot gets invalid
> packets without a handshake and automatically tries to reestablish the
> connection (I don't know if it's RFC stuff), so the client's web browser
> doesn't show any error messages. This solution works like a charm!
That's just too kind of the server! But this result is just great!
Thanks for letting us know.
BR,
>
> Happy Sysadmin Day!
>
> 2012/7/11 Eric Leblond <eric at regit.org>:
> > No, it just can't work. One solution could be to have Suricata drop the
> > malicious packet and trigger an alert. Then via an external tool you
> > parse the alert and add the IP to a list of addresses which is NATed. You
> > can use ipset for instance.
--
Eric Leblond
Blog: http://home.regit.org/ - Portfolio: http://regit.500px.com/
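
The approach suggested in the quoted 2012/7/11 message (drop and alert in Suricata, then have an external tool add the source address to an ipset), as an added example that is not part of the original thread. It assumes Suricata's fast.log line layout and the `honeypot` set name from the rules above; the timeout, the allow-list and the sample log lines are constructed.

```python
import ipaddress
import re

# fast.log layout: timestamp, optional [Drop], [gid:sid:rev], message, {PROTO} src:port -> dst:port
FAST_LOG = re.compile(
    r"^\S+\s+(?P<drop>\[Drop\]\s+)?\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+.*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[0-9.]+):\d+\s+->\s+(?P<dst>[0-9.]+):(?P<dport>\d+)\s*$"
)

def parse_alert(line):
    """Return a dict for an IPv4 fast.log line, or None if it does not parse."""
    m = FAST_LOG.match(line.strip())
    if not m:
        return None
    try:
        src = ipaddress.IPv4Address(m["src"])  # only a valid address may reach ipset
    except ValueError:
        return None
    return {"dropped": bool(m["drop"]), "sid": int(m["sid"]),
            "proto": m["proto"], "src": src, "dport": int(m["dport"])}

def ipset_commands(lines, set_name="honeypot", timeout=600, dport=80, trusted=()):
    """Build one 'ipset add' argv per new offending source; nothing is executed here."""
    trusted_nets = [ipaddress.ip_network(n) for n in trusted]
    seen, cmds = set(), []
    for line in lines:
        a = parse_alert(line)
        if not a or not a["dropped"] or a["proto"] != "TCP" or a["dport"] != dport:
            continue  # only dropped TCP packets aimed at the protected port count
        if a["src"] in seen or any(a["src"] in n for n in trusted_nets):
            continue  # skip duplicates and allow-listed hosts (assumed: own monitoring)
        seen.add(a["src"])
        cmds.append(["ipset", "-exist", "add", set_name, str(a["src"]),
                     "timeout", str(timeout)])
    return cmds

# Constructed sample lines: documentation addresses and made-up SIDs.
SAMPLE = [
    "07/27/2012-14:06:54.123456  [Drop] [**] [1:1000001:1] Constructed web attack [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51234 -> 198.51.100.10:80",
    "07/27/2012-14:06:55.000100  [Drop] [**] [1:1000001:1] Constructed web attack [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51235 -> 198.51.100.10:80",
    "07/27/2012-14:07:01.000001  [**] [1:1000002:1] Constructed alert only [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.9:40000 -> 198.51.100.10:80",
    "07/27/2012-14:07:02.000001  [Drop] [**] [1:1000003:1] Constructed ssh rule [**] [Classification: Misc Attack] [Priority: 2] {TCP} 203.0.113.20:40001 -> 198.51.100.10:22",
    "07/27/2012-14:07:03.000001  [Drop] [**] [1:1000001:1] Constructed web attack [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.50:40002 -> 198.51.100.10:80",
    "07/27/2012-14:07:04.000001  [Drop] [**] [1:1000001:1] Constructed web attack [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 999.1.1.1:40003 -> 198.51.100.10:80",
]

if __name__ == "__main__":
    for argv in ipset_commands(SAMPLE, trusted=["192.0.2.0/24"]):
        print(" ".join(argv))
```

Run the returned argv lists with subprocess.run (as root) to populate the set; the first RAWDNAT rule above then redirects those sources.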