[Oisf-users] Suricata NFQ in PREROUTING chain

Pavel Stepanov rif.nsk at gmail.com
Wed May 29 02:03:00 UTC 2019


Hi Andreas,

> Is this the whole iptables setup?
There is only one other iptables rule:
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

> where Victor also mentioned that mangle table isn't meant for this purpose.
Sad to hear that.
In this setup, I wanted to mark packets with nfq_set_mark and then send them to proxy. (This is strange, but I didn't find any mention of nfq_set_mark in suricata.readthedocs.io)

Is there any possibility to manage traffic with suricata, not only block or accept packets?
For example, in af_packet mode send traffic from source to one or another interface depending on rules matching, or (as I hoped) mark packets in mangle PREROUTING and then manage them in iptables.

All I want to do is:
1. suricata scans transit http traffic and blocks unwanted traffic
2. suricata scans transit https traffic
3. suricata detects the https sni and compares it to a predefined list of hostnames (e.g. with a lua script)
4. if the sni matches, redirect the traffic to a transparent squid, where ssl will be bumped
5. squid sends this traffic to a simple echo icap server
6. suricata scans the decrypted traffic between squid and icap and blocks unwanted traffic

Is it possible somehow?
--
Regards, Pavel
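As an added example (not from Pavel's or Andreas's mail): a POSIX shell script that emits the filter/FORWARD NFQUEUE rule set, the placement Suricata's documentation gives for a routing box, keeping the same mark test used in the thread so packets Suricata re-injects in repeat mode are not queued a second time, and that lints an iptables-save dump for NFQUEUE rules sitting in the mangle table or in PREROUTING, where the thread saw tls.log and http.log go silent. The queue number, the 0x1/0x1 mark and mask, and eth1 are assumptions taken from the thread; the sample dump is constructed.

```shell
#!/bin/sh
# Added example, not the thread's own setup. Values below are assumptions
# lifted from the thread and must match suricata.yaml (nfq: queue-num,
# repeat-mark, repeat-mask) on the real box.
QUEUE_NUM="${QUEUE_NUM:-0}"
REPEAT_MARK="${REPEAT_MARK:-0x1}"
REPEAT_MASK="${REPEAT_MASK:-0x1}"
WAN_IF="${WAN_IF:-eth1}"   # assumed outbound interface, as in the thread

# Rule set for a transit (routing) box. filter/FORWARD is where transit
# traffic is hooked; the mark test skips packets Suricata already verdicted
# and re-injected (nfq repeat mode). --queue-bypass makes the kernel ACCEPT
# when no listener is bound (fail-open); remove it for fail-closed.
nfq_rules() {
    cat <<EOF
-t filter -I FORWARD -m mark ! --mark $REPEAT_MARK/$REPEAT_MASK -j NFQUEUE --queue-num $QUEUE_NUM --queue-bypass
-t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
}

# Apply with the real binary, or run with IPTABLES=echo to dry-run.
apply_rules() {
    nfq_rules | while IFS= read -r rule; do
        # word-splitting of $rule into arguments is intended here
        "${IPTABLES:-iptables}" $rule
    done
}

# Lint an iptables-save dump on stdin: print every NFQUEUE rule that lives in
# the mangle table or in a PREROUTING chain; exit 1 if any was found.
lint_nfqueue_placement() {
    awk '
        /^\*/ { table = substr($0, 2); next }
        /-j NFQUEUE/ && (table == "mangle" || $2 == "PREROUTING") {
            print "suspect placement in table " table ": " $0; bad = 1
        }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed sample dump: the non-working mangle/PREROUTING rule from the
# thread next to the FORWARD rule that did log traffic.
SAMPLE_DUMP='*mangle
-A PREROUTING -m mark ! --mark 0x1/0x1 -j NFQUEUE --queue-num 0
COMMIT
*filter
-A FORWARD -m mark ! --mark 0x1/0x1 -j NFQUEUE --queue-num 0
COMMIT'
```

Feed `iptables-save` into `lint_nfqueue_placement` on the box itself to check a live rule set the same way.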

-----Original Message-----
From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> On Behalf Of Andreas Herz
Sent: Wednesday, May 29, 2019 2:52 AM
To: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Suricata NFQ in PREROUTING chain

Hi Paul,

On 28/05/19 at 09:06, Pavel Stepanov wrote:
> When I do
> iptables -t mangle -F ; iptables -t mangle -A FORWARD -m mark ! --mark 0x1/0x1 -j NFQUEUE --queue-num 0
> /var/log/suricata/tls.log and /var/log/suricata/http.log show all http and tls traffic normally.
> But when I do
> iptables -t mangle -F ; iptables -t mangle -A PREROUTING -m mark ! --mark 0x1/0x1 -j NFQUEUE --queue-num 0
> /var/log/suricata/tls.log and /var/log/suricata/http.log stop showing anything anymore.

Is this the whole iptables setup?

We also had a request similar to that at our redmine, see
https://redmine.openinfosecfoundation.org/issues/2742 where Victor also mentioned that the mangle table isn't meant for this purpose.

It might work but no guarantee.

--
Andreas Herz
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

Conference: https://suricon.net
Trainings: https://suricata-ids.org/training/
