How do iptables work with NFQ in terms of traffic shaping in snort?
I'm trying to understand how iptables and NFQ work together with snort.

The reason that I ask this is because, from what I understand, snort can be set to IPS via NFQ, but if you have iptables there are essentially firewall rules there too; hence my question, as what I'm trying to do is drop packets that match the rule below (split for readability):

```
# SYN-only packets from anywhere to web servers in HOME_NET; the drop action
# only takes effect once the detection_filter threshold is exceeded
drop tcp any any -> $HOME_NET 80
(flags:S; msg:"Possible TCP Dos Be Careful !!"; flow:stateless;
detection_filter: track by_dst, count 70, seconds 10;
sid:10001;rev:1;)
```

The caveat to this is that iptables also seems to be able to drop packets based on a rule, so if that's true, then what I'm asking is how does it all work together with respect to the configuration that I have when running snort (see below)?

In `/usr/local/snort/etc/snort.conf` (`vim /usr/local/snort/etc/snort.conf`):

```
# use the NFQUEUE DAQ module, in inline (verdict-returning) mode,
# bound to netfilter queue number 0
config daq: nfq
config daq_mode: inline
config daq_var: queue=0
```

The iptables rule that hands forwarded traffic to that queue:

```
iptables --append FORWARD --jump NFQUEUE --queue-num 0
```

And the snort command line (`-Q` enables inline mode; HOME_NET is quoted so the shell does not treat the brackets as a glob pattern):

```
/usr/local/snort/bin/snort -m 027 -d -l /var/log/snort \
    -u snort -g snort -c /usr/local/snort/etc/snort.conf \
    -Q -S 'HOME_NET=[192.168.1.0/24]'
```

Tags: iptables, traffic, blocking, snort, rules
IMO this is a fairly interesting question, but the formatting/content is brutal -- use the code blocks and other text types to clean it up a bit; it will help you get answers & replies.
– jlehtinen, Apr 16 '15 at 13:51

Hi, thanks for that; I hope it looks better now. Any improvements or advice welcome and appreciated.
– Danny, Apr 16 '15 at 15:08
asked Apr 16 '15 at 6:47 by Danny; edited Apr 16 '15 at 22:44 by dawud
1 Answer
Well, I'm an average snort user and I'll try to give you more information about this in steps:

- Start a snort instance using nfq as the DAQ;
- Then you create a rule in iptables/ip6tables with the NFQUEUE target; this rule sends the packet to userspace so snort can analyse it.

There are a few important things you must know (I've read them on the seclists mailing list):

- The rules in iptables must be created after starting the snort instance;
- After the packet has been sent to userspace and treated by snort, any subsequent iptables rule in the chain will be ignored;
- Snort with nfq as the DAQ can't analyse IPv4 and IPv6 traffic simultaneously, so you have to create rules with iptables and ip6tables and each one should send to one snort instance (I'm not sure if they can send packets to the same queue).
answered May 30 '16 at 12:34 by Hugo do Carmo
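The following is an added example written for this page; it is not Snort's code and not code posted in the question or the answer. It models, in Python, the userspace side of the hand-off both posts describe: iptables queues a packet to NFQUEUE, the program bound to that queue (Snort, in the question's setup) inspects it, and a verdict goes back to the kernel. The rule logic (HOME_NET, port 80, `flags:S`, `detection_filter: track by_dst, count 70, seconds 10`) is taken from the question's rule and command line; the `Packet` class, the sample traffic, the verdict constants and the window handling are assumptions made for the example. The window reset behaviour follows the Snort manual's description of `detection_filter` ("alerts on every match after the first count in seconds") rather than Snort's source, so treat it as an approximation.

```python
"""Userspace side of an NFQUEUE hand-off, modelled in Python.

Added example, not Snort's code: it re-implements just enough of the
question's rule to show what inline Snort decides once iptables has queued
a packet to it with `--jump NFQUEUE --queue-num 0`.  Sample traffic below
is constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Taken from the question: -S HOME_NET=[192.168.1.0/24] and the rule header.
HOME_NET = ip_network("192.168.1.0/24")
DST_PORT = 80
# detection_filter: track by_dst, count 70, seconds 10
COUNT, SECONDS = 70, 10

# Verdict values a libnetfilter_queue program hands back to the kernel.
# Assumed as plain constants here; a real program takes them from the headers.
NF_DROP, NF_ACCEPT = 0, 1


@dataclass(frozen=True)
class Packet:
    """Minimal stand-in for the packet handed up from NFQUEUE (assumed shape)."""
    ts: float   # arrival time, seconds
    src: str
    dst: str
    dport: int
    flags: str  # TCP flags as letters: "S" = SYN only, "SA" = SYN+ACK, ...


class DetectionFilter:
    """Approximation of Snort's detection_filter with `track by_dst`.

    A window opens on the first match for a destination.  Matches inside the
    window are counted; the rule may fire once more than `count` of them have
    been seen.  When the window expires the counter starts over.
    """

    def __init__(self, count: int, seconds: int):
        self.count, self.seconds = count, seconds
        self._state = {}  # dst -> (window_start, matches_in_window)

    def exceeded(self, dst: str, ts: float) -> bool:
        start, n = self._state.get(dst, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, n = ts, 0          # open a fresh window for this destination
        n += 1
        self._state[dst] = (start, n)
        return n > self.count


class SynFloodRule:
    """drop tcp any any -> $HOME_NET 80 (flags:S; flow:stateless;
    detection_filter: track by_dst, count 70, seconds 10; sid:10001; rev:1;)"""

    def __init__(self):
        self._filter = DetectionFilter(COUNT, SECONDS)

    def matches(self, pkt: Packet) -> bool:
        # flags:S -> SYN set and nothing else; flow:stateless -> no session
        # state is consulted, so a bare SYN to a HOME_NET web port is enough.
        return (ip_address(pkt.dst) in HOME_NET
                and pkt.dport == DST_PORT
                and pkt.flags == "S")

    def verdict(self, pkt: Packet) -> int:
        """What inline Snort hands back for this packet: the `drop` action
        only applies once the detection_filter threshold is exceeded."""
        if self.matches(pkt) and self._filter.exceeded(pkt.dst, pkt.ts):
            return NF_DROP
        return NF_ACCEPT


def run_queue(packets) -> list:
    """Stand-in for the libnetfilter_queue callback loop: one verdict per
    packet, in arrival order, with rule state carried across packets."""
    rule = SynFloodRule()
    return [rule.verdict(p) for p in packets]


def syn_flood(n: int, dst: str, start: float = 1000.0, gap: float = 0.05):
    """Constructed sample traffic: n SYNs from rotating sources to dst:80."""
    return [Packet(start + i * gap, f"10.0.0.{i % 250 + 1}", dst, DST_PORT, "S")
            for i in range(n)]


def demo():
    """Three constructed scenarios; returns the number of dropped packets in each."""
    # 1. 100 SYNs to one HOME_NET host inside 5 s: the first 70 pass, 30 are dropped.
    flood = syn_flood(100, "192.168.1.10")
    # 2. The same volume aimed at a host outside HOME_NET never matches the rule.
    elsewhere = syn_flood(100, "10.9.9.9")
    # 3. 70 SYNs, a pause longer than the window, 70 more: counter reset, no drops.
    burst = syn_flood(70, "192.168.1.20") + syn_flood(70, "192.168.1.20", start=1020.0)
    return tuple(run_queue(p).count(NF_DROP) for p in (flood, elsewhere, burst))


if __name__ == "__main__":
    print(demo())
```

Nothing in this model actually queues a packet; in the question's setup that is the `iptables --append FORWARD --jump NFQUEUE --queue-num 0` rule, with `config daq_var: queue=0` binding Snort to the same queue number. Two properties of the real hand-off are worth keeping in mind when reading the answer above: a packet the queue program accepts does not resume traversal at the rules that follow the NFQUEUE rule in that chain, so anything iptables itself must enforce belongs before it; and if no program is bound to the queue, queued packets are dropped rather than passed, unless the NFQUEUE rule was added with `--queue-bypass`, which is why the order of starting Snort and adding the rule matters.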