I'm trying to understand how iptables and NFQ work together with snort.

The reason I ask is that, from what I understand, snort can be set to IPS mode via NFQ, but if you have iptables there are essentially firewall rules as well; hence my question, as what I'm trying to do is drop packets that match the rule below (split for readability):

drop tcp any any -> $HOME_NET 80 
  (flags:S; msg:"Possible TCP Dos Be Careful !!"; flow:stateless;
   detection_filter: track by_dst, count 70, seconds 10;
   sid:10001;rev:1;)

The caveat to this is that iptables also seems to be able to drop packets based on a rule, so if that's true, then what I'm asking is how does it all work together with respect to the configuration that I have when running snort (see below)?

vim /usr/local/snort/etc/snort.conf
config daq: nfq
config daq_mode: inline
config daq_var: queue=0

iptables --append FORWARD --jump NFQUEUE --queue-num 0

/usr/local/snort/bin/snort -m 027 -d -l /var/log/snort \
  -u snort -g snort -c /usr/local/snort/etc/snort.conf \
  -Q -S HOME_NET=[192.168.1.0/24]

1 Answer

Well, I'm an average snort user and I'll try to give you more information about this in steps:

  1. Start a snort instance using nfq as the daq;
  2. Then you create a rule in iptables/ip6tables with the NFQUEUE target; this rule sends the packet to userspace so snort can analyse it.

There are a few important things you must know (I've read them on the seclists mailing list):

  1. The rules in iptables must be created after starting the snort instance;
  2. After the packet has been sent to userspace and treated by snort, any subsequent iptables rule in the chain will be ignored;
  3. Snort with nfq as the daq can't analyse IPv4 and IPv6 traffic simultaneously, so you have to create rules with both iptables and ip6tables, and each one should send to its own snort instance (I'm not sure if they can send packets to the same queue).
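The ordering and address-family points above, as an added example that is not part of the original question or answer: start snort, wait until the kernel shows the queue bound in /proc/net/netfilter/nfnetlink_queue, and only then add the NFQUEUE rule. The snort and snort.conf paths follow the question; the queue numbers, the IPv6 HOME_NET prefix and the 30 s timeout are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): bring snort up inline on
# NFQUEUE and only then add the iptables rule, so the rule never queues
# packets to a queue nothing is reading. Run as root.
SNORT=/usr/local/snort/bin/snort
CONF=/usr/local/snort/etc/snort.conf
NFQ_PROC=${NFQ_PROC:-/proc/net/netfilter/nfnetlink_queue}

# queue_bound QUEUE [FILE]: succeed once a userspace reader has bound QUEUE.
# The kernel prints one line per bound queue; column 1 is the queue number.
queue_bound() {
    f=${2:-$NFQ_PROC}
    [ -r "$f" ] || return 1
    awk -v q="$1" '$1 == q { found = 1 } END { exit found ? 0 : 1 }' "$f"
}

# wait_for_queue QUEUE SECONDS [FILE]: poll once a second until bound.
wait_for_queue() {
    i=0
    while [ "$i" -lt "$2" ]; do
        queue_bound "$1" "$3" && return 0
        i=$((i + 1)); sleep 1
    done
    return 1
}

# nfqueue_rule TOOL QUEUE: print the rule handing FORWARD traffic to QUEUE.
# --queue-bypass makes the kernel ACCEPT instead of DROP when no reader is
# bound (fail open); leave it out for fail closed. FORWARD rules after this
# one are skipped for packets snort has already accepted, so filter first.
nfqueue_rule() {
    printf '%s -A FORWARD -j NFQUEUE --queue-num %s --queue-bypass\n' "$1" "$2"
}

# start_family TOOL QUEUE HOME_NET: one snort instance per address family,
# since a single nfq instance cannot take IPv4 and IPv6 at the same time.
start_family() {
    "$SNORT" -D -m 027 -d -l /var/log/snort -u snort -g snort -c "$CONF" \
        -Q --daq nfq --daq-mode inline --daq-var queue="$2" -S HOME_NET="$3"
    wait_for_queue "$2" 30 || { echo "queue $2 never bound" >&2; return 1; }
    eval "$(nfqueue_rule "$1" "$2")"
}

main() {   # placeholder networks; call as root after sourcing this file
    start_family iptables  0 '[192.168.1.0/24]'
    start_family ip6tables 1 '[2001:db8::/32]'
}
```

Source the file and call main as root; the helper functions can be exercised on their own against a saved copy of nfnetlink_queue.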