Snort: 2.9.0.5 (inline mode with single interface eth0 using NFQ)
DAQ: 0.5
Barnyard2
Problem: Snort/Barnyard2 is not reporting any alerts for the following local rule (simple HTTP traffic)
local.rules:
alert tcp any any <> any any (content:"www.yahoo.com"; msg:"NO YAHOO 4U"; sid:1000006;rev:1;)
--------------------------------
Iptables configuration:
> iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
NFQUEUE icmp -- anywhere anywhere NFQUEUE num 0
NFQUEUE tcp -- anywhere anywhere tcp dpt:www NFQUEUE num 0
ACCEPT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
NFQUEUE tcp -- anywhere anywhere tcp spt:www NFQUEUE num 0
------------------------------------------------------------------------------------
Command to Run Snort:
> snort --daq nfq -Q -c snort.conf --daq-dir /usr/local/lib/daq --daq-var device=eth0
---------------------------------------------------------------------------------
I am running the following command to trigger the rule:
wget yahoo.com
--------------------------------------------------------------------------
Snort in PCAP mode is reporting alerts with the same rules, but the problem is that in inline mode it is not.
Can you help me, please?
------------------------------------------------------------------------------
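One check worth making before looking at Snort itself is whether the HTTP packets of the wget run are ever handed to NFQUEUE 0 at all. The script below is an added example, not part of the original post or of Snort/DAQ: it models the three NFQUEUE rules exactly as shown in the `iptables -L` output above and evaluates them against constructed packet descriptions. It assumes that `wget yahoo.com` is run on the same host that runs Snort (so the request traverses OUTPUT and the reply traverses INPUT) and that the client's ephemeral port is 40000; both are assumptions, not facts from the post. Under those assumptions the posted rules (INPUT `tcp dpt:www`, OUTPUT `tcp spt:www`) queue the traffic of a web server on this host but neither packet of a local client's HTTP exchange, which would explain why PCAP mode (which sees everything on eth0) alerts while inline mode does not. The `CLIENT_SIDE_RULES` set shows the port direction that covers a local client; the rendered `iptables` commands use the standard `-p`, `--dport`, `--sport`, `-j NFQUEUE --queue-num` options.

```python
"""Model the NFQUEUE rules from the post and check which packets of a
local HTTP client exchange would reach queue 0.

Added example, not from the original post. All packet descriptions are
constructed; the ephemeral port 40000 is an assumption.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

HTTP = 80  # shown as "www" in `iptables -L` output


@dataclass(frozen=True)
class Packet:
    chain: str        # netfilter hook the packet traverses: "INPUT" or "OUTPUT"
    proto: str        # "tcp" or "icmp"
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class NfqRule:
    chain: str
    proto: str
    sport: Optional[int] = None   # tcp spt:<port> match, None = any source port
    dport: Optional[int] = None   # tcp dpt:<port> match, None = any destination port
    queue: int = 0

    def matches(self, pkt: Packet) -> bool:
        """True if iptables would hand this packet to NFQUEUE under this rule."""
        if pkt.chain != self.chain or pkt.proto != self.proto:
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True

    def as_command(self) -> str:
        """Render the equivalent `iptables -A` command line."""
        parts = ["iptables", "-A", self.chain, "-p", self.proto]
        if self.sport is not None:
            parts += ["--sport", str(self.sport)]
        if self.dport is not None:
            parts += ["--dport", str(self.dport)]
        parts += ["-j", "NFQUEUE", "--queue-num", str(self.queue)]
        return " ".join(parts)


# The rules exactly as listed in the post's `iptables -L` output.
POSTED_RULES = [
    NfqRule("INPUT", "icmp"),
    NfqRule("INPUT", "tcp", dport=HTTP),    # INPUT: tcp dpt:www
    NfqRule("OUTPUT", "tcp", sport=HTTP),   # OUTPUT: tcp spt:www
]

# Port direction that covers an HTTP *client* running on the Snort host (assumption).
CLIENT_SIDE_RULES = [
    NfqRule("OUTPUT", "tcp", dport=HTTP),   # request leaving the host
    NfqRule("INPUT", "tcp", sport=HTTP),    # response coming back
]

# Constructed: the two directions of `wget` run on the Snort host itself.
LOCAL_WGET = [
    Packet("OUTPUT", "tcp", sport=40000, dport=HTTP),   # GET leaves via OUTPUT
    Packet("INPUT", "tcp", sport=HTTP, dport=40000),    # reply arrives via INPUT
]

# Constructed: a remote client talking to a web server on this host.
INBOUND_CLIENT = [
    Packet("INPUT", "tcp", sport=40000, dport=HTTP),
    Packet("OUTPUT", "tcp", sport=HTTP, dport=40000),
]


def queued_packets(rules: List[NfqRule], packets: List[Packet]) -> List[Packet]:
    """Packets that at least one NFQUEUE rule would divert to the queue."""
    return [p for p in packets if any(r.matches(p) for r in rules)]


def coverage(rules: List[NfqRule], packets: List[Packet]) -> Tuple[int, int]:
    """(queued, total) for a packet list, so a gap shows as queued < total."""
    return len(queued_packets(rules, packets)), len(packets)


if __name__ == "__main__":
    for name, pkts in (("local wget", LOCAL_WGET), ("inbound client", INBOUND_CLIENT)):
        print(f"posted rules, {name}: {coverage(POSTED_RULES, pkts)}")
    print("client-side rules, local wget:", coverage(CLIENT_SIDE_RULES, LOCAL_WGET))
    for r in CLIENT_SIDE_RULES:
        print(r.as_command())
```

On a live box the same question is answered by the packet counters in `iptables -L -v -n`: an NFQUEUE rule whose counter stays at zero while wget runs is not feeding Snort anything, whatever the rule file says.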
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users