From: NevilleDNZ/Snort <Nev...@sg...> - 2008-08-18 05:43:03

Greetings,

I am currently coming to terms with snort-inline with NFQUEUE.

Ran Fedora9's configure and make "snort" with --enable-inline and --enable-nfnetlink (etc). Seems to work fine (save for a problem with doc/Makefile.in being missing).

The added firewall rule (for testing):

  iptables -t filter -I RH-Firewall-1-INPUT 1 -i lo -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 99
  iptables -t filter -I RH-Firewall-1-INPUT 1 -i lo -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 99
  iptables -t filter -I RH-Firewall-1-INPUT 1 -i lo -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 77

With "modprobe ip_queue; modprobe nfnetlink_queue" and "snort-inline -dv -Q" works perfect.

  # iptable-save | grep queue
  [10:1967] -A RH-Firewall-1-INPUT -i lo -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 77
  [14:2183] -A RH-Firewall-1-INPUT -i lo -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 88
  [48:5989] -A RH-Firewall-1-INPUT -i lo -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 99

Then I browse http://localhost and get:

  # iptable-save | grep queue
  [21:3994] -A RH-Firewall-1-INPUT -i lo -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 77
  [14:2183] -A RH-Firewall-1-INPUT -i lo -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 88
  [48:5989] -A RH-Firewall-1-INPUT -i lo -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 99

It appears the --queue-num 77 is being used.

The question:

 * How do I get snort-inline listening to a specific NFQUEUE --queue-num?
 * I googled a bit, maybe there is a document that can give me a hint?

Thanks
NevilleDNZ
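The counter comparison the post does by eye, written out as an added example (Python; this is not code from the post or from snort-inline). It parses the "[packets:bytes]" counters that iptables-save prints in front of NFQUEUE rules, diffs two snapshots, and reports which queue number actually received packets. The sample input is constructed from the two snapshots quoted above. The point it makes explicit: every rule was inserted with "-I ... 1", so the most recently inserted NFQUEUE rule sits at the top of the chain and is the one that hands packets to userspace; the counters of the other queue numbers stay flat, which is exactly the symptom seen in the post.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the two "iptable-save | grep queue" snapshots quoted
# in the post, taken before and after browsing http://localhost.  The
# "[packets:bytes]" prefix is what iptables-save -c prints in front of each rule.
BEFORE = """\
[10:1967] -A RH-Firewall-1-INPUT -i lo -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 77
[14:2183] -A RH-Firewall-1-INPUT -i lo -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 88
[48:5989] -A RH-Firewall-1-INPUT -i lo -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 99
"""

AFTER = """\
[21:3994] -A RH-Firewall-1-INPUT -i lo -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 77
[14:2183] -A RH-Firewall-1-INPUT -i lo -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 88
[48:5989] -A RH-Firewall-1-INPUT -i lo -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 99
"""

# One NFQUEUE rule line with counters.  Lines that are not NFQUEUE rules
# (other targets, chain headers, COMMIT) simply do not match and are skipped.
NFQUEUE_RULE = re.compile(
    r"^\[(?P<pkts>\d+):(?P<bytes>\d+)\]\s+-A\s+(?P<chain>\S+)\s+.*?"
    r"-j\s+NFQUEUE\s+--queue-num\s+(?P<queue>\d+)\s*$"
)


def parse_nfqueue_rules(text: str) -> List[Tuple[str, int, int, int]]:
    """Return (chain, queue_num, packets, bytes) for every NFQUEUE rule,
    in the order iptables-save lists them, which is chain traversal order."""
    rules = []
    for line in text.splitlines():
        m = NFQUEUE_RULE.match(line.strip())
        if m:
            rules.append((m["chain"], int(m["queue"]), int(m["pkts"]), int(m["bytes"])))
    return rules


def queue_deltas(before: str, after: str) -> Dict[int, Tuple[int, int]]:
    """Per queue number, how many packets and bytes were queued between the
    two snapshots.  Assumes each queue number appears in one rule only, as
    in the post; a queue used from several chains would need (chain, queue)
    as the key instead."""
    prev = {q: (p, b) for _, q, p, b in parse_nfqueue_rules(before)}
    deltas: Dict[int, Tuple[int, int]] = {}
    for _, q, p, b in parse_nfqueue_rules(after):
        p0, b0 = prev.get(q, (0, 0))
        deltas[q] = (p - p0, b - b0)
    return deltas


def active_queues(before: str, after: str) -> List[int]:
    """Queue numbers whose packet counter grew.  These are the queues a
    userspace consumer such as snort-inline must bind to in order to see
    (and be able to drop) the traffic; a rule whose counter never moves is
    shadowed by an earlier rule in the chain."""
    return [q for q, (p, _) in queue_deltas(before, after).items() if p > 0]


if __name__ == "__main__":
    for chain, q, p, b in parse_nfqueue_rules(AFTER):
        print(f"{chain}: queue {q} pkts={p} bytes={b}")
    print("queues that received traffic:", active_queues(BEFORE, AFTER))
```

To use it on a live box, capture "iptables-save -c" twice (before and after generating the traffic of interest) and feed the two captures to queue_deltas; whichever queue number shows a non-zero packet delta is the one the inline process has to be attached to, and any NFQUEUE rule with a flat counter can be deleted rather than left as a misleading duplicate.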