From: Yogdutt S. <son...@gm...> - 2004-10-21 10:23:18
Hi Everybody,

I am having a problem using snort_inline as a filter. I have added iptables rules as follows for incoming web traffic.

    iptables -t mangle -A INPUT -p tcp --syn --sport 80 -m state --state NEW -j MARK --set-mark 1
    iptables -t mangle -A INPUT -p tcp --sport 80 -m state --state NEW -j MARK --set-mark 2
    iptables -I INPUT -m mark --mark 1 -j QUEUE
    iptables -I INPUT -m mark --mark 2 -j QUEUE

And I have added a simple snort_inline rule for changing the pattern "google" to the pattern "abcdef".

    alert tcp any 80 -> $HOME_NET any (msg:"GIF file removed"; content:"google"; nocase; replace:"abcdef";)

But after starting snort_inline in QUEUE mode I am getting confused. I found that when I want to visit "www.google.com" it's going to resolve "www.abcdef.com". Here I have added this rule to replace the incoming payload's pattern, but it is doing the reverse.

Please tell me where I am wrong.

--
Yogdutt Sonivadia
Apropos Infotech Pvt. Ltd.
Bangalore INDIA