Hi Everybody,
I am having a problem using snort_inline as a filter.
I have added iptables rules as follows for incoming web traffic:
iptables -t mangle -A INPUT -p tcp --syn --sport 80 -m state --state NEW -j MARK --set-mark 1
iptables -t mangle -A INPUT -p tcp --sport 80 -m state --state NEW -j MARK --set-mark 2
iptables -I INPUT -m mark --mark 1 -j QUEUE
iptables -I INPUT -m mark --mark 2 -j QUEUE
and I have added a simple snort_inline rule for changing the pattern "google" to the pattern "abcdef":
alert tcp any 80 -> $HOME_NET any (msg:"GIF file removed"; content:"google"; nocase; replace:"abcdef";)
But after starting snort_inline in QUEUE mode I am getting confused.
I found that when I want to visit "www.google.com" it goes and resolves "www.abcdef.com".
Here I have added this rule to replace the pattern in the incoming payload, but it is doing the reverse.
Please tell me where am I wrong?
--
Yogdutt Sonivadia
Apropos Infotech Pvt. Ltd.
Bangalore
INDIA
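The following is an added illustration, not code from the post above or from snort_inline itself. It models the two things a `content ... replace` rule does on a queued packet: check the rule header's direction (here `any 80 -> $HOME_NET any`, i.e. source port 80) and substitute a same-length, case-insensitive pattern in the payload. Running it over a constructed client request and a constructed server response shows which of the two a source-port-80 header actually selects, which is the first thing to compare against the packets the iptables rules are queuing. The packet layout, port numbers and HTML are all constructed for the example; `$HOME_NET` is treated as "any".

```python
# Added illustration (not snort_inline's own code): a minimal model of how an
# inline "content ... replace" rule is applied to packets, so the direction of
# the rule header can be checked against the packets actually being queued.
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src_port: int
    dst_port: int
    payload: bytes


@dataclass
class ReplaceRule:
    """Models a header like 'tcp any 80 -> $HOME_NET any' plus content/replace.
    $HOME_NET is assumed to be 'any' here; only ports are modelled."""
    src_port: Optional[int]      # None means "any"
    dst_port: Optional[int]      # None means "any"
    content: bytes
    replacement: bytes
    nocase: bool = True

    def __post_init__(self) -> None:
        # The replace modifier only works with a replacement of exactly the
        # same length: packet length and TCP sequence numbers must not change.
        if len(self.content) != len(self.replacement):
            raise ValueError("replace string must be the same length as content")

    def matches_direction(self, pkt: Packet) -> bool:
        return ((self.src_port is None or pkt.src_port == self.src_port) and
                (self.dst_port is None or pkt.dst_port == self.dst_port))

    def apply(self, pkt: Packet) -> tuple[Packet, int]:
        """Return the (possibly rewritten) packet and the number of substitutions."""
        if not self.matches_direction(pkt):
            return pkt, 0
        flags = re.IGNORECASE if self.nocase else 0
        pattern = re.compile(re.escape(self.content), flags)
        new_payload, count = pattern.subn(lambda _m: self.replacement, pkt.payload)
        return Packet(pkt.src_port, pkt.dst_port, new_payload), count


def run_inline(rule: ReplaceRule, packets: list[Packet]) -> list[tuple[bytes, int]]:
    """Apply the rule to each packet; return (payload, substitutions) per packet."""
    results = []
    for pkt in packets:
        out, count = rule.apply(pkt)
        assert len(out.payload) == len(pkt.payload)   # length is always preserved
        results.append((out.payload, count))
    return results


# The rule from the post: source port 80 (server responses), any destination.
RULE = ReplaceRule(src_port=80, dst_port=None, content=b"google", replacement=b"abcdef")

# Constructed sample traffic: one client request, one server response.
SAMPLE_PACKETS = [
    Packet(51234, 80, b"GET / HTTP/1.1\r\nHost: www.google.com\r\n\r\n"),
    Packet(80, 51234, b"HTTP/1.1 200 OK\r\n\r\n<a href=\"http://www.Google.com\">GOOGLE</a>"),
]

if __name__ == "__main__":
    for payload, count in run_inline(RULE, SAMPLE_PACKETS):
        print(count, payload)
```

With the header as written, only the packet whose source port is 80 (the response) is rewritten; the request carrying `Host: www.google.com` is left alone because its source port is the client's ephemeral port. `nocase` makes both "Google" and "GOOGLE" match, and the constructor refuses a replacement of a different length, since an inline rewrite must not change the segment size.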