Greetings,
I am currently coming to terms with snort-inline with NFQUEUE.
Running Fedora9's configure and make for "snort" with --enable-inline and --enable-nfnetlink (etc.) seems to work fine (save for a problem with doc/Makefile.in being missing).
The added firewall rules (for testing):
iptables -t filter -I RH-Firewall-1-INPUT 1 -i lo -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 99
iptables -t filter -I RH-Firewall-1-INPUT 1 -i lo -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 99
iptables -t filter -I RH-Firewall-1-INPUT 1 -i lo -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 77
With "modprobe ip_queue; modprobe nfnetlink_queue" and "snort-inline -dv -Q" it works perfectly.
# iptables-save | grep queue
[10:1967] -A RH-Firewall-1-INPUT -i lo -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 77
[14:2183] -A RH-Firewall-1-INPUT -i lo -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 88
[48:5989] -A RH-Firewall-1-INPUT -i lo -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 99
Then I browse http://localhost and get:
# iptables-save | grep queue
[21:3994] -A RH-Firewall-1-INPUT -i lo -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 77
[14:2183] -A RH-Firewall-1-INPUT -i lo -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 88
[48:5989] -A RH-Firewall-1-INPUT -i lo -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 99
It appears the --queue-num 77 is being used.
The questions:
* How do I get snort-inline listening to a specific NFQUEUE --queue-num?
* I googled a bit, maybe there is a document that can give me a hint?
Thanks
NevilleDNZ
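The counter comparison done by hand above can be scripted; this added example (not part of the original post or of snort-inline) diffs two iptables-save snapshots and reports which NFQUEUE rule's packet counter actually moved. Since NFQUEUE ends chain traversal for a matching packet and "-I ... 1" puts the most recently inserted rule first, only the rule at the top of the chain (queue-num 77 here) ever sees the traffic. The snapshot text is constructed from the post's own output.

```shell
#!/bin/sh
# Added example: find which NFQUEUE rule(s) matched between two
# iptables-save snapshots by comparing per-rule packet counters.

# Constructed sample snapshots mirroring the counters in the post.
BEFORE='[10:1967] -A RH-Firewall-1-INPUT -i lo -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 77
[14:2183] -A RH-Firewall-1-INPUT -i lo -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 88
[48:5989] -A RH-Firewall-1-INPUT -i lo -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 99'
AFTER='[21:3994] -A RH-Firewall-1-INPUT -i lo -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 77
[14:2183] -A RH-Firewall-1-INPUT -i lo -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 88
[48:5989] -A RH-Firewall-1-INPUT -i lo -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 99'

# queue_counts "<snapshot>" -> one line "<queue-num> <packets>" per NFQUEUE rule.
# The leading "[pkts:bytes]" field is what "iptables-save -c" emits.
queue_counts() {
    printf '%s\n' "$1" | awk '
        /-j NFQUEUE/ {
            split($1, c, ":")            # c[1] = "[pkts", c[2] = "bytes]"
            pkts = substr(c[1], 2)       # drop the leading "["
            for (i = 1; i <= NF; i++)
                if ($i == "--queue-num") print $(i + 1), pkts
        }'
}

# active_queues "<before>" "<after>" -> queue numbers whose packet count grew.
# Tags the two listings (B/A) and lets awk compare them in a single pass.
active_queues() {
    {
        queue_counts "$1" | sed 's/^/B /'
        queue_counts "$2" | sed 's/^/A /'
    } | awk '$1 == "B" { b[$2] = $3 }
             $1 == "A" && $3 > b[$2] { print $2 }'
}

active_queues "$BEFORE" "$AFTER"   # prints: 77
```

On a live box, take the snapshots with "iptables-save -c" before and after generating traffic; a queue number that never appears in the output is one snort-inline will never be fed packets from that chain, whatever queue it listens on.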