IPS rules http not match in NFQUEUE

josep_maria_bella · August 3, 2024, 5:19am

Hello,

I am a professor and I am designing a practical exercise for students where they will use Suricata to block traffic that exploits application vulnerabilities like SQL Injection. The goal is for them to learn how to create their own rules.

I have configured Suricata using nfqueue and everything seems to be working. However, when I start creating rules, it appears that nfqueue does not detect alerts that af_packet does. Moreover, a simple rule is detected when using nfqueue.

My issue is that rules involving http.uri, http_uri, uricontent, etc., do not work with nfqueue but work fine with af_packet.

For example, I want to detect if someone accesses the web page http://172.20.120.254/admin.php.

Here are the rules that work and are detected correctly:

alert tcp any any -> any any (msg:"WORKS 1"; sid: 999001; rev:1;)
alert tcp any any -> any any (msg:"WORKS 2"; content:"admin.php"; sid:173031; rev:1;)

But these do not (works only on af_packet configuration):

alert tcp any any -> any any (msg:"NOT WORKS 1"; content:"admin.php"; http_uri; sid:172031; rev:1;)
alert tcp any any -> any any (msg:"NOT WORKS 2"; uricontent:"admin.php"; sid:172032; rev:1;)
alert tcp any any -> any any (msg:"NOT WORKS 3"; content:"admin.php"; http_header; sid:172033; rev:1;)
alert tcp any any -> any any (msg:"NOT WORKS 4"; http.uri; content:"admin.php"; sid:172034; rev:1;)

Do you know what might be happening? Or where could I find information about this?

Thank you very much, JB

Andreas_Herz · August 7, 2024, 8:10pm

What version of Suricata do you run?
Also post the suricata.yaml, the run commands (for both the nfqueue and the af_packet scenario) alongside stats.log and suricata.log so we can do a basic check on that.
Please post the netfilter config part as well, maybe not all packets are actually going through the correct path.

josep_maria_bella · August 8, 2024, 3:38am

Regards,
First of all, thank you very much for answering, I will put everything you ask me.

This Suricata suricata version 7.0.6, works in Apache Proxy, listen on enp3s0 (172.20.119.254/24) and send to enp4s0 (172.20.120.1/24):

<Proxy balancer://mycluster>
    BalancerMember http://172.20.120.100:1337 loadfactor=1
    ProxySet lbmethod=byrequests
</Proxy>

/etc/default/suricata:

RUN=yes
RUN_AS_USER=
SURCONF=/etc/suricata/suricata.yaml
LISTENMODE=nfqueue
IFACE=enp4s0
NFQUEUE="-q 0"
CUSTOM_NFQUEUE="-q 0 -q 1 -q 2 -q 3"
PIDFILE=/var/run/suricata.pid

/etc/ufw/before.rules:

-A ufw-before-output -o enp4s0 -j NFQUEUE --queue-num 0

I supose that i need to put most important settings:

/etc/suricata.yamls:

vars:
  address-groups:
    HOME_NET: "[172.20.120.0/24]"
    EXTERNAL_NET: "!$HOME_NET"
default-log-dir: /var/log/suricata/
outputs:
  - fast:
      enabled: yes
      filename: fast.log
      append: yes
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

  - eve-log:
      enabled: yes
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: eve.json
      level: Debug
     types:
        - alert:
            payload: yes            
            payload-buffer-size: 4kb 
            payload-printable: yes   
            packet: yes              
            metadata: no             
            http-body: yes           
            http-body-printable: yes 
            http: yes
            tagged-packets: yes
        - http:
            extended: yes 
            dump-all-headers: both
 - http-log:
      enabled: yes
      filename: http.log
      append: yes
- stats:
      enabled: yes
      filename: stats.log
      append: yes       # append to file (yes) or overwrite it (no)
      totals: yes       # stats for all threads merged together
      threads: no       # per thread stats
- stats:
      enabled: yes
      filename: stats.log
      append: yes    
      totals: yes       
      threads: no      
af-packet:
  - interface: enp4s0
    cluster-id: 99
    cluster-type: cluster_flow
    use-mmap: yes
    defrag: yes
    tpacket-v3: yes
app-layer:
  protocols:
    http2:
      enabled: yes
    http:
      enabled: yes
      libhtp:
         default-config:
           personality: IPS

           request-body-limit: 100kb
           response-body-limit: 100kb

           # inspection limits
           request-body-minimal-inspect-size: 32kb
           request-body-inspect-window: 4kb
           response-body-minimal-inspect-size: 40kb
           response-body-inspect-window: 16kb

           response-body-decompress-layer-limit: 2

           http-body-inline: yes

           swf-decompression:
             enabled: no
             type: both
             compress-depth: 100kb
             decompress-depth: 100kb

### The other settings are all in default mode

/var/lib/suricata/rules/local.rules:

alert tcp any any -> 172.20.120.100 1337 (msg:"WORKS 1"; sid: 999001; rev:1;)
alert tcp any any -> 172.20.120.100 1337 (msg:"WORKS 2"; content:"admin.php"; sid:172031; rev:1;)

alert tcp any any -> 172.20.120.100 1337 (msg:"NOT WORKS 1"; content:"admin.php"; http_uri; sid:173031; rev:1;)
alert tcp any any -> 172.20.120.100 1337 (msg:"NOT WORKS 2"; uricontent:"admin.php"; sid:173032; rev:1;)
alert tcp any any -> 172.20.120.100 1337 (msg:"NOT WORKS 4"; http.uri; content:"admin.php"; sid:132034; rev:1;)

With NFQUEUE only tiggered two first /var/log/suricata/eve.json:

{"timestamp":"2024-08-08T05:53:15.646993+0200","flow_id":1089966895035876,"event_type":"alert","src_ip":"172.20.120.1","src_port":35622,"dest_ip":"172.20.120.100","dest_port":1337,"proto":"TCP","pkt_src":"wire/pcap","alert":{"action":"allowed","gid":1,"signature_id":999001,"rev":1,"signature":"WORKS 1","category":"","severity":3},"direction":"to_server","payload_printable":"","stream":0,"packet":"RQAAPIA9QABABnHwrBR4AawUeGSLJgU5zGFzswAAAACgAvrwDO4AAAIEBbQEAggK2SJN+wAAAAABAwMH","packet_info":{"linktype":12}}

{"timestamp":"2024-08-08T05:53:15.651715+0200","flow_id":1089966895035876,"event_type":"alert","src_ip":"172.20.120.1","src_port":35622,"dest_ip":"172.20.120.100","dest_port":1337,"proto":"TCP","pkt_src":"wire/pcap","alert":{"action":"allowed","gid":1,"signature_id":172031,"rev":1,"signature":"WORKS 2","category":"","severity":3},"direction":"to_server","payload":"R0VUIC9jc3MvYWRtaW4uY3NzIEhUVFAvMS4xDQpIb3N0OiAxNzIuMjAuMTIwLjEwMDoxMzM3DQpVc2VyLUFnZW50OiBNb3ppbGxhLzUuMCAoWDExOyBMaW51eCB4ODZfNjQ7IHJ2OjEyOC4wKSBHZWNrby8yMDEwMDEwMSBGaXJlZm94LzEyOC4wDQpBY2NlcHQ6IHRleHQvY3NzLCovKjtxPTAuMQ0KQWNjZXB0LUxhbmd1YWdlOiBlbi1VUyxlbjtxPTAuNQ0KQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlDQpSZWZlcmVyOiBodHRwOi8vMTcyLjIwLjExOS4yNTQvYWRtaW4ucGhwDQpETlQ6IDENClByaW9yaXR5OiB1PTINClByYWdtYTogbm8tY2FjaGUNCkNhY2hlLUNvbnRyb2w6IG5vLWNhY2hlDQpYLUZvcndhcmRlZC1Gb3I6IDE3Mi4yMC4xMTkuMjAwDQpYLUZvcndhcmRlZC1Ib3N0OiAxNzIuMjAuMTE5LjI1NA0KWC1Gb3J3YXJkZWQtU2VydmVyOiAxMjcuMC4xLjENCkNvbm5lY3Rpb246IEtlZXAtQWxpdmUNCg0K","payload_printable":"GET /css/admin.css HTTP/1.1\r\nHost: 172.20.120.100:1337\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0\r\nAccept: text/css,*/*;q=0.1\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://172.20.119.254/admin.php\r\nDNT: 1\r\nPriority: u=2\r\nPragma: no-cache\r\nCache-Control: no-cache\r\nX-Forwarded-For: 172.20.119.200\r\nX-Forwarded-Host: 172.20.119.254\r\nX-Forwarded-Server: 127.0.1.1\r\nConnection: Keep-Alive\r\n\r\n","stream":0,"packet":"RQACBYBBQABABnAjrBR4AawUeGSLJgU5zGF1ldgR8zuAGAH18IwAAAEBCArZIk4AK4bmTUdFVCAvY3NzL2FkbWluLmNzcyBIVFRQLzEuMQ0KSG9zdDogMTcyLjIwLjEyMC4xMDA6MTMzNw0KVXNlci1BZ2VudDogTW96aWxsYS81LjAgKFgxMTsgTGludXggeDg2XzY0OyBydjoxMjguMCkgR2Vja28vMjAxMDAxMDEgRmlyZWZveC8xMjguMA0KQWNjZXB0OiB0ZXh0L2NzcywqLyo7cT0wLjENCkFjY2VwdC1MYW5ndWFnZTogZW4tVVMsZW47cT0wLjUNCkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQ0KUmVmZXJlcjogaHR0cDovLzE3Mi4yMC4xMTkuMjU0L2FkbWluLnBocA0KRE5UOiAxDQpQcmlvcml0eTogdT0yDQpQcmFnbWE6IG5vLWNhY2hlDQpDYWNoZS1Db250cm9sOiBuby1jYWNoZQ0KWC1Gb3J3YXJkZWQtRm9yOiAxNzIuMjAuMTE5LjIwMA0KWC1Gb3J3YXJkZWQtSG9zdDogMTcyLjIwLjExOS4yNTQNClgtRm9yd2FyZGVkLVNlcnZlcjogMTI3LjAuMS4xDQpDb25uZWN0aW9uOiBLZWVwLUFsaXZlDQoNCg==","packet_info":{"linktype":12}}

And /var/log/suricata/http.log is empty, is possible this is an error? And the other 4 rules should writed here?

AF_PACKET config:
Only change on /etc/default/suricata:

LISTENMODE=af-packet

and comment #-A ufw-before-output -o enp4s0 -j NFQUEUE --queue-num 0 on rules ufw.

restart, and /var/log/suricata/eve.json:

{"timestamp":"2024-08-08T06:07:50.378287+0200","flow_id":1906206277821744,"in_iface":"enp4s0","event_type":"alert","src_ip":"172.20.120.1","src_port":57570,"dest_ip":"172.20.120.100","dest_port":1337,"proto":"TCP","pkt_src":"wire/pcap","alert":{"action":"allowed","gid":1,"signature_id":999001,"rev":1,"signature":"WORKS 1","category":"","severity":3},"direction":"to_server","payload_printable":"","stream":0,"packet":"UlQAQBiQUlQAdbZHCABFAAA8nU1AAEAGVOCsFHgBrBR4ZODiBTnJ0uSxAAAAAKAC+vBIvQAAAgQFtAQCCArZL6bmAAAAAAEDAwc=","packet_info":{"linktype":1}}
{"timestamp":"2024-08-08T06:07:50.384747+0200","flow_id":1906206277821744,"in_iface":"enp4s0","event_type":"http","src_ip":"172.20.120.1","src_port":57570,"dest_ip":"172.20.120.100","dest_port":1337,"proto":"TCP","pkt_src":"wire/pcap","tx_id":0,"http":{"hostname":"172.20.119.254","url":"/","http_user_agent":"Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0","xff":"172.20.119.200","http_content_type":"text/html","http_method":"GET","protocol":"HTTP/1.1","status":200,"length":340,"request_headers":[{"name":"Host","value":"172.20.119.254"},{"name":"User-Agent","value":"Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"},{"name":"Accept","value":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8"},{"name":"Accept-Language","value":"en-US,en;q=0.5"},{"name":"Accept-Encoding","value":"gzip, deflate, br, zstd"},{"name":"DNT","value":"1"},{"name":"Cookie","value":"PHPSESSID=plim66scse51iiqfg3esvj8l36"},{"name":"Upgrade-Insecure-Requests","value":"1"},{"name":"Sec-Fetch-Dest","value":"document"},{"name":"Sec-Fetch-Mode","value":"navigate"},{"name":"Sec-Fetch-Site","value":"none"},{"name":"Sec-Fetch-User","value":"?1"},{"name":"Priority","value":"u=0, i"},{"name":"X-Forwarded-For","value":"172.20.119.200"},{"name":"X-Forwarded-Host","value":"172.20.119.254"},{"name":"X-Forwarded-Server","value":"127.0.1.1"},{"name":"Connection","value":"Keep-Alive"}],"response_headers":[{"name":"Date","value":"Thu, 08 Aug 2024 04:07:50 GMT"},{"name":"Server","value":"Apache/2.4.29 (Ubuntu)"},{"name":"Vary","value":"Accept-Encoding"},{"name":"Content-Encoding","value":"gzip"},{"name":"Content-Length","value":"340"},{"name":"Keep-Alive","value":"timeout=5, max=100"},{"name":"Connection","value":"Keep-Alive"},{"name":"Content-Type","value":"text/html; charset=UTF-8"}]}}

{"timestamp":"2024-08-08T06:07:54.250996+0200","flow_id":1906206277821744,"in_iface":"enp4s0","event_type":"alert","src_ip":"172.20.120.1","src_port":57570,"dest_ip":"172.20.120.100","dest_port":1337,"proto":"TCP","pkt_src":"wire/pcap","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":173031,"rev":1,"signature":"NOT WORKS 1","category":"","severity":3},"app_proto":"http","direction":"to_server","payload":"R0VUIC8gSFRUUC8xLjENCkhvc3Q6IDE3Mi4yMC4xMTkuMjU0DQpVc2VyLUFnZW50OiBNb3ppbGxhLzUuMCAoWDExOyBMaW51eCB4ODZfNjQ7IHJ2OjEyOC4wKSBHZWNrby8yMDEwMDEwMSBGaXJlZm94LzEyOC4wDQpBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LGltYWdlL2F2aWYsaW1hZ2Uvd2VicCxpbWFnZS9wbmcsaW1hZ2Uvc3ZnK3htbCwqLyo7cT0wLjgNCkFjY2VwdC1MYW5ndWFnZTogZW4tVVMsZW47cT0wLjUNCkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZSwgYnIsIHpzdGQNCkROVDogMQ0KQ29va2llOiBQSFBTRVNTSUQ9cGxpbTY2c2NzZTUxaWlxZmczZXN2ajhsMzYNClVwZ3JhZGUtSW5zZWN1cmUtUmVxdWVzdHM6IDENClNlYy1GZXRjaC1EZXN0OiBkb2N1bWVudA0KU2VjLUZldGNoLU1vZGU6IG5hdmlnYXRlDQpTZWMtRmV0Y2gtU2l0ZTogbm9uZQ0KU2VjLUZldGNoLVVzZXI6ID8xDQpQcmlvcml0eTogdT0wLCBpDQpYLUZvcndhcmRlZC1Gb3I6IDE3Mi4yMC4xMTkuMjAwDQpYLUZvcndhcmRlZC1Ib3N0OiAxNzIuMjAuMTE5LjI1NA0KWC1Gb3J3YXJkZWQtU2VydmVyOiAxMjcuMC4xLjENCkNvbm5lY3Rpb246IEtlZXAtQWxpdmUNCg0KR0VUIC9hZG1pbi5waHAgSFRUUC8xLjENCkhvc3Q6IDE3Mi4yMC4xMTkuMjU0DQpVc2VyLUFnZW50OiBNb3ppbGxhLzUuMCAoWDExOyBMaW51eCB4ODZfNjQ7IHJ2OjEyOC4wKSBHZWNrby8yMDEwMDEwMSBGaXJlZm94LzEyOC4wDQpBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LGltYWdlL2F2aWYsaW1hZ2Uvd2VicCxpbWFnZS9wbmcsaW1hZ2Uvc3ZnK3htbCwqLyo7cT0wLjgNCkFjY2VwdC1MYW5ndWFnZTogZW4tVVMsZW47cT0wLjUNCkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZSwgYnIsIHpzdGQNClJlZmVyZXI6IGh0dHBzOi8vMTcyLjIwLjExOS4yNTQvDQpETlQ6IDENCkNvb2tpZTogUEhQU0VTU0lEPXBsaW02NnNjc2U1MWlpcWZnM2Vzdmo4bDM2DQpVcGdyYWRlLUluc2VjdXJlLVJlcXVlc3RzOiAxDQpTZWMtRmV0Y2gtRGVzdDogZG9jdW1lbnQNClNlYy1GZXRjaC1Nb2RlOiBuYXZpZ2F0ZQ0KU2VjLUZldGNoLVNpdGU6IHNhbWUtb3JpZ2luDQpTZWMtRmV0Y2gtVXNlcjogPzENClByaW9yaXR5OiB1PTAsIGkNClgtRm9yd2FyZGVkLUZvcjogMTcyLjIwLjExOS4yMDANClgtRm9yd2FyZGVkLUhvc3Q6IDE3Mi4yMC4xMTkuMjU0DQpYLUZvcndhcmRlZC1TZXJ2ZXI6IDEyNy4wLjEuMQ0KQ29ubmVjdGlvbjogS2VlcC1BbGl2ZQ0KDQo=","payload_printable":"GET / HTTP/1.1\r\nHost: 172.20.119.254\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br, zstd\r\nDNT: 1\r\nCookie: PHPSESSID=plim66scse51iiqfg3esvj8l36\r\nUpgrade-Insecure-Requests: 1\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: none\r\nSec-Fetch-User: ?1\r\nPriority: u=0, i\r\nX-Forwarded-For: 172.20.119.200\r\nX-Forwarded-Host: 172.20.119.254\r\nX-Forwarded-Server: 127.0.1.1\r\nConnection: Keep-Alive\r\n\r\nGET /admin.php HTTP/1.1\r\nHost: 172.20.119.254\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br, zstd\r\nReferer: https://172.20.119.254/\r\nDNT: 1\r\nCookie: PHPSESSID=plim66scse51iiqfg3esvj8l36\r\nUpgrade-Insecure-Requests: 1\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: same-origin\r\nSec-Fetch-User: ?1\r\nPriority: u=0, i\r\nX-Forwarded-For: 172.20.119.200\r\nX-Forwarded-Host: 172.20.119.254\r\nX-Forwarded-Server: 127.0.1.1\r\nConnection: Keep-Alive\r\n\r\n","stream":1,"packet":"UlQAQBiQUlQAdbZHCABFAAA0nVJAAEAGVOOsFHgBrBR4ZODiBTnJ0uncUnjpbIAQAfVItQAAAQEICtkvtgcrlE5U","packet_info":{"linktype":1}}
{"timestamp":"2024-08-08T06:07:54.250996+0200","flow_id":1906206277821744,"in_iface":"enp4s0","event_type":"alert","src_ip":"172.20.120.1","src_port":57570,"dest_ip":"172.20.120.100","dest_port":1337,"proto":"TCP","pkt_src":"wire/pcap","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":173032,"rev":1,"signature":"NOT WORKS 2","category":"","severity":3},"app_proto":"http","direction":"to_server","payload":"R0VUIC8gSFRUUC8xLjENCkhvc3Q6IDE3Mi4yMC4xMTkuMjU0DQpVc2VyLUFnZW50OiBNb3ppbGxhLzUuMCAoWDExOyBMaW51eCB4ODZfNjQ7IHJ2OjEyOC4wKSBHZWNrby8yMDEwMDEwMSBGaXJlZm94LzEyOC4wDQpBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LGltYWdlL2F2aWYsaW1hZ2Uvd2VicCxpbWFnZS9wbmcsaW1hZ2Uvc3ZnK3htbCwqLyo7cT0wLjgNCkFjY2VwdC1MYW5ndWFnZTogZW4tVVMsZW47cT0wLjUNCkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZSwgYnIsIHpzdGQNCkROVDogMQ0KQ29va2llOiBQSFBTRVNTSUQ9cGxpbTY2c2NzZTUxaWlxZmczZXN2ajhsMzYNClVwZ3JhZGUtSW5zZWN1cmUtUmVxdWVzdHM6IDENClNlYy1GZXRjaC1EZXN0OiBkb2N1bWVudA0KU2VjLUZldGNoLU1vZGU6IG5hdmlnYXRlDQpTZWMtRmV0Y2gtU2l0ZTogbm9uZQ0KU2VjLUZldGNoLVVzZXI6ID8xDQpQcmlvcml0eTogdT0wLCBpDQpYLUZvcndhcmRlZC1Gb3I6IDE3Mi4yMC4xMTkuMjAwDQpYLUZvcndhcmRlZC1Ib3N0OiAxNzIuMjAuMTE5LjI1NA0KWC1Gb3J3YXJkZWQtU2VydmVyOiAxMjcuMC4xLjENCkNvbm5lY3Rpb246IEtlZXAtQWxpdmUNCg0KR0VUIC9hZG1pbi5waHAgSFRUUC8xLjENCkhvc3Q6IDE3Mi4yMC4xMTkuMjU0DQpVc2VyLUFnZW50OiBNb3ppbGxhLzUuMCAoWDExOyBMaW51eCB4ODZfNjQ7IHJ2OjEyOC4wKSBHZWNrby8yMDEwMDEwMSBGaXJlZm94LzEyOC4wDQpBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LGltYWdlL2F2aWYsaW1hZ2Uvd2VicCxpbWFnZS9wbmcsaW1hZ2Uvc3ZnK3htbCwqLyo7cT0wLjgNCkFjY2VwdC1MYW5ndWFnZTogZW4tVVMsZW47cT0wLjUNCkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZSwgYnIsIHpzdGQNClJlZmVyZXI6IGh0dHBzOi8vMTcyLjIwLjExOS4yNTQvDQpETlQ6IDENCkNvb2tpZTogUEhQU0VTU0lEPXBsaW02NnNjc2U1MWlpcWZnM2Vzdmo4bDM2DQpVcGdyYWRlLUluc2VjdXJlLVJlcXVlc3RzOiAxDQpTZWMtRmV0Y2gtRGVzdDogZG9jdW1lbnQNClNlYy1GZXRjaC1Nb2RlOiBuYXZpZ2F0ZQ0KU2VjLUZldGNoLVNpdGU6IHNhbWUtb3JpZ2luDQpTZWMtRmV0Y2gtVXNlcjogPzENClByaW9yaXR5OiB1PTAsIGkNClgtRm9yd2FyZGVkLUZvcjogMTcyLjIwLjExOS4yMDANClgtRm9yd2FyZGVkLUhvc3Q6IDE3Mi4yMC4xMTkuMjU0DQpYLUZvcndhcmRlZC1TZXJ2ZXI6IDEyNy4wLjEuMQ0KQ29ubmVjdGlvbjogS2VlcC1BbGl2ZQ0KDQo=","payload_printable":"GET / HTTP/1.1\r\nHost: 172.20.119.254\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br, zstd\r\nDNT: 1\r\nCookie: PHPSESSID=plim66scse51iiqfg3esvj8l36\r\nUpgrade-Insecure-Requests: 1\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: none\r\nSec-Fetch-User: ?1\r\nPriority: u=0, i\r\nX-Forwarded-For: 172.20.119.200\r\nX-Forwarded-Host: 172.20.119.254\r\nX-Forwarded-Server: 127.0.1.1\r\nConnection: Keep-Alive\r\n\r\nGET /admin.php HTTP/1.1\r\nHost: 172.20.119.254\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br, zstd\r\nReferer: https://172.20.119.254/\r\nDNT: 1\r\nCookie: PHPSESSID=plim66scse51iiqfg3esvj8l36\r\nUpgrade-Insecure-Requests: 1\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: same-origin\r\nSec-Fetch-User: ?1\r\nPriority: u=0, i\r\nX-Forwarded-For: 172.20.119.200\r\nX-Forwarded-Host: 172.20.119.254\r\nX-Forwarded-Server: 127.0.1.1\r\nConnection: Keep-Alive\r\n\r\n","stream":1,"packet":"UlQAQBiQUlQAdbZHCABFAAA0nVJAAEAGVOOsFHgBrBR4ZODiBTnJ0uncUnjpbIAQAfVItQAAAQEICtkvtgcrlE5U","packet_info":{"linktype":1}}
{"timestamp":"2024-08-08T06:07:54.250996+0200","flow_id":1906206277821744,"in_iface":"enp4s0","event_type":"alert","src_ip":"172.20.120.1","src_port":57570,"dest_ip":"172.20.120.100","dest_port":1337,"proto":"TCP","pkt_src":"wire/pcap","tx_id":1,"alert":{"action":"allowed","gid":1,"signature_id":132034,"rev":1,"signature":"NOT WORKS 4","category":"","severity":3},"app_proto":"http","direction":"to_server","payload":"R0VUIC8gSFRUUC8xLjENCkhvc3Q6IDE3Mi4yMC4xMTkuMjU0DQpVc2VyLUFnZW50OiBNb3ppbGxhLzUuMCAoWDExOyBMaW51eCB4ODZfNjQ7IHJ2OjEyOC4wKSBHZWNrby8yMDEwMDEwMSBGaXJlZm94LzEyOC4wDQpBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LGltYWdlL2F2aWYsaW1hZ2Uvd2VicCxpbWFnZS9wbmcsaW1hZ2Uvc3ZnK3htbCwqLyo7cT0wLjgNCkFjY2VwdC1MYW5ndWFnZTogZW4tVVMsZW47cT0wLjUNCkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZSwgYnIsIHpzdGQNCkROVDogMQ0KQ29va2llOiBQSFBTRVNTSUQ9cGxpbTY2c2NzZTUxaWlxZmczZXN2ajhsMzYNClVwZ3JhZGUtSW5zZWN1cmUtUmVxdWVzdHM6IDENClNlYy1GZXRjaC1EZXN0OiBkb2N1bWVudA0KU2VjLUZldGNoLU1vZGU6IG5hdmlnYXRlDQpTZWMtRmV0Y2gtU2l0ZTogbm9uZQ0KU2VjLUZldGNoLVVzZXI6ID8xDQpQcmlvcml0eTogdT0wLCBpDQpYLUZvcndhcmRlZC1Gb3I6IDE3Mi4yMC4xMTkuMjAwDQpYLUZvcndhcmRlZC1Ib3N0OiAxNzIuMjAuMTE5LjI1NA0KWC1Gb3J3YXJkZWQtU2VydmVyOiAxMjcuMC4xLjENCkNvbm5lY3Rpb246IEtlZXAtQWxpdmUNCg0KR0VUIC9hZG1pbi5waHAgSFRUUC8xLjENCkhvc3Q6IDE3Mi4yMC4xMTkuMjU0DQpVc2VyLUFnZW50OiBNb3ppbGxhLzUuMCAoWDExOyBMaW51eCB4ODZfNjQ7IHJ2OjEyOC4wKSBHZWNrby8yMDEwMDEwMSBGaXJlZm94LzEyOC4wDQpBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LGltYWdlL2F2aWYsaW1hZ2Uvd2VicCxpbWFnZS9wbmcsaW1hZ2Uvc3ZnK3htbCwqLyo7cT0wLjgNCkFjY2VwdC1MYW5ndWFnZTogZW4tVVMsZW47cT0wLjUNCkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZSwgYnIsIHpzdGQNClJlZmVyZXI6IGh0dHBzOi8vMTcyLjIwLjExOS4yNTQvDQpETlQ6IDENCkNvb2tpZTogUEhQU0VTU0lEPXBsaW02NnNjc2U1MWlpcWZnM2Vzdmo4bDM2DQpVcGdyYWRlLUluc2VjdXJlLVJlcXVlc3RzOiAxDQpTZWMtRmV0Y2gtRGVzdDogZG9jdW1lbnQNClNlYy1GZXRjaC1Nb2RlOiBuYXZpZ2F0ZQ0KU2VjLUZldGNoLVNpdGU6IHNhbWUtb3JpZ2luDQpTZWMtRmV0Y2gtVXNlcjogPzENClByaW9yaXR5OiB1PTAsIGkNClgtRm9yd2FyZGVkLUZvcjogMTcyLjIwLjExOS4yMDANClgtRm9yd2FyZGVkLUhvc3Q6IDE3Mi4yMC4xMTkuMjU0DQpYLUZvcndhcmRlZC1TZXJ2ZXI6IDEyNy4wLjEuMQ0KQ29ubmVjdGlvbjogS2VlcC1BbGl2ZQ0KDQo=","payload_printable":"GET / HTTP/1.1\r\nHost: 172.20.119.254\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br, zstd\r\nDNT: 1\r\nCookie: PHPSESSID=plim66scse51iiqfg3esvj8l36\r\nUpgrade-Insecure-Requests: 1\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: none\r\nSec-Fetch-User: ?1\r\nPriority: u=0, i\r\nX-Forwarded-For: 172.20.119.200\r\nX-Forwarded-Host: 172.20.119.254\r\nX-Forwarded-Server: 127.0.1.1\r\nConnection: Keep-Alive\r\n\r\nGET /admin.php HTTP/1.1\r\nHost: 172.20.119.254\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br, zstd\r\nReferer: https://172.20.119.254/\r\nDNT: 1\r\nCookie: PHPSESSID=plim66scse51iiqfg3esvj8l36\r\nUpgrade-Insecure-Requests: 1\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: same-origin\r\nSec-Fetch-User: ?1\r\nPriority: u=0, i\r\nX-Forwarded-For: 172.20.119.200\r\nX-Forwarded-Host: 172.20.119.254\r\nX-Forwarded-Server: 127.0.1.1\r\nConnection: Keep-Alive\r\n\r\n","stream":1,"packet":"UlQAQBiQUlQAdbZHCABFAAA0nVJAAEAGVOOsFHgBrBR4ZODiBTnJ0uncUnjpbIAQAfVItQAAAQEICtkvtgcrlE5U","packet_info":{"linktype":1}}

Have you an idea whats happend?

Thanks thanks thanks

vjulien · August 8, 2024, 5:45am

In your iptables rules you need to make sure that both sides of the traffic are sent to the same nfqueue. The listed rule suggests only “output” traffic, so “input” may be missing?

josep_maria_bella · August 10, 2024, 4:20am

OMG!!! Thanks

Now it’s working.

I wrote

-A ufw-before-output -o enp4s0 -j NFQUEUE --queue-num 0
-A ufw-before-input -i enp4s0 -j NFQUEUE --queue-num 0

Thanks!
JB

Topic		Replies	Views
Rule using http does not matching get request Rules	2	1174	January 18, 2022
Issues with Suricata Working as IDPS Help ips , rules	3	213	November 4, 2024
Is there any way in a rule to match a packet marked by iptables? Rules ips , rules	1	141	July 31, 2024
[SOLVED] NFQUEUE bypassing UFW rules Help	2	31	November 28, 2024
Suricata don't reject http/ssh Help ips	2	675	March 16, 2023

IPS rules http not match in NFQUEUE

Related topics