I use Snort with NFQ on Slackware 14.1.
And my firewall file is
Code:
iptables -A OUTPUT -p tcp --sport 3389 -s 192.168.1.1 -j DROP
iptables -A INPUT -p tcp --dport 3389 -d 192.168.1.1 -j DROP
iptables -A OUTPUT -p udp --sport 3389 -s 192.168.1.1 -j DROP
iptables -A INPUT -p udp --dport 3389 -d 192.168.1.1 -j DROP
iptables -A OUTPUT -p tcp --dport 3389 -s 192.168.1.1 -j DROP
iptables -A INPUT -p tcp --sport 3389 -d 192.168.1.1 -j DROP
iptables -A OUTPUT -p udp --dport 3389 -s 192.168.1.1 -j DROP
iptables -A INPUT -p udp --sport 3389 -d 192.168.1.1 -j DROP
.
.
iptables -A INPUT -p tcp --sport 80 -m state -j NFQUEUE --queue-num 0
.
and one rule in local.rules is
Code:
drop ip any any -> $HOME_NET 3389 (msg:"drop win-rdp"; sid:1000040; rev:1;)
Then, when I access the web over HTTP, Snort's alert file shows
Code:
[**] [1:1000040:1]
drop win-rdp [**]
[Priority: 0]
05/16-08:31:48.208168 ***.***.***.***:80 -> my ipaddress:51586
TCP TTL:229 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0x8F463DDB Ack: 0x44F9656C Win: 0x68DF TcpLen: 40
TCP Options (5) => MSS: 1414 SackOK TS: 9239319 657280 NOP WS: 8
and so on
Why could Snort catch 3389, and where did 3389 come through,
given that I access port 80 and the firewall even blocks 3389?
Thanks.
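Added example, not part of the original post: a small Python check that parses the posted local.rules line and the alert record and reports which rule fields the logged packet actually satisfies, which is a quick way to confirm the port mismatch the post describes; the addresses are documentation IPs standing in for the redacted ones.

```python
import re

# Constructed copies of the local.rules line and the alert header from the post,
# with the redacted addresses replaced by documentation IPs.
RULE = 'drop ip any any -> $HOME_NET 3389 (msg:"drop win-rdp"; sid:1000040; rev:1;)'
ALERT = """[**] [1:1000040:1] drop win-rdp [**]
[Priority: 0]
05/16-08:31:48.208168 203.0.113.5:80 -> 192.0.2.10:51586
TCP TTL:229 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF
"""

RULE_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$')
SID_RE = re.compile(r'\[(\d+):(\d+):(\d+)\]')
FLOW_RE = re.compile(r'^\S+\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$', re.M)
PROTO_RE = re.compile(r'^(TCP|UDP|ICMP)\s+TTL:', re.M)

def parse_rule(line):
    """Split a Snort rule header into the fields needed for port checking."""
    action, proto, src, sport, dst, dport, opts = RULE_RE.match(line).groups()
    sid = int(re.search(r'sid:(\d+)', opts).group(1))
    return {'action': action, 'proto': proto, 'sport': sport, 'dport': dport, 'sid': sid}

def parse_alert(text):
    """Pull sid, addresses, ports and protocol out of a full-format alert record."""
    gid, sid, rev = (int(x) for x in SID_RE.search(text).groups())
    src, sport, dst, dport = FLOW_RE.search(text).groups()
    proto = PROTO_RE.search(text).group(1).lower()
    return {'sid': sid, 'src': src, 'sport': int(sport),
            'dst': dst, 'dport': int(dport), 'proto': proto}

def port_matches(spec, port):
    """Does a rule port spec ('any', '3389', '1024:65535', '1024:') cover this port?"""
    if spec == 'any':
        return True
    if ':' in spec:
        lo, hi = spec.split(':')
        return int(lo or 1) <= port <= int(hi or 65535)
    return int(spec) == port

def explain(rule_line, alert_text):
    """Compare what the rule header says with what the alert actually logged."""
    rule, alert = parse_rule(rule_line), parse_alert(alert_text)
    return {
        'sid_matches': rule['sid'] == alert['sid'],
        'dport_matches': port_matches(rule['dport'], alert['dport']),
        'sport_matches': port_matches(rule['sport'], alert['sport']),
        'rule_proto': rule['proto'],
        'alert_proto': alert['proto'],
    }

if __name__ == '__main__':
    print(explain(RULE, ALERT))
```

For the posted data the result shows the sid matching while the destination port does not, so the next thing to inspect is the rule header itself (an `ip` protocol rule) rather than the firewall.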