I have set the following rules in iptables:
sudo iptables -I INPUT -i eth0 -p tcp -s 192.168.37.184 -j NFQUEUE
sudo iptables -I OUTPUT -p tcp --dport 3306 -j NFQUEUE
What I want to do is forward all MySQL traffic to NFQ and detect it in Suricata, but these iptables rules are not working as expected: only part of the data in NFQ goes into Suricata (or only part of the data goes into NFQ). But when I set the following iptables rules:
sudo iptables -I INPUT -j NFQUEUE
sudo iptables -I OUTPUT -j NFQUEUE
This works well: all the packets go into NFQ and all are detected by Suricata, but this iptables rule forwards all the traffic onto NFQ, and this is not what I want.
My question is: how do I set specific iptables rules that only apply to the MySQL protocol?
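An added example, not from the question or from any answer on this page: a POSIX shell script that generates NFQUEUE rules for both directions of MySQL traffic (the question's OUTPUT rule matches only --dport 3306, so a MySQL server's replies, which carry --sport 3306, never reach the queue and Suricata cannot reassemble the session) and prints the module and counter checks to run before blaming the rules. Queue number 0 and port 3306 are assumptions.

```shell
#!/bin/sh
# Added example (not from the question or any answer): emit iptables rules that
# send BOTH directions of MySQL/TCP to NFQUEUE so Suricata sees whole streams.
# Assumptions: Suricata runs as `suricata -q $QUEUE`, MySQL listens on $PORT.
# Rules are printed, not applied, so they can be reviewed (and tested) without
# root; run `sh this.sh apply` to install them.

QUEUE="${QUEUE:-0}"     # assumed queue number Suricata is bound to
PORT="${PORT:-3306}"    # assumed MySQL port

# mysql_nfq_rules <queue-num> [port]
# Four rules: INPUT/OUTPUT x dport/sport.  Matching only --dport on OUTPUT, as
# in the question, queues client requests but drops the server->client half,
# so Suricata's MySQL app-layer parser never gets a complete conversation.
mysql_nfq_rules() {
    q="$1"; p="${2:-3306}"
    for chain in INPUT OUTPUT; do
        for match in "--dport $p" "--sport $p"; do
            # --queue-bypass: accept instead of drop when nothing (e.g. a
            # stopped Suricata) is listening on the queue.
            echo "iptables -I $chain -p tcp $match -j NFQUEUE --queue-num $q --queue-bypass"
        done
    done
}

# checks_before_applying: the two sanity checks to run first: is the NFQUEUE
# kernel support loaded, and are the rule counters actually increasing?
checks_before_applying() {
    echo "lsmod | grep -E 'nfnetlink_queue|xt_NFQUEUE'"
    echo "iptables -L INPUT -v -n --line-numbers"
    echo "iptables -L OUTPUT -v -n --line-numbers"
}

if [ "${1:-}" = "apply" ]; then
    mysql_nfq_rules "$QUEUE" "$PORT" | sh
else
    checks_before_applying
    mysql_nfq_rules "$QUEUE" "$PORT"
fi
```

Re-run the counter listing while a MySQL client is active: if the --sport rules stay at zero packets the server half is still not being queued.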
Check that you have the NFQ kernel module loaded:
Check to see if packets are matching those iptables rules:
To just use the Suricata target for MySQL, the following should work: