[Snort-users] Snort Inline w/ NFQ doesn't work after reboot

J Green corpengineer at ...11827...
Tue Nov 29 13:31:53 EST 2016


Appreciate the response.  Firewalld/iptables is up.  Though the only rule I
have in there is for access to the Barnyard web gui.

Thought that rules for inline were added as follows?

iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
iptables -I FORWARD -j NFQUEUE --queue-num 1

I did have this more granular, only allowing specific ports through the
bridge, but opened it up for troubleshooting purposes.

All interfaces are up and respond to pings.  I know that I am missing
something simple.

Thank you.



On Tue, Nov 29, 2016 at 9:25 AM, James Lay <jlay at ...13475...> wrote:

> On 2016-11-28 14:28, J Green wrote:
> > Compiled Snort 2.9.8.3 & DAQ, CentOS 7 (VM).
> >
> > It works w/ NFQ inline.  However, if I reboot the VM, NFQ no longer
> > seems to work.  I do not see anything in the logs, etc.
> >
> > Here is how I am running Snort:
> >
> > snort -Q --daq nfq --daq-var device=eth0 --daq-var queue=1 -c
> > /etc/snort/snort.conf &
> >
> > iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
> > iptables -I FORWARD -j NFQUEUE --queue-num 1
> >
> > barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.us
> > [1] -w /var/log/snort/barnyard.waldo -g snort -u snort
> >
> > Any input would be appreciated.
> >
> > Thank you.
> >
> >
> >
> > Links:
> > ------
> > [1] http://snort.us
> >
> > ------------------------------------------------------------
> ------------------
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> > Snort news!
>
>
> Make sure your IP tables rules are reapplied on reboot.
>
> James
>
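Added example (not part of the original thread, and not Snort or DAQ code): a shell check for the condition discussed above, namely whether the NFQUEUE rules for queue 1 are still loaded after a reboot and whether a process is bound to that queue. The function names, state labels and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example. Inputs are plain text so the check can run offline:
#   $1 queue number, $2 `iptables-save` output,
#   $3 contents of /proc/net/netfilter/nfnetlink_queue (first column = queue number).

# Print "<rules> <rules with --queue-bypass>" for NFQUEUE rules on queue $1.
nfq_rule_counts() {
    printf '%s\n' "$2" | awk -v q="$1" '
        /^-A / {
            tgt = 0; num = ""; byp = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "-j" && $(i + 1) == "NFQUEUE") tgt = 1
                if ($i == "--queue-num") num = $(i + 1)
                if ($i == "--queue-bypass") byp = 1
            }
            if (tgt && num == q) { n++; b += byp }
        }
        END { print n + 0, b + 0 }'
}

# Succeed if a userspace program (e.g. Snort's nfq DAQ) is bound to queue $1.
nfq_listener_bound() {
    printf '%s\n' "$2" | awk -v q="$1" '$1 == q { found = 1 } END { exit !found }'
}

nfq_state() {
    counts=$(nfq_rule_counts "$1" "$2")
    rules=${counts% *}; bypass=${counts#* }
    if [ "$rules" -eq 0 ]; then
        echo "fail-open"    # no rule: traffic is forwarded without inspection
    elif nfq_listener_bound "$1" "$3"; then
        echo "ok"           # rule present and a listener is attached
    elif [ "$rules" -eq "$bypass" ]; then
        echo "bypassed"     # no listener, --queue-bypass lets packets through
    else
        echo "blackhole"    # no listener, kernel drops queued packets
    fi
}

# Constructed samples, not captured from the poster's system.
SAMPLE_RULES='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -j NFQUEUE --queue-num 1
COMMIT'
SAMPLE_PROC='    1  2345     0 2 65531     0     0        0  1'

nfq_state 1 "$SAMPLE_RULES" "$SAMPLE_PROC"
nfq_state 1 '' ''
# Live use (as root): nfq_state 1 "$(iptables-save)" "$(cat /proc/net/netfilter/nfnetlink_queue)"
```

A missing rule and a missing listener fail in opposite directions: the first forwards traffic uninspected, the second drops it unless the rule carries --queue-bypass.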