[Snort-users] Snort Inline w/ NFQ doesn't work after reboot

J Green corpengineer at ...11827...
Tue Nov 29 13:48:37 EST 2016


Upon reboot, I enter those (2) iptables commands manually, before running
barnyard.

Still does not work.


Thank you.




On Tue, Nov 29, 2016 at 10:41 AM, James Lay <jlay at ...13475...>
wrote:

>
> On 2016-11-29 11:31, J Green wrote:
> > Appreciate the response.  Firewalld/iptables is up.  Though the only
> > rule I have in there is for access to the Barnyard web gui.
> >
> > Thought that rules for inline were added as follows?
> >
> > iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
> > iptables -I FORWARD -j NFQUEUE --queue-num 1
> >
> > I did have this more granular, only allowing specific ports through
> > the bridge, but opened it up for troubleshooting purposes.
> >
> > All interfaces are up and respond to pings.  I know that I am missing
> > something simple.
> >
> > Thank you.
>
> They are added, but once you reboot they are lost.  You'll need to
> either create a script to readd them on boot or use
> iptables-save/iptables-restore commands.
>
> James
>
>
> >
> > On Tue, Nov 29, 2016 at 9:25 AM, James Lay <jlay at ...13475...>
> > wrote:
> >
> >> On 2016-11-28 14:28, J Green wrote:
> >>> Compiled Snort 2.9.8.3 & DAQ, CentOS 7 (VM).
> >>>
> >>> It works w/ NFQ inline.  However, if I reboot the VM, NFQ no longer
> >>> seems to work.  I do not see anything in the logs, etc.
> >>>
> >>> Here is how I am running Snort:
> >>>
> >>> snort -Q --daq nfq --daq-var device=eth0 --daq-var queue=1 -c /etc/snort/snort.conf &
> >>>
> >>> iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
> >>> iptables -I FORWARD -j NFQUEUE --queue-num 1
> >>>
> >>> barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.us [1] -w /var/log/snort/barnyard.waldo -g snort -u snort
> >>>
> >>> Any input would be appreciated.
> >>>
> >>> Thank you.
> >>>
> >>>
> >>>
> >>> Links:
> >>> ------
> >>> [1] http://snort.us
> >>>
> >>>
> >>
> >>> ------------------------------------------------------------------------------
> >>>
> >>> _______________________________________________
> >>> Snort-users mailing list
> >>> Snort-users at lists.sourceforge.net
> >>> Go to this URL to change user options or unsubscribe:
> >>> https://lists.sourceforge.net/lists/listinfo/snort-users [2]
> >>> Snort-users list archive:
> >>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users [3]
> >>>
> >>> Please visit http://blog.snort.org to stay current on all the latest
> >>> Snort news!
> >>
> >> Make sure your IP tables rules are reapplied on reboot.
> >>
> >> James
> >>
> >>
> >
> >
> >
> > Links:
> > ------
> > [1] http://snort.us
> > [2] https://lists.sourceforge.net/lists/listinfo/snort-users
> > [3] http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
>
>
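
Added example, not part of the original thread: a POSIX shell check for the state the thread describes, confirming after a reboot that both NFQUEUE rules are loaded and that a process is bound to queue 1. The function names and sample data are constructed; the inputs are the text of `iptables-save` and of `/proc/net/netfilter/nfnetlink_queue`.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed.

# has_nfqueue_rule TABLE CHAIN QUEUE   (iptables-save text on stdin)
# Succeeds if CHAIN in TABLE has a rule "-j NFQUEUE --queue-num QUEUE".
has_nfqueue_rule() {
    awk -v t="*$1" -v c="$2" -v q="$3" '
        /^\*/ { cur = $0; next }          # table header such as "*nat"
        cur == t && $1 == "-A" && $2 == c {
            jump = 0; num = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-j" && $(i + 1) == "NFQUEUE") jump = 1
                if ($i == "--queue-num") num = $(i + 1)
            }
            if (jump && num == q) found = 1
        }
        END { exit !found }'
}

# queue_bound QUEUE   (nfnetlink_queue text on stdin)
# The first column of each line is the number of a queue with a listener.
queue_bound() {
    awk -v q="$1" '$1 == q { found = 1 } END { exit !found }'
}

# check_inline RULES QUEUES QUEUE: report what is missing; non-zero on a gap.
# Packets sent to a queue with no listener are dropped unless the rule
# carries --queue-bypass, so missing rules and a missing listener differ.
check_inline() {
    rc=0
    printf '%s\n' "$1" | has_nfqueue_rule nat PREROUTING "$3" ||
        { echo "missing NFQUEUE rule: nat PREROUTING"; rc=1; }
    printf '%s\n' "$1" | has_nfqueue_rule filter FORWARD "$3" ||
        { echo "missing NFQUEUE rule: filter FORWARD"; rc=1; }
    printf '%s\n' "$2" | queue_bound "$3" ||
        { echo "no process bound to queue $3"; rc=1; }
    return $rc
}

# Constructed samples: rules as loaded by hand, and the ruleset after a reboot.
RULES_OK='*nat
-A PREROUTING -j NFQUEUE --queue-num 1
COMMIT
*filter
-A FORWARD -j NFQUEUE --queue-num 1
COMMIT'
RULES_REBOOT='*filter
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'
QUEUE_OK='    1   2345     0 2 65531     0     0        0  1'
```

On a live host, run it as root with `check_inline "$(iptables-save)" "$(cat /proc/net/netfilter/nfnetlink_queue)" 1`.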