[Snort-users] Snort Inline w/ NFQ doesn't work after reboot

James Lay jlay at ...13475...
Tue Nov 29 13:51:43 EST 2016


On 2016-11-29 11:48, J Green wrote:
> Upon reboot, I enter those (2) iptables commands manually, before
> running barnyard.
> 
> Still does not work.
> 
> Thank you.
> 
> On Tue, Nov 29, 2016 at 10:41 AM, James Lay <jlay at ...13475...>
> wrote:
> 
>> On 2016-11-29 11:31, J Green wrote:
>>> Appreciate the response.  Firewalld/iptables is up.  Though the only
>>> rule I have in there is for access to the Barnyard web gui.
>>> 
>>> Thought that rules for inline were added as follows?
>>> 
>>> iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
>>> iptables -I FORWARD -j NFQUEUE --queue-num 1
>>> 
>>> I did have this more granular, only allowing specific ports through
>>> the bridge, but opened it up for troubleshooting purposes.
>>> 
>>> All interfaces are up and respond to pings.  I know that I am missing
>>> something simple.
>>> 
>>> Thank you.
>> 
>> They are added, but once you reboot they are lost.  You'll need to
>> either create a script to re-add them on boot or use the
>> iptables-save/iptables-restore commands.
>> 
>> James
>> 
>>> 
>>> On Tue, Nov 29, 2016 at 9:25 AM, James Lay <jlay at ...13475...>
>>> wrote:
>>> 
>>>> On 2016-11-28 14:28, J Green wrote:
>>>>> Compiled Snort 2.9.8.3 & DAQ, CentOS 7 (VM).
>>>>> 
>>>>> It works w/ NFQ inline.  However, if I reboot the VM, NFQ no longer
>>>>> seems to work.  I do not see anything in the logs, etc.
>>>>> 
>>>>> Here is how I am running Snort:
>>>>> 
>>>>> snort -Q --daq nfq --daq-var device=eth0 --daq-var queue=1 -c
>>>>> /etc/snort/snort.conf &
>>>>> 
>>>>> iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
>>>>> iptables -I FORWARD -j NFQUEUE --queue-num 1
>>>>> 
>>>>> barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.us
>>>>> -w /var/log/snort/barnyard.waldo -g snort -u snort
>>>>> 
>>>>> Any input would be appreciated.
>>>>> 
>>>>> Thank you.
>>>>> 
>>>> Make sure your iptables rules are reapplied on reboot.
>>>> 
>>>> James
>>>> 

Sounds like you'll want to not run snort in the background for 
testing...if it was me I'd packet capture as well.

James
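James's two suggestions in this thread (persist the rules with iptables-save/iptables-restore, or re-add them from a script at boot, and run Snort in the foreground while testing) can be combined into one boot-time wrapper. The script below is an added example and is not code from the thread or from the Snort project; it assumes queue number 1, the two iptables rules quoted above, eth0 as the inline interface, and the CentOS 7 iptables-services save path /etc/sysconfig/iptables. The check_nfq_rules function parses iptables-save text rather than calling iptables itself, so it can be exercised without root against a constructed sample of what a freshly rebooted host prints (no NFQUEUE lines at all, which is the situation described in the first message).

```shell
#!/bin/sh
# Added example, not from the thread: make the NFQUEUE rules that Snort's
# nfq DAQ depends on survive a reboot, and verify they are loaded before
# Snort is started. Assumptions: queue number 1, the two rules quoted in the
# thread, eth0 as the inline interface, and the CentOS 7 iptables-services
# save file path.

QUEUE_NUM=1
RULES_FILE=/etc/sysconfig/iptables      # assumption: iptables-services default on CentOS 7
SNORT_CONF=/etc/snort/snort.conf
NFQ_IFACE=eth0

# Read iptables-save output from stdin and return 0 only when both rules are
# present: NFQUEUE in nat/PREROUTING and NFQUEUE in filter/FORWARD, both on
# the expected queue number. Works on text, so it can be run without root.
check_nfq_rules() {
    awk -v q="${1:-$QUEUE_NUM}" '
        /^\*/ { table = $1 }                                   # *nat, *filter, ...
        table == "*nat"    && $0 ~ ("^-A PREROUTING -j NFQUEUE --queue-num " q "$") { nat = 1 }
        table == "*filter" && $0 ~ ("^-A FORWARD -j NFQUEUE --queue-num " q "$")    { fwd = 1 }
        END { exit !(nat && fwd) }
    '
}

# Re-add the two rules from the thread (requires root).
apply_nfq_rules() {
    iptables -t nat -I PREROUTING -j NFQUEUE --queue-num "$QUEUE_NUM"
    iptables -I FORWARD -j NFQUEUE --queue-num "$QUEUE_NUM"
}

# Persist the running ruleset so iptables-restore (or the iptables service)
# can reload it at the next boot.
save_rules() {
    iptables-save > "$RULES_FILE"
}

# Boot-time entry point: restore the saved ruleset if there is one, add the
# NFQ rules if they are still missing, save, then exec Snort in the
# foreground so startup errors are visible instead of lost to a backgrounded
# process.
ensure_and_start() {
    if [ -r "$RULES_FILE" ]; then
        iptables-restore < "$RULES_FILE"
    fi
    if ! iptables-save | check_nfq_rules "$QUEUE_NUM"; then
        apply_nfq_rules
        save_rules
    fi
    exec snort -Q --daq nfq --daq-var device="$NFQ_IFACE" \
        --daq-var queue="$QUEUE_NUM" -c "$SNORT_CONF"
}

# Constructed sample of what iptables-save prints right after a reboot on a
# host whose firewall only carries the Barnyard web GUI rule: no NFQUEUE lines.
SAMPLE_AFTER_REBOOT='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

case "${1:-}" in
    --ensure-and-start) ensure_and_start ;;
    *)
        # Offline demonstration on the constructed sample (no root needed).
        if printf '%s\n' "$SAMPLE_AFTER_REBOOT" | check_nfq_rules "$QUEUE_NUM"; then
            echo "NFQUEUE rules present"
        else
            echo "NFQUEUE rules missing: Snort inline will see no traffic until they are re-added"
        fi
        ;;
esac
```

Run with no arguments to exercise the check on the embedded sample; run as root with --ensure-and-start (for instance from a systemd unit or rc.local) to restore the rules and start Snort. The check insists on the table as well as the chain, because a PREROUTING rule that ends up in the filter table would not be the rule the nfq DAQ setup in the thread relies on.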
