[Snort-users] Snort Inline w/ NFQ doesn't work after reboot

J Green corpengineer at ...11827...
Tue Nov 29 14:01:37 EST 2016


Will try that.  This seems like a firewall or NFQ issue.

Is there a way to get debug logging out of NFQ?


Thank you.

On Tue, Nov 29, 2016 at 10:51 AM, James Lay <jlay at ...13475...>
wrote:

> On 2016-11-29 11:48, J Green wrote:
> > Upon reboot, I enter those (2) iptables commands manually, before
> > running barnyard.
> >
> > Still does not work.
> >
> > Thank you.
> >
> > On Tue, Nov 29, 2016 at 10:41 AM, James Lay <jlay at ...13475...>
> > wrote:
> >
> >> On 2016-11-29 11:31, J Green wrote:
> >>> Appreciate the response.  Firewalld/iptables is up.  Though the only
> >>> rule I have in there is for access to the Barnyard web gui.
> >>>
> >>> Thought that rules for inline were added as follows?
> >>>
> >>> iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
> >>> iptables -I FORWARD -j NFQUEUE --queue-num 1
> >>>
> >>> I did have this more granular, only allowing specific ports through
> >>> the bridge, but opened it up for troubleshooting purposes.
> >>>
> >>> All interfaces are up and respond to pings.  I know that I am missing
> >>> something simple.
> >>>
> >>> Thank you.
> >>
> >> They are added, but once you reboot they are lost.  You'll need to
> >> either create a script to re-add them on boot or use the
> >> iptables-save/iptables-restore commands.
> >>
> >> James
> >>
> >>>
> >>> On Tue, Nov 29, 2016 at 9:25 AM, James Lay <jlay at ...13475...>
> >>> wrote:
> >>>
> >>>> On 2016-11-28 14:28, J Green wrote:
> >>>>> Compiled Snort 2.9.8.3 & DAQ, CentOS 7 (VM).
> >>>>>
> >>>>> It works w/ NFQ inline.  However, if I reboot the VM, NFQ no longer
> >>>>> seems to work.  I do not see anything in the logs, etc.
> >>>>>
> >>>>> Here is how I am running Snort:
> >>>>>
> >>>>> snort -Q --daq nfq --daq-var device=eth0 --daq-var queue=1 -c
> >>>>> /etc/snort/snort.conf &
> >>>>>
> >>>>> iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
> >>>>> iptables -I FORWARD -j NFQUEUE --queue-num 1
> >>>>>
> >>>>> barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f
> >>>>> snort.us -w /var/log/snort/barnyard.waldo -g snort -u snort
> >>>>>
> >>>>> Any input would be appreciated.
> >>>>>
> >>>>> Thank you.
> >>>>>
> >>>>
> >>>
> >>
> >>>>> ------------------------------------------------------------------------------
> >>>>> _______________________________________________
> >>>>> Snort-users mailing list
> >>>>> Snort-users at lists.sourceforge.net
> >>>>> Go to this URL to change user options or unsubscribe:
> >>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
> >>>>> Snort-users list archive:
> >>>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >>>>>
> >>>>> Please visit http://blog.snort.org to stay current on all the latest
> >>>>> Snort news!
> >>>>
> >>>> Make sure your iptables rules are reapplied on reboot.
> >>>>
> >>>> James
> >>>>
>
> Sounds like you'll want to not run snort in the background for
> testing...if it was me I'd packet capture as well.
>
> James
>
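James's advice above (re-add the NFQUEUE rules from a boot-time script, or use iptables-save/iptables-restore) is the fix for the reboot symptom in this thread. The script below is an added example, not code from the thread or from the Snort project. It parses an iptables-save dump to find which of the two NFQUEUE jumps (nat/PREROUTING and filter/FORWARD) are absent, re-inserts only those so that repeated runs never stack duplicate rules, and wraps iptables-save/iptables-restore for the persistence route. The script name, the `QUEUE_NUM`/`RULES_FILE` defaults and the `/etc/sysconfig/iptables.nfq` path are assumptions; the sample dump in the comments is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: keep the two NFQUEUE rules from
# the thread in place across reboots.  Run "nfq-rules.sh apply" from a
# boot-time unit, or "save"/"restore" to go the iptables-save/restore route.
# The script name, QUEUE_NUM and RULES_FILE are assumptions.
set -e

QUEUE_NUM="${QUEUE_NUM:-1}"
RULES_FILE="${RULES_FILE:-/etc/sysconfig/iptables.nfq}"   # assumed path

# Read an iptables-save dump on stdin and print one "TABLE CHAIN" line for
# each NFQUEUE jump that is absent.  Exit status is 0 only when both rules
# (nat/PREROUTING and filter/FORWARD) are present with the right queue number.
# A freshly rebooted box from the thread would produce (constructed sample):
#   *nat ... COMMIT *filter -A INPUT -p tcp --dport 443 -j ACCEPT COMMIT
# and this function then reports both chains as missing.
missing_nfq_rules() {
    awk -v q="$QUEUE_NUM" '
        /^\*/ { table = substr($0, 2) }            # "*nat" / "*filter" headers
        table == "nat"    && /^-A PREROUTING / && $0 ~ ("-j NFQUEUE --queue-num " q "$") { nat_ok = 1 }
        table == "filter" && /^-A FORWARD /    && $0 ~ ("-j NFQUEUE --queue-num " q "$") { fwd_ok = 1 }
        END {
            rc = 0
            if (!nat_ok) { print "nat PREROUTING"; rc = 1 }
            if (!fwd_ok) { print "filter FORWARD";  rc = 1 }
            exit rc
        }'
}

# Re-insert only what is missing, so running this on every boot (or by hand,
# as in the thread) does not pile up duplicate NFQUEUE rules.
ensure_nfq_rules() {
    iptables-save | missing_nfq_rules | while read -r table chain; do
        iptables -t "$table" -I "$chain" -j NFQUEUE --queue-num "$QUEUE_NUM"
        echo "re-added NFQUEUE rule in $table/$chain"
    done
}

# The alternative James mentions: snapshot the whole rule set once it works,
# and restore that snapshot at boot.
save_rules()    { iptables-save > "$RULES_FILE"; }
restore_rules() { iptables-restore < "$RULES_FILE"; }

if [ $# -gt 0 ]; then
    case "$1" in
        apply)   ensure_nfq_rules ;;
        save)    save_rules ;;
        restore) restore_rules ;;
        check)   iptables-save | missing_nfq_rules ;;   # exit 1 if a rule is gone
        *)       echo "usage: $0 apply|save|restore|check" >&2 ;;
    esac
fi
```

`nfq-rules.sh check` is the quick post-reboot test: a non-zero exit with "nat PREROUTING" or "filter FORWARD" printed means traffic is never reaching queue 1, so Snort sees nothing regardless of how it was started. Note that `iptables -I` only matters if there is no earlier rule that already ACCEPTs the traffic; the dump parser matches the exact queue number so a rule pointing at a different queue counts as missing.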