[Snort-users] Snort Inline w/ NFQ doesn't work after reboot

James Lay jlay at ...13475...
Tue Nov 29 15:23:20 EST 2016


Best is to look like so:

sudo iptables -nvL
sudo iptables -t nat -nvL

before and after testing...that should show you what packets went where.

James

On 2016-11-29 12:01, J Green wrote:
> Will try that.  This seems like a firewall or NFQ issue.
> 
> Is there a way to get debug logging out of NFQ?
> 
> Thank you.
> 
> On Tue, Nov 29, 2016 at 10:51 AM, James Lay <jlay at ...13475...>
> wrote:
> 
>> On 2016-11-29 11:48, J Green wrote:
>>> Upon reboot, I enter those (2) iptables commands manually, before
>>> running barnyard.
>>> 
>>> Still does not work.
>>> 
>>> Thank you.
>>> 
>>>>> On Tue, Nov 29, 2016 at 10:41 AM, James Lay <jlay at ...13475...>
>>>>> wrote:
>>> 
>>>> On 2016-11-29 11:31, J Green wrote:
>>>>>> Appreciate the response.  Firewalld/iptables is up.  Though the
>>>>>> only rule I have in there is for access to the Barnyard web gui.
>>>>> 
>>>>> Thought that rules for inline were added as follows?
>>>>> 
>>>>> iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
>>>>> iptables -I FORWARD -j NFQUEUE --queue-num 1
>>>>> 
>>>>>> I did have this more granular, only allowing specific ports
>>>>>> through the bridge, but opened it up for troubleshooting purposes.
>>>>> 
>>>>>> All interfaces are up and respond to pings.  I know that I am
>>>>>> missing something simple.
>>>>> 
>>>>> Thank you.
>>>> 
>>>>> They are added, but once you reboot they are lost.  You'll need
>>>>> to either create a script to re-add them on boot or use the
>>>>> iptables-save/iptables-restore commands.
>>>> 
>>>> James
>>>> 
>>>>> 
>>>>>> On Tue, Nov 29, 2016 at 9:25 AM, James Lay <jlay at ...13475...>
>>>>>> wrote:
>>>>> 
>>>>>> On 2016-11-28 14:28, J Green wrote:
>>>>>>> Compiled Snort 2.9.8.3 & DAQ, CentOS 7 (VM).
>>>>>>> 
>>>>>>>> It works w/ NFQ inline.  However, if I reboot the VM, NFQ no
>>>>>>>> longer seems to work.  I do not see anything in the logs, etc.
>>>>>>> 
>>>>>>> Here is how I am running Snort:
>>>>>>> 
>>>>>>> snort -Q --daq nfq --daq-var device=eth0 --daq-var queue=1 -c
>>>>>>> /etc/snort/snort.conf &
>>>>>>> 
>>>>>>> iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
>>>>>>> iptables -I FORWARD -j NFQUEUE --queue-num 1
>>>>>>> 
>>>>>>>> barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f
>>>>>>>> snort.us -w /var/log/snort/barnyard.waldo -g snort -u snort
>>>>>>> 
>>>>>>> Any input would be appreciated.
>>>>>>> 
>>>>>>> Thank you.
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>> 
>>>>> 
>>>> 
>>> 
>> 
>>>>>>>> ------------------------------------------------------------------------------
>>>>>>>> _______________________________________________
>>>>>>>> Snort-users mailing list
>>>>>>>> Snort-users at lists.sourceforge.net
>>>>>>>> Go to this URL to change user options or unsubscribe:
>>>>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>>>>> Snort-users list archive:
>>>>>>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>>>>>> 
>>>>>>>> Please visit http://blog.snort.org to stay current on all the
>>>>>>>> latest Snort news!
>>>>>> 
>>>>>> Make sure your IP tables rules are reapplied on reboot.
>>>>>> 
>>>>>> James
>>>>>> 
>> 
>> Sounds like you'll want to not run snort in the background for
>> testing...if it was me I'd packet capture as well.
>> 
>> James
>> 
>> 
> 
> 
> 
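The "before and after" counter check James describes, plus the boot-time re-add he recommends, as an added shell example; this is not code from the thread or from the Snort project, and the function names and the `iptables -nvxL` dumps below are constructed (the `-x` flag prints exact counters instead of the K/M abbreviations that `-nvL` uses for large values, which matters once you start subtracting them). Two caveats a practitioner should keep in mind when reading those dumps: rules in the nat table are consulted only for the first packet of a connection, so the `-t nat PREROUTING` rule queues one packet per flow while the FORWARD rule queues every forwarded packet; and when firewalld owns the tables (as on this CentOS 7 box), a firewalld reload also drops rules added with plain iptables, so the boot script must run after firewalld, or the rules should be made firewalld-native with `firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -j NFQUEUE --queue-num 1` (and the equivalent for `nat PREROUTING`).

```shell
#!/bin/sh
# Added example (not from the thread): check that the NFQUEUE rules Snort's nfq
# DAQ depends on exist and are actually seeing packets, and re-add them
# idempotently at boot. All sample iptables output below is constructed.

# nfq_rule_pkts CHAIN QUEUE < dump
# Reads `iptables -nvxL` (or `iptables -t nat -nvxL`) output on stdin and prints
# the pkts counter of the NFQUEUE rule for QUEUE in CHAIN, or "missing".
nfq_rule_pkts() {
    awk -v chain="$1" -v q="$2" '
        /^Chain / { cur = $2; next }
        cur == chain && $3 == "NFQUEUE" && $0 ~ ("NFQUEUE num " q "( |$)") {
            print $1; found = 1; exit
        }
        END { if (!found) print "missing" }
    '
}

# nfq_delta CHAIN QUEUE BEFORE_DUMP AFTER_DUMP
# Prints how many packets hit the queue rule between two snapshots taken around
# a test connection, or "missing" (exit 1) if the rule is absent in either.
nfq_delta() {
    before=$(printf '%s\n' "$3" | nfq_rule_pkts "$1" "$2")
    after=$(printf '%s\n' "$4" | nfq_rule_pkts "$1" "$2")
    if [ "$before" = missing ] || [ "$after" = missing ]; then
        echo missing
        return 1
    fi
    echo $((after - before))
}

# nfq_ensure_rules QUEUE
# Re-adds the two rules from the thread if they are gone. `iptables -C` exits
# non-zero when a rule is absent, so this is safe to run on every boot without
# stacking duplicate rules. Set IPTABLES=echo to dry-run without root.
nfq_ensure_rules() {
    q="$1"; ipt="${IPTABLES:-iptables}"
    "$ipt" -t nat -C PREROUTING -j NFQUEUE --queue-num "$q" 2>/dev/null \
        || "$ipt" -t nat -I PREROUTING -j NFQUEUE --queue-num "$q"
    "$ipt" -C FORWARD -j NFQUEUE --queue-num "$q" 2>/dev/null \
        || "$ipt" -I FORWARD -j NFQUEUE --queue-num "$q"
}

# Constructed dump: the filter table right after a reboot, rules gone.
DUMP_AFTER_REBOOT='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination'

# Constructed dumps: FORWARD rule present, snapshots before and after a test
# flow was pushed across the bridge.
DUMP_BEFORE='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     120       9876 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 1'
DUMP_AFTER='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     142      11240 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 1'

# Demo on the constructed dumps.
printf 'after reboot, FORWARD queue 1: %s\n' \
    "$(printf '%s\n' "$DUMP_AFTER_REBOOT" | nfq_rule_pkts FORWARD 1)"
printf 'packets queued during test flow: %s\n' \
    "$(nfq_delta FORWARD 1 "$DUMP_BEFORE" "$DUMP_AFTER")"

# Live use as root, with snort running in the foreground as James suggests:
#   iptables -nvxL > /tmp/before; <push a test connection through the bridge>
#   iptables -nvxL > /tmp/after
#   nfq_delta FORWARD 1 "$(cat /tmp/before)" "$(cat /tmp/after)"
# A delta of 0 with the rule present means traffic is not crossing FORWARD at
# all (check the bridge); "missing" means the rules were not re-applied.
```

For the boot-time part, call `nfq_ensure_rules 1` from a unit ordered after firewalld (or from the rc.local equivalent) and start snort only once it has returned, since the nfq DAQ binds to the queue but the kernel only delivers packets once a rule references it.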