[Snort-users] Snort Inline w/ NFQ doesn't work after reboot

J Green corpengineer at ...11827...
Tue Nov 29 15:35:04 EST 2016


Will try that.

One thing I noticed is that the nfnetlink modules (nfnetlink,
nfnetlink_log, nfnetlink_queue) were not loaded upon reboot.

I reinstalled them manually.  But it is still not working.



On Tue, Nov 29, 2016 at 12:23 PM, James Lay <jlay at ...13475...>
wrote:

> Best is to look like so:
>
> sudo iptables -nvL
> sudo iptables -t nat -nvL
>
> before and after testing...that should show you what packets went where.
>
> James
>
> On 2016-11-29 12:01, J Green wrote:
> > Will try that.  This seems like a firewall or NFQ issue.
> >
> > Is there a way to get debug logging out of NFQ?
> >
> > Thank you.
> >
> > On Tue, Nov 29, 2016 at 10:51 AM, James Lay <jlay at ...13475...>
> > wrote:
> >
> >> On 2016-11-29 11:48, J Green wrote:
> >>> Upon reboot, I enter those (2) iptables commands manually, before
> >>> running barnyard.
> >>>
> >>> Still does not work.
> >>>
> >>> Thank you.
> >>>
> >>>>> On Tue, Nov 29, 2016 at 10:41 AM, James Lay <jlay at ...13475...>
> >>>>> wrote:
> >>>
> >>>> On 2016-11-29 11:31, J Green wrote:
> >>>>> Appreciate the response.  Firewalld/iptables is up.  Though the only
> >>>>> rule I have in there is for access to the Barnyard web gui.
> >>>>>
> >>>>> Thought that rules for inline were added as follows?
> >>>>>
> >>>>> iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
> >>>>> iptables -I FORWARD -j NFQUEUE --queue-num 1
> >>>>>
> >>>>> I did have this more granular, only allowing specific ports through
> >>>>> the bridge, but opened it up for troubleshooting purposes.
> >>>>>
> >>>>> All interfaces are up and respond to pings.  I know that I am missing
> >>>>> something simple.
> >>>>>
> >>>>> Thank you.
> >>>>
> >>>> They are added, but once you reboot they are lost.  You'll need to
> >>>> either create a script to re-add them on boot or use
> >>>> iptables-save/iptables-restore commands.
> >>>>
> >>>> James
> >>>>
> >>>>>
> >>>>> On Tue, Nov 29, 2016 at 9:25 AM, James Lay <jlay at ...13475...>
> >>>>> wrote:
> >>>>>
> >>>>>> On 2016-11-28 14:28, J Green wrote:
> >>>>>>> Compiled Snort 2.9.8.3 & DAQ, CentOS 7 (VM).
> >>>>>>>
> >>>>>>> It works w/ NFQ inline.  However, if I reboot the VM, NFQ no longer
> >>>>>>> seems to work.  I do not see anything in the logs, etc.
> >>>>>>>
> >>>>>>> Here is how I am running Snort:
> >>>>>>>
> >>>>>>> snort -Q --daq nfq --daq-var device=eth0 --daq-var queue=1 -c
> >>>>>>> /etc/snort/snort.conf &
> >>>>>>>
> >>>>>>> iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
> >>>>>>> iptables -I FORWARD -j NFQUEUE --queue-num 1
> >>>>>>>
> >>>>>>> barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.us
> >>>>>>> -w /var/log/snort/barnyard.waldo -g snort -u snort
> >>>>>>>
> >>>>>>> Any input would be appreciated.
> >>>>>>>
> >>>>>>> Thank you.
> >>>>>>>
> >>>>>>>
> >>>>>>
> >>>>>
> >>>>
> >>>
> >>
> >>>>>>> ------------------------------------------------------------------------------
> >>>>>>> _______________________________________________
> >>>>>>> Snort-users mailing list
> >>>>>>> Snort-users at lists.sourceforge.net
> >>>>>>> Go to this URL to change user options or unsubscribe:
> >>>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
> >>>>>>> Snort-users list archive:
> >>>>>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >>>>>>>
> >>>>>>> Please visit http://blog.snort.org to stay current on all the latest
> >>>>>>> Snort news!
> >>>>>>
> >>>>>> Make sure your IP tables rules are reapplied on reboot.
> >>>>>>
> >>>>>> James
> >>>>>>
> >>
> >> Sounds like you'll want to not run snort in the background for
> >> testing...if it was me I'd packet capture as well.
> >>
> >> James
> >>
> >>
> >
> >
> >
>
>
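The two fixes James points at in the thread (re-add the NFQUEUE rules on every boot, and compare iptables counters before and after a test to see where packets actually went) put together as one script. This is an added example, not code from any poster in the thread or from the Snort project. It assumes queue number 1 and the two rules exactly as posted, CentOS 7 with systemd, and names chosen here (the unit "snort-nfq-rules.service", the modules file "snort-nfq.conf", the NFQ_ROOT variable that redirects the files into a scratch directory); the sample iptables output used to exercise the counter diff is constructed, not captured from the poster's box.

```shell
#!/bin/sh
# Added example for the Snort-users thread on NFQ inline after reboot.
# Not the poster's or the Snort project's code. Assumptions (ours):
# queue 1, the two rules as posted, CentOS 7 / systemd, and the file and
# unit names below. NFQ_ROOT="" writes under /; set it to a scratch dir
# to inspect the generated files without touching the system.

NFQ_ROOT="${NFQ_ROOT:-}"
NFQ_QUEUE="${NFQ_QUEUE:-1}"

# iptables rules are kernel state and are gone after a reboot. A oneshot
# unit ordered after firewalld re-adds them on every boot without
# rewriting firewalld's tables (a bare iptables-restore would flush them).
# Without --queue-bypass, NFQUEUE drops every packet while nothing is
# bound to the queue (fail-closed: Snort down = no forwarding); with it
# traffic passes uninspected while Snort is down (fail-open). Choose one
# deliberately; the posted rules are fail-closed.
nfq_unit_file() {
  cat <<EOF
[Unit]
Description=Re-add Snort NFQUEUE rules (queue ${NFQ_QUEUE}) after boot
After=network.target firewalld.service
Wants=firewalld.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/iptables -t nat -I PREROUTING -j NFQUEUE --queue-num ${NFQ_QUEUE}
ExecStart=/usr/sbin/iptables -I FORWARD -j NFQUEUE --queue-num ${NFQ_QUEUE}
ExecStop=/usr/sbin/iptables -t nat -D PREROUTING -j NFQUEUE --queue-num ${NFQ_QUEUE}
ExecStop=/usr/sbin/iptables -D FORWARD -j NFQUEUE --queue-num ${NFQ_QUEUE}

[Install]
WantedBy=multi-user.target
EOF
}

# systemd-modules-load reads /etc/modules-load.d/*.conf at boot. Inserting
# an NFQUEUE rule normally pulls nfnetlink_queue in by itself, so listing
# the modules here only guarantees they are present before Snort starts.
nfq_modules_file() {
  printf '%s\n' nfnetlink nfnetlink_queue
}

nfq_install() {
  mkdir -p "${NFQ_ROOT}/etc/modules-load.d" "${NFQ_ROOT}/etc/systemd/system"
  nfq_modules_file > "${NFQ_ROOT}/etc/modules-load.d/snort-nfq.conf"
  nfq_unit_file    > "${NFQ_ROOT}/etc/systemd/system/snort-nfq-rules.service"
}

# Exact (-x) counters of the two chains the rules live in. Take one
# snapshot before and one after sending test traffic through the bridge.
nfq_snapshot() {
  iptables -t nat -nvxL PREROUTING
  iptables -nvxL FORWARD
}

# Print every rule whose packet counter moved between two snapshots.
# A test flow that never increments the NFQUEUE rule was never handed to
# Snort, whatever Snort's own logs say (or fail to say).
nfq_counter_delta() {
  awk '
    /^Chain / { chain = $2; next }
    $1 == "pkts" || NF == 0 { next }
    {
      rule = chain
      for (i = 3; i <= NF; i++) rule = rule " " $i
      if (NR == FNR) { before[rule] = $1; next }
      d = $1 - before[rule]
      if (d != 0) printf "%+d packets  %s\n", d, rule
    }' "$1" "$2"
}

# Readiness check in the order things fail: module, rules, then a
# process bound to the queue. /proc/net/netfilter/nfnetlink_queue has one
# line per bound queue; an empty file means Snort is not attached.
nfq_check() {
  lsmod | grep -q '^nfnetlink_queue' || { echo "nfnetlink_queue not loaded"; return 1; }
  iptables -t nat -C PREROUTING -j NFQUEUE --queue-num "${NFQ_QUEUE}" 2>/dev/null \
    || { echo "nat PREROUTING NFQUEUE rule missing"; return 1; }
  iptables -C FORWARD -j NFQUEUE --queue-num "${NFQ_QUEUE}" 2>/dev/null \
    || { echo "FORWARD NFQUEUE rule missing"; return 1; }
  grep -q . /proc/net/netfilter/nfnetlink_queue 2>/dev/null \
    || { echo "nothing bound to an NFQUEUE (is snort -Q --daq nfq running?)"; return 1; }
  echo "ok"
}

case "${1:-}" in
  install) nfq_install ;;
  check)   nfq_check ;;
  delta)   nfq_counter_delta "$2" "$3" ;;
  *) ;;
esac
```

Run "sh snort-nfq.sh install" as root, then "systemctl daemon-reload && systemctl enable --now snort-nfq-rules.service"; "sh snort-nfq.sh check" tells you which of the three pieces is missing. A later "firewall-cmd --reload" wipes rules that firewalld did not add itself, so restart the unit after a reload (or add the rules through firewalld's direct interface instead). When reading the counters, keep in mind that the nat PREROUTING hook is traversed only by the first packet of each connection, so the FORWARD rule is the one that carries the stream; that is the counter that should climb during a test.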