[Snort-users] Snort Inline w/ NFQ doesn't work after reboot

J Green corpengineer at ...11827...
Tue Nov 29 16:28:57 EST 2016


Of note, the Snort portion still detects events, and seems to work.

What does not work is legitimate/permitted network access.  This leads me
to believe that NFQ is the problem, and might not be loaded properly upon
reboot?


On Tue, Nov 29, 2016 at 12:35 PM, J Green <corpengineer at ...11827...> wrote:

> Will try that.
>
> One thing I noticed is that the nfnetlink modules (nfnetlink,
> nfnetlink_log, nfnetlink_queue) were not loaded upon reboot.
>
> I reinstalled them manually.  But it is still not working.
>
>
>
> On Tue, Nov 29, 2016 at 12:23 PM, James Lay <jlay at ...13475...>
> wrote:
>
>> Best is to look like so:
>>
>> sudo iptables -nvL
>> sudo iptables -t nat -nvL
>>
>> before and after testing...that should show you what packets went where.
>>
>> James
>>
>> On 2016-11-29 12:01, J Green wrote:
>> > Will try that.  This seems like a firewall or NFQ issue.
>> >
>> > Is there a way to get debug logging out of NFQ?
>> >
>> > Thank you.
>> >
>> > On Tue, Nov 29, 2016 at 10:51 AM, James Lay <jlay at ...13475...>
>> > wrote:
>> >
>> >> On 2016-11-29 11:48, J Green wrote:
>> >>> Upon reboot, I enter those (2) iptables commands manually, before
>> >>> running barnyard.
>> >>>
>> >>> Still does not work.
>> >>>
>> >>> Thank you.
>> >>>
>> >>> On Tue, Nov 29, 2016 at 10:41 AM, James Lay <jlay at ...13475...>
>> >>> wrote:
>> >>>
>> >>>> On 2016-11-29 11:31, J Green wrote:
>> >>>>> Appreciate the response.  Firewalld/iptables is up.  Though the
>> >>>>> only rule I have in there is for access to the Barnyard web gui.
>> >>>>>
>> >>>>> Thought that rules for inline were added as follows?
>> >>>>>
>> >>>>> iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
>> >>>>> iptables -I FORWARD -j NFQUEUE --queue-num 1
>> >>>>>
>> >>>>> I did have this more granular, only allowing specific ports
>> >>>>> through the bridge, but opened it up for troubleshooting purposes.
>> >>>>>
>> >>>>> All interfaces are up and respond to pings.  I know that I am
>> >>>>> missing something simple.
>> >>>>>
>> >>>>> Thank you.
>> >>>>
>> >>>> They are added, but once you reboot they are lost.  You'll need
>> >>>> to either create a script to re-add them on boot or use
>> >>>> iptables-save/iptables-restore commands.
>> >>>>
>> >>>> James
>> >>>>
>> >>>>>
>> >>>>> On Tue, Nov 29, 2016 at 9:25 AM, James Lay <jlay at ...13475...>
>> >>>>> wrote:
>> >>>>>
>> >>>>>> On 2016-11-28 14:28, J Green wrote:
>> >>>>>>> Compiled Snort 2.9.8.3 & DAQ, CentOS 7 (VM).
>> >>>>>>>
>> >>>>>>> It works w/ NFQ inline.  However, if I reboot the VM, NFQ no
>> >>>>>>> longer seems to work.  I do not see anything in the logs, etc.
>> >>>>>>>
>> >>>>>>> Here is how I am running Snort:
>> >>>>>>>
>> >>>>>>> snort -Q --daq nfq --daq-var device=eth0 --daq-var queue=1 -c
>> >>>>>>> /etc/snort/snort.conf &
>> >>>>>>>
>> >>>>>>> iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
>> >>>>>>> iptables -I FORWARD -j NFQUEUE --queue-num 1
>> >>>>>>>
>> >>>>>>> barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f
>> >>>>>>> snort.us -w /var/log/snort/barnyard.waldo -g snort -u snort
>> >>>>>>>
>> >>>>>>> Any input would be appreciated.
>> >>>>>>>
>> >>>>>>> Thank you.
>> >>>>>>>
>> >>>>>>>
>> >>>>>>>
>> >>>>>>>
>> >>>>>>>
>> >>>>>>
>> >>>>>
>> >>>>
>> >>>
>> >>
>> >>>>>>> ------------------------------------------------------------------------------
>> >>>>>>>
>> >>>>>>> _______________________________________________
>> >>>>>>> Snort-users mailing list
>> >>>>>>> Snort-users at lists.sourceforge.net
>> >>>>>>> Go to this URL to change user options or unsubscribe:
>> >>>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> >>>>>>> Snort-users list archive:
>> >>>>>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>> >>>>>>>
>> >>>>>>> Please visit http://blog.snort.org to stay current on all the
>> >>>>>>> latest Snort news!
>> >>>>>>
>> >>>>>> Make sure your iptables rules are reapplied on reboot.
>> >>>>>>
>> >>>>>> James
>> >>>>>>
>> >>
>> >> Sounds like you'll want to not run snort in the background for
>> >> testing...if it was me I'd packet capture as well.
>> >>
>> >> James
>> >>
>> >>
>> >
>> >
>> >
>>
>>
>
>
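As an added example, not code from the thread or from the Snort project: the two things James recommends, re-adding the rules on boot and comparing `iptables -nvL` counters before and after a test, as one POSIX shell script. Queue 1, the nat/PREROUTING and filter/FORWARD chains and the nfnetlink_queue module come from the thread. The script and unit paths, a `snort.service` unit to order against, `--queue-bypass` as a deliberate fail-open choice, and the sample counter listing are assumptions made for the example.

```shell
#!/bin/sh
# Added example; not code from the thread or from the Snort project.
# Makes the two NFQUEUE rules from the thread survive a reboot and checks,
# from iptables counters, whether packets are actually reaching queue 1.
# Queue number, chains and the nfnetlink_queue module come from the thread;
# the paths, unit/service names and the sample counter output are assumptions.

QUEUE_NUM=1
SCRIPT_PATH=${SCRIPT_PATH:-/usr/local/sbin/snort-nfq-rules.sh}   # assumed path

# Idempotent insert: -C tests for the rule, -I adds it at the top only if absent.
# --queue-bypass turns NFQUEUE into a no-op while no program (snort) is bound to
# the queue, so rules restored before snort starts do not black-hole traffic.
# That is a deliberate fail-open choice; drop the flag for fail-closed.
nfq_rule() {  # $1 = table, $2 = chain
    iptables -t "$1" -C "$2" -j NFQUEUE --queue-num "$QUEUE_NUM" --queue-bypass 2>/dev/null ||
    iptables -t "$1" -I "$2" -j NFQUEUE --queue-num "$QUEUE_NUM" --queue-bypass
}

install_rules() {
    modprobe nfnetlink_queue                 # thread saw it unloaded after reboot
    nfq_rule nat    PREROUTING               # nat sees only a flow's first packet
    nfq_rule filter FORWARD                  # FORWARD sees the whole forwarded flow
    # Bridged frames only traverse FORWARD while this sysctl is 1 (bridge setups;
    # harmless elsewhere).
    sysctl -q -w net.bridge.bridge-nf-call-iptables=1 2>/dev/null || true
}

remove_rules() {
    iptables -t nat    -D PREROUTING -j NFQUEUE --queue-num "$QUEUE_NUM" --queue-bypass 2>/dev/null || true
    iptables -t filter -D FORWARD    -j NFQUEUE --queue-num "$QUEUE_NUM" --queue-bypass 2>/dev/null || true
}

# systemd unit (assumed name snort-nfq.service): ordered after firewalld, whose
# startup replaces the rule set, and before an assumed snort.service.
gen_unit() {
    cat <<EOF
[Unit]
Description=NFQUEUE rules for Snort inline (queue $QUEUE_NUM)
After=network.target firewalld.service
Before=snort.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=$SCRIPT_PATH install
ExecStop=$SCRIPT_PATH remove

[Install]
WantedBy=multi-user.target
EOF
}

# Sum the packet counters of NFQUEUE rules in `iptables -nvxL` output
# (-x prints exact counts instead of 12K-style abbreviations).
nfqueue_pkts() {  # $1 = captured listing
    printf '%s\n' "$1" | awk '$3 == "NFQUEUE" { n += $1 } END { print n + 0 }'
}

# Queued packets between two captures taken around one test connection.
# 0 means the rule never saw the traffic (rule/chain/bridge problem); a rising
# count with no connectivity points at the verdict side, i.e. snort itself.
queue_delta() {  # $1 = before, $2 = after
    echo $(( $(nfqueue_pkts "$2") - $(nfqueue_pkts "$1") ))
}

# Constructed sample captures (not real output from the thread's host).
SAMPLE_BEFORE='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 1 bypass'
SAMPLE_AFTER='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      42       5840 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0            NFQUEUE num 1 bypass'

case "${1:-}" in
    install) install_rules ;;
    remove)  remove_rules ;;
    unit)    gen_unit ;;
    *)       echo "sample queue delta: $(queue_delta "$SAMPLE_BEFORE" "$SAMPLE_AFTER")" ;;
esac
```

Usage on the host: copy the script to the assumed path, `./snort-nfq-rules.sh unit > /etc/systemd/system/snort-nfq.service`, then `systemctl enable snort-nfq`. For the counter check, save `iptables -t filter -nvxL` and `iptables -t nat -nvxL` to files before and after one test connection through the box and feed them to `queue_delta`; running snort in the foreground at the same time, as James suggests, shows whether the queued packets are being verdicted.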