[Snort-users] Snort Inline w/ NFQ doesn't work after reboot

James Lay jlay at ...13475...
Tue Nov 29 16:47:05 EST 2016


On 2016-11-29 14:28, J Green wrote:
> Of note, the Snort portion still detects events, and seems to work.
> 
> What does not work, is legitimate/permitted network access.  This
> leads me to believe that NFQ is the problem, and might not be loaded
> properly upon reboot?
> 
> On Tue, Nov 29, 2016 at 12:35 PM, J Green <corpengineer at ...11827...>
> wrote:
> 
>> Will try that.
>> 
>> One thing I noticed is that the nfnetlink modules (nfnetlink,
>> nfnetlink_log, nfnetlink_queue) were not loaded upon reboot.
>> 
>> I reinstalled them manually.  But it is still not working.
>> 
>> On Tue, Nov 29, 2016 at 12:23 PM, James Lay
>> <jlay at ...13475...> wrote:
>> 
>>> Best is to look like so:
>>> 
>>> sudo iptables -nvL
>>> sudo iptables -t nat -nvL
>>> 
>>> before and after testing...that should show you what packets went
>>> where.
>>> 
>>> James
>>> 
>>> On 2016-11-29 12:01, J Green wrote:
>>>> Will try that.  This seems like a firewall or NFQ issue.
>>>> 
>>>> Is there a way to get debug logging out of NFQ?
>>>> 
>>>> Thank you.
>>>> 
>>>> On Tue, Nov 29, 2016 at 10:51 AM, James Lay <jlay at ...13475...> wrote:
>>>> 
>>>>> On 2016-11-29 11:48, J Green wrote:
>>>>>> Upon reboot, I enter those (2) iptables commands manually, before running barnyard.
>>>>>> 
>>>>>> Still does not work.
>>>>>> 
>>>>>> Thank you.
>>>>>> 
>>>>>> On Tue, Nov 29, 2016 at 10:41 AM, James Lay <jlay at ...13475...> wrote:
>>>>>> 
>>>>>>> On 2016-11-29 11:31, J Green wrote:
>>>>>>>> Appreciate the response.  Firewalld/iptables is up.  Though the only rule I have in there is for access to the Barnyard web gui.
>>>>>>>> 
>>>>>>>> Thought that rules for inline were added as follows?
>>>>>>>> 
>>>>>>>> iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
>>>>>>>> iptables -I FORWARD -j NFQUEUE --queue-num 1
>>>>>>>> 
>>>>>>>> I did have this more granular, only allowing specific ports through the bridge, but opened it up for troubleshooting purposes.
>>>>>>>> 
>>>>>>>> All interfaces are up and respond to pings.  I know that I am missing something simple.
>>>>>>>> 
>>>>>>>> Thank you.
>>>>>>> 
>>>>>>> They are added, but once you reboot they are lost.  You'll need to either create a script to re-add them on boot or use iptables-save/iptables-restore commands.
>>>>>>> 
>>>>>>> James
>>>>>>> 
>>>>>>>> 
>>>>>>>> On Tue, Nov 29, 2016 at 9:25 AM, James Lay <jlay at ...13475...> wrote:
>>>>>>>> 
>>>>>>>>> On 2016-11-28 14:28, J Green wrote:
>>>>>>>>>> Compiled Snort 2.9.8.3 & DAQ, CentOS 7 (VM).
>>>>>>>>>> 
>>>>>>>>>> It works w/ NFQ inline.  However, if I reboot the VM, NFQ no longer seems to work.  I do not see anything in the logs, etc.
>>>>>>>>>> 
>>>>>>>>>> Here is how I am running Snort:
>>>>>>>>>> 
>>>>>>>>>> snort -Q --daq nfq --daq-var device=eth0 --daq-var queue=1 -c /etc/snort/snort.conf &
>>>>>>>>>> 
>>>>>>>>>> iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
>>>>>>>>>> iptables -I FORWARD -j NFQUEUE --queue-num 1
>>>>>>>>>> 
>>>>>>>>>> barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.us -w /var/log/snort/barnyard.waldo -g snort -u snort
>>>>>>>>>> 
>>>>>>>>>> Any input would be appreciated.
>>>>>>>>>> 
>>>>>>>>>> Thank you.

Could be...check your mods after reboot...in my experience those have 
been loaded automatically.

James
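The re-add-on-boot script James suggests, written out as an added example that is not part of the thread: it loads the nfnetlink modules the poster found missing after reboot, inserts the two NFQUEUE rules from the thread only when they are not already present, and audits an iptables-save dump for them so "did the rules survive the reboot?" becomes one command. Queue number 1 and the rule specs come from the thread; the script name, the subcommand names and the sample dump are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): make the NFQUEUE hand-off to Snort
# survive a reboot and audit that it is in place. Assumes iptables and
# modprobe on PATH and root privileges for the "apply" path.

QUEUE_NUM=1

# nfnetlink_queue (and its dependency nfnetlink) is what NFQUEUE needs;
# nfnetlink_log only serves NFLOG and is not required for the queue.
load_nfq_modules() {
    for m in nfnetlink nfnetlink_queue; do
        modprobe "$m" || return 1
    done
}

# Insert a rule only if it is absent (iptables -C probes for an existing match),
# so running this on every boot does not stack duplicate NFQUEUE rules.
ensure_rule() {   # $1 = table, remaining args = rule spec
    table=$1; shift
    iptables -t "$table" -C "$@" 2>/dev/null || iptables -t "$table" -I "$@"
}

apply_nfq_setup() {
    load_nfq_modules || return 1
    ensure_rule nat    PREROUTING -j NFQUEUE --queue-num "$QUEUE_NUM"
    ensure_rule filter FORWARD    -j NFQUEUE --queue-num "$QUEUE_NUM"
}

# Audit an iptables-save dump on stdin: exit 0 only when the nat/PREROUTING
# and filter/FORWARD NFQUEUE rules for QUEUE_NUM are both present.
check_nfq_rules() {
    awk -v q="$QUEUE_NUM" '
        /^\*/ { table = substr($0, 2) }
        table == "nat"    && $0 == "-A PREROUTING -j NFQUEUE --queue-num " q { nat = 1 }
        table == "filter" && $0 == "-A FORWARD -j NFQUEUE --queue-num " q    { fwd = 1 }
        END { exit (nat && fwd) ? 0 : 1 }'
}

# Constructed sample of iptables-save output (not captured from the poster's box).
SAMPLE_DUMP='*nat
-A PREROUTING -j NFQUEUE --queue-num 1
COMMIT
*filter
-A FORWARD -j NFQUEUE --queue-num 1
COMMIT'

case "${1:-}" in
    apply) apply_nfq_setup ;;
    check) check_nfq_rules ;;   # usage after reboot: iptables-save | sh nfq-boot.sh check
    demo)  printf '%s\n' "$SAMPLE_DUMP" | check_nfq_rules && echo "both NFQUEUE rules present" ;;
esac
```

Run it as `sh nfq-boot.sh apply` from a boot unit or rc.local, then `iptables-save | sh nfq-boot.sh check` after the next reboot; a non-zero exit means at least one of the two rules is missing.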
