[Snort-users] Snort Inline w/ NFQ doesn't work after reboot

J Green corpengineer at ...11827...
Tue Nov 29 17:14:08 EST 2016


Trying to figure out what modules are required for NFQ.  I added those (3)
manually, but I am probably missing others, which are less obvious.

Also, I was reading about the NFQ debug variable, but it errors out; I think I
have the syntax incorrect.



On Tue, Nov 29, 2016 at 1:47 PM, James Lay <jlay at ...13475...> wrote:

> On 2016-11-29 14:28, J Green wrote:
> > Of note, the Snort portion still detects events, and seems to work.
> >
> > What does not work, is legitimate/permitted network access.  This
> > leads me to believe that NFQ is the problem, and might not be loaded
> > properly upon reboot?
> >
> > On Tue, Nov 29, 2016 at 12:35 PM, J Green <corpengineer at ...11827...>
> > wrote:
> >
> >> Will try that.
> >>
> >> One thing I noticed is that the nfnetlink modules (nfnetlink,
> >> nfnetlink_log, nfnetlink_queue) were not loaded upon reboot.
> >>
> >> I reinstalled them manually.  But it is still not working.
> >>
> >> On Tue, Nov 29, 2016 at 12:23 PM, James Lay
> >> <jlay at ...13475...> wrote:
> >>
> >>> Best is to look like so:
> >>>
> >>> sudo iptables -nvL
> >>> sudo iptables -t nat -nvL
> >>>
> >>> before and after testing...that should show you what packets went
> >>> where.
> >>>
> >>> James
> >>>
> >>> On 2016-11-29 12:01, J Green wrote:
> >>>> Will try that.  This seems like a firewall or NFQ issue.
> >>>>
> >>>> Is there a way to get debug logging out of NFQ?
> >>>>
> >>>> Thank you.
> >>>>
> >>>> On Tue, Nov 29, 2016 at 10:51 AM, James Lay <jlay at ...13475...> wrote:
> >>>>
> >>>>> On 2016-11-29 11:48, J Green wrote:
> >>>>>> Upon reboot, I enter those (2) iptables commands manually, before
> >>>>>> running barnyard.
> >>>>>>
> >>>>>> Still does not work.
> >>>>>>
> >>>>>> Thank you.
> >>>>>>
> >>>>>> On Tue, Nov 29, 2016 at 10:41 AM, James Lay <jlay at ...13475...> wrote:
> >>>>>>
> >>>>>>> On 2016-11-29 11:31, J Green wrote:
> >>>>>>>> Appreciate the response.  Firewalld/iptables is up.  Though the only
> >>>>>>>> rule I have in there is for access to the Barnyard web gui.
> >>>>>>>>
> >>>>>>>> Thought that rules for inline were added as follows?
> >>>>>>>>
> >>>>>>>> iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
> >>>>>>>> iptables -I FORWARD -j NFQUEUE --queue-num 1
> >>>>>>>>
> >>>>>>>> I did have this more granular, only allowing specific ports through
> >>>>>>>> the bridge, but opened it up for troubleshooting purposes.
> >>>>>>>>
> >>>>>>>> All interfaces are up and respond to pings.  I know that I am
> >>>>>>>> missing something simple.
> >>>>>>>>
> >>>>>>>> Thank you.
> >>>>>>>
> >>>>>>> They are added, but once you reboot they are lost.  You'll need to
> >>>>>>> either create a script to re-add them on boot or use the
> >>>>>>> iptables-save/iptables-restore commands.
> >>>>>>>
> >>>>>>> James
> >>>>>>>
> >>>>>>>>
> >>>>>>>> On Tue, Nov 29, 2016 at 9:25 AM, James Lay <jlay at ...13475...> wrote:
> >>>>>>>>
> >>>>>>>>> On 2016-11-28 14:28, J Green wrote:
> >>>>>>>>>> Compiled Snort 2.9.8.3 & DAQ, CentOS 7 (VM).
> >>>>>>>>>>
> >>>>>>>>>> It works w/ NFQ inline.  However, if I reboot the VM, NFQ no longer
> >>>>>>>>>> seems to work.  I do not see anything in the logs, etc.
> >>>>>>>>>>
> >>>>>>>>>> Here is how I am running Snort:
> >>>>>>>>>>
> >>>>>>>>>> snort -Q --daq nfq --daq-var device=eth0 --daq-var queue=1 -c /etc/snort/snort.conf &
> >>>>>>>>>>
> >>>>>>>>>> iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
> >>>>>>>>>> iptables -I FORWARD -j NFQUEUE --queue-num 1
> >>>>>>>>>>
> >>>>>>>>>> barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.us -w /var/log/snort/barnyard.waldo -g snort -u snort
> >>>>>>>>>>
> >>>>>>>>>> Any input would be appreciated.
> >>>>>>>>>>
> >>>>>>>>>> Thank you.
>
> Could be...check your mods after reboot...in my experience those have
> been loaded automatically.
>
> James
>
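One way to make both of the thread's fixes survive a reboot (the nfnetlink modules not being loaded, and the two NFQUEUE rules being lost) is a small boot-time script that checks before it changes anything. This is an added example, not code from either poster; it assumes a POSIX shell with iptables and modprobe in PATH, root for the apply step, and uses the queue number, module names and rules exactly as they appear in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: make the NFQ setup survive a reboot by
# loading the nfnetlink modules and re-adding the two NFQUEUE rules
# idempotently. Queue number, modules and rules are the ones in the thread.
# Assumes a POSIX shell, iptables/modprobe in PATH, and root for apply_nfq.

NFQ_NUM="${NFQ_NUM:-1}"
NFQ_MODULES="nfnetlink nfnetlink_queue nfnetlink_log"

# The rules typed by hand after each reboot, as "table chain rule-spec".
nfq_rules() {
    printf '%s\n' \
        "nat PREROUTING -j NFQUEUE --queue-num $NFQ_NUM" \
        "filter FORWARD -j NFQUEUE --queue-num $NFQ_NUM"
}

# Print the modules from NFQ_MODULES that do not appear in a /proc/modules
# listing read from stdin (pure text, so it can be checked offline).
missing_modules() {
    loaded=$(cut -d' ' -f1)
    for m in $NFQ_MODULES; do
        printf '%s\n' "$loaded" | grep -qx "$m" || printf '%s\n' "$m"
    done
}

# Load whatever is missing, then insert each rule only if iptables -C says
# it is absent, so running this twice does not stack duplicate rules.
apply_nfq() {
    missing_modules < /proc/modules | while read -r m; do
        modprobe "$m"
    done
    nfq_rules | while read -r table chain spec; do
        # $spec is intentionally unquoted: it is a list of iptables arguments
        iptables -t "$table" -C "$chain" $spec 2>/dev/null ||
            iptables -t "$table" -I "$chain" $spec
    done
}

if [ "${1:-}" = "apply" ]; then
    apply_nfq
fi
```

Without --queue-bypass on the NFQUEUE target, packets queued while no program is bound to the queue are dropped, so order the boot sequence to start Snort before applying these rules.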