[Snort-users] Snort Inline w/ NFQ doesn't work after reboot

J Green corpengineer at ...11827...
Tue Nov 29 21:56:37 EST 2016


Got it.

In addition to the modules, IP forwarding w/ sysctl does not survive
reboots.

Thank you for all the help
On Nov 29, 2016 2:14 PM, "J Green" <corpengineer at ...11827...> wrote:

> Trying to figure out what modules are required for NFQ.  I added those (3)
> manually, but I am probably missing others, which are less obvious.
>
> Also, I was reading about the NFQ debug variable, but it errors out; I think I
> have the syntax incorrect.
>
>
>
> On Tue, Nov 29, 2016 at 1:47 PM, James Lay <jlay at ...13475...>
> wrote:
>
>> On 2016-11-29 14:28, J Green wrote:
>> > Of note, the Snort portion still detects events, and seems to work.
>> >
>> > What does not work is legitimate/permitted network access.  This
>> > leads me to believe that NFQ is the problem, and might not be loaded
>> > properly upon reboot?
>> >
>> > On Tue, Nov 29, 2016 at 12:35 PM, J Green <corpengineer at ...11827...>
>> > wrote:
>> >
>> >> Will try that.
>> >>
>> >> One thing I noticed is that the nfnetlink modules (nfnetlink,
>> >> nfnetlink_log, nfnetlink_queue) were not loaded upon reboot.
>> >>
>> >> I reinstalled them manually.  But it is still not working.
>> >>
>> >> On Tue, Nov 29, 2016 at 12:23 PM, James Lay
>> >> <jlay at ...13475...> wrote:
>> >>
>> >>> Best is to look like so:
>> >>>
>> >>> sudo iptables -nvL
>> >>> sudo iptables -t nat -nvL
>> >>>
>> >>> before and after testing...that should show you what packets went
>> >>> where.
>> >>>
>> >>> James
>> >>>
>> >>> On 2016-11-29 12:01, J Green wrote:
>> >>>> Will try that.  This seems like a firewall or NFQ issue.
>> >>>>
>> >>>> Is there a way to get debug logging out of NFQ?
>> >>>>
>> >>>> Thank you.
>> >>>>
>> >>>> On Tue, Nov 29, 2016 at 10:51 AM, James Lay <jlay at ...13475...>
>> >>>> wrote:
>> >>>>
>> >>>>> On 2016-11-29 11:48, J Green wrote:
>> >>>>>> Upon reboot, I enter those (2) iptables commands manually, before
>> >>>>>> running barnyard.
>> >>>>>>
>> >>>>>> Still does not work.
>> >>>>>>
>> >>>>>> Thank you.
>> >>>>>>
>> >>>>>> On Tue, Nov 29, 2016 at 10:41 AM, James Lay <jlay at ...13475...>
>> >>>>>> wrote:
>> >>>>>>
>> >>>>>>> On 2016-11-29 11:31, J Green wrote:
>> >>>>>>>> Appreciate the response.  Firewalld/iptables is up.  Though the
>> >>>>>>>> only rule I have in there is for access to the Barnyard web gui.
>> >>>>>>>>
>> >>>>>>>> Thought that rules for inline were added as follows?
>> >>>>>>>>
>> >>>>>>>> iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
>> >>>>>>>> iptables -I FORWARD -j NFQUEUE --queue-num 1
>> >>>>>>>>
>> >>>>>>>> I did have this more granular, only allowing specific ports
>> >>>>>>>> through the bridge, but opened it up for troubleshooting purposes.
>> >>>>>>>>
>> >>>>>>>> All interfaces are up and respond to pings.  I know that I am
>> >>>>>>>> missing something simple.
>> >>>>>>>>
>> >>>>>>>> Thank you.
>> >>>>>>>
>> >>>>>>> They are added, but once you reboot they are lost.  You'll need
>> >>>>>>> to either create a script to re-add them on boot or use the
>> >>>>>>> iptables-save/iptables-restore commands.
>> >>>>>>>
>> >>>>>>> James
>> >>>>>>>
>> >>>>>>>>
>> >>>>>>>> On Tue, Nov 29, 2016 at 9:25 AM, James Lay <jlay at ...13475...>
>> >>>>>>>> wrote:
>> >>>>>>>>
>> >>>>>>>>> On 2016-11-28 14:28, J Green wrote:
>> >>>>>>>>>> Compiled Snort 2.9.8.3 & DAQ, CentOS 7 (VM).
>> >>>>>>>>>>
>> >>>>>>>>>> It works w/ NFQ inline.  However, if I reboot the VM, NFQ no
>> >>>>>>>>>> longer seems to work.  I do not see anything in the logs, etc.
>> >>>>>>>>>>
>> >>>>>>>>>> Here is how I am running Snort:
>> >>>>>>>>>>
>> >>>>>>>>>> snort -Q --daq nfq --daq-var device=eth0 --daq-var queue=1 -c
>> >>>>>>>>>> /etc/snort/snort.conf &
>> >>>>>>>>>>
>> >>>>>>>>>> iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
>> >>>>>>>>>> iptables -I FORWARD -j NFQUEUE --queue-num 1
>> >>>>>>>>>>
>> >>>>>>>>>> barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f
>> >>>>>>>>>> snort.us -w /var/log/snort/barnyard.waldo -g snort -u snort
>> >>>>>>>>>>
>> >>>>>>>>>> Any input would be appreciated.
>> >>>>>>>>>>
>> >>>>>>>>>> Thank you.
>>
>> Could be...check your mods after reboot...in my experience those have
>> been loaded automatically.
>>
>> James
>>
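The three things this thread found missing after the reboot (the nfnetlink modules, IP forwarding, and the two NFQUEUE rules) can be verified with a small script before starting Snort. This is an added example, not code from the thread or from the Snort/DAQ project; the function names are hypothetical, the queue number 1 is taken from the commands quoted above, and the lsmod/iptables-save snapshot at the bottom is constructed.

```shell
#!/bin/sh
# Post-reboot readiness check for Snort inline with the NFQ DAQ: verifies the
# three things this thread found missing after a reboot (nfnetlink modules,
# net.ipv4.ip_forward, the two NFQUEUE rules). Checks take captured command
# output as arguments, so they work on a saved snapshot or on the live box.
QUEUE_NUM=1                               # matches --daq-var queue=1 above
REQUIRED_MODS="nfnetlink nfnetlink_queue" # nfnetlink_log serves NFLOG, not NFQUEUE
# check_modules LSMOD_OUTPUT: fail and name every required module not listed
check_modules() {
    missing=""
    for m in $REQUIRED_MODS; do
        printf '%s\n' "$1" | awk -v m="$m" '$1 == m { f = 1 } END { exit !f }' \
            || missing="$missing $m"
    done
    [ -z "$missing" ] || { echo "missing modules:$missing"; return 1; }
}

# check_forwarding VALUE: content of /proc/sys/net/ipv4/ip_forward must be 1
check_forwarding() {
    [ "$1" = "1" ] || { echo "net.ipv4.ip_forward is '$1', expected 1"; return 1; }
}

# check_rules IPTABLES_SAVE_OUTPUT: FORWARD and nat PREROUTING must both send
# traffic to NFQUEUE for exactly QUEUE_NUM (queue 10 must not satisfy queue 1)
check_rules() {
    rc=0
    for chain in FORWARD PREROUTING; do
        printf '%s\n' "$1" | grep -qE "^-A $chain .*-j NFQUEUE --queue-num $QUEUE_NUM( |$)" \
            || { echo "$chain NFQUEUE rule for queue $QUEUE_NUM missing"; rc=1; }
    done
    return $rc
}

# inline_ready LSMOD IPFWD IPTSAVE: succeeds only when all three checks pass
inline_ready() {
    rc=0
    check_modules "$1" || rc=1
    check_forwarding "$2" || rc=1
    check_rules "$3" || rc=1
    return $rc
}
# Constructed snapshot of a freshly rebooted box: modules and rules are gone.
SAMPLE_LSMOD="Module                  Size  Used by
bridge                 16384  0"
SAMPLE_RULES="*filter
COMMIT"
inline_ready "$SAMPLE_LSMOD" 0 "$SAMPLE_RULES" || echo "not ready for snort -Q --daq nfq"
# Live use (as root):
#   inline_ready "$(lsmod)" "$(cat /proc/sys/net/ipv4/ip_forward)" "$(iptables-save)"
```

On CentOS 7 the persistent homes for these settings are /etc/modules-load.d/ for the modules, /etc/sysctl.d/ for net.ipv4.ip_forward, and (with the iptables-services package) /etc/sysconfig/iptables, which holds iptables-save output that is restored at boot.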