[Snort-users] Snort Inline w/ NFQ doesn't work after reboot

James Lay jlay at ...13475...
Wed Nov 30 05:51:03 EST 2016


Excellent work!
James
On Tue, 2016-11-29 at 18:56 -0800, J Green wrote:
> Got it. 
> In addition to the modules, IP forwarding w/ sysctl does not survive
> reboots.
> Thank you for all the help
> On Nov 29, 2016 2:14 PM, "J Green" <corpengineer at ...11827...> wrote:
> > Trying to figure out what modules are required for NFQ.  I added those
> > (3) manually, but I am probably missing others, which are less
> > obvious.
> > 
> > Also, was reading about NFQ debug variable, but it errors out,
> > think I have the syntax incorrect.
> > 
> > 
> > 
> > On Tue, Nov 29, 2016 at 1:47 PM, James Lay 
> > t> wrote:
> > > On 2016-11-29 14:28, J Green wrote:
> > > > Of note, the Snort portion still detects events, and seems to work.
> > > >
> > > > What does not work is legitimate/permitted network access. This
> > > > leads me to believe that NFQ is the problem, and might not be
> > > > loaded properly upon reboot?
> > > >
> > > > On Tue, Nov 29, 2016 at 12:35 PM, J Green 
> > > om>
> > > > wrote:
> > > >
> > > >> Will try that.
> > > >>
> > > >> One thing I noticed is that the nfnetlink modules (nfnetlink,
> > > >> nfnetlink_log, nfnetlink_queue) were not loaded upon reboot.
> > > >>
> > > >> I reinstalled them manually.  But it is still not working.
> > > >>
> > > >> On Tue, Nov 29, 2016 at 12:23 PM, James Lay
> > > >> <jlay at ...13475...> wrote:
> > > >>
> > > >>> Best is to look like so:
> > > >>>
> > > >>> sudo iptables -nvL
> > > >>> sudo iptables -t nat -nvL
> > > >>>
> > > >>> before and after testing...that should show you what packets
> > > >>> went where.
> > > >>>
> > > >>> James
> > > >>>
> > > >>> On 2016-11-29 12:01, J Green wrote:
> > > >>>> Will try that.  This seems like a firewall or NFQ issue.
> > > >>>>
> > > >>>> Is there a way to get debug logging out of NFQ?
> > > >>>>
> > > >>>> Thank you.
> > > >>>>
> > > >>>> On Tue, Nov 29, 2016 at 10:51 AM, James Lay
> > > >>> <jlay at ...13475...>
> > > >>>> wrote:
> > > >>>>
> > > >>>>> On 2016-11-29 11:48, J Green wrote:
> > > >>>>>> Upon reboot, I enter those (2) iptables commands manually,
> > > >>>>>> before running barnyard.
> > > >>>>>>
> > > >>>>>> Still does not work.
> > > >>>>>>
> > > >>>>>> Thank you.
> > > >>>>>>
> > > >>>>>> On Tue, Nov 29, 2016 at 10:41 AM, James Lay
> > > >>>>> <jlay at ...13475...>
> > > >>>>>> wrote:
> > > >>>>>>
> > > >>>>>>> On 2016-11-29 11:31, J Green wrote:
> > > >>>>>>>> Appreciate the response.  Firewalld/iptables is up.
> > > >>>>>>>> Though the only rule I have in there is for access to the
> > > >>>>>>>> Barnyard web gui.
> > > >>>>>>>>
> > > >>>>>>>> Thought that rules for inline were added as follows?
> > > >>>>>>>>
> > > >>>>>>>> iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
> > > >>>>>>>> iptables -I FORWARD -j NFQUEUE --queue-num 1
> > > >>>>>>>>
> > > >>>>>>>> I did have this more granular, only allowing specific
> > > >>>>>>>> ports through the bridge, but opened it up for
> > > >>>>>>>> troubleshooting purposes.
> > > >>>>>>>>
> > > >>>>>>>> All interfaces are up and respond to pings.  I know that
> > > >>>>>>>> I am missing something simple.
> > > >>>>>>>>
> > > >>>>>>>> Thank you.
> > > >>>>>>>
> > > >>>>>>> They are added, but once you reboot they are lost.
> > > >>>>>>> You'll need to either create a script to re-add them on
> > > >>>>>>> boot or use the iptables-save/iptables-restore commands.
> > > >>>>>>>
> > > >>>>>>> James
> > > >>>>>>>
> > > >>>>>>>>
> > > >>>>>>>> On Tue, Nov 29, 2016 at 9:25 AM, James Lay
> > > >>>>>>> <jlay at ...13475...>
> > > >>>>>>>> wrote:
> > > >>>>>>>>
> > > >>>>>>>>> On 2016-11-28 14:28, J Green wrote:
> > > >>>>>>>>>> Compiled Snort 2.9.8.3 & DAQ, CentOS 7 (VM).
> > > >>>>>>>>>>
> > > >>>>>>>>>> It works w/ NFQ inline.  However, if I reboot the VM,
> > > >>>>>>>>>> NFQ no longer seems to work.  I do not see anything in
> > > >>>>>>>>>> the logs, etc.
> > > >>>>>>>>>>
> > > >>>>>>>>>> Here is how I am running Snort:
> > > >>>>>>>>>>
> > > >>>>>>>>>> snort -Q --daq nfq --daq-var device=eth0 --daq-var queue=1 -c /etc/snort/snort.conf &
> > > >>>>>>>>>>
> > > >>>>>>>>>> iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
> > > >>>>>>>>>> iptables -I FORWARD -j NFQUEUE --queue-num 1
> > > >>>>>>>>>>
> > > >>>>>>>>>> barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.us -w /var/log/snort/barnyard.waldo -g snort -u snort
> > > >>>>>>>>>>
> > > >>>>>>>>>> Any input would be appreciated.
> > > >>>>>>>>>>
> > > >>>>>>>>>> Thank you.
> > > 
> > > Could be...check your mods after reboot...in my experience those
> > > have been loaded automatically.
> > > 
> > > James
> > > 
> > 
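The thread ends up identifying three things that were lost after the reboot: the nfnetlink kernel modules, IP forwarding, and the two NFQUEUE iptables rules. The script below is an added example, not code from the thread or from Snort: a post-reboot check that reports which of those three is missing. It assumes queue number 1 and the module names from the thread (nfnetlink_log is not needed by the NFQUEUE target, so it is left out of the list), and each check takes its input as text so it can also be run against constructed sample output.

```shell
#!/bin/sh
# Added example (not from the thread): post-reboot check for the three things
# this thread found do not survive a reboot on CentOS 7: the nfnetlink modules,
# net.ipv4.ip_forward, and the two NFQUEUE rules. Each check takes its input as
# text so it runs on live output or on constructed samples. Queue number 1 and
# the module names come from the thread (nfnetlink_log is not needed by NFQUEUE).
QUEUE_NUM=1
NFQ_MODULES="nfnetlink nfnetlink_queue"

# $1: output of `lsmod`. Persist the modules via /etc/modules-load.d/.
check_modules() {
    missing=""
    for m in $NFQ_MODULES; do
        printf '%s\n' "$1" | awk -v m="$m" '$1 == m {f=1} END {exit !f}' \
            || missing="$missing $m"
    done
    [ -z "$missing" ] && return 0
    printf 'missing kernel modules:%s\n' "$missing"
    return 1
}

# $1: contents of /proc/sys/net/ipv4/ip_forward. Persist via /etc/sysctl.d/.
check_forwarding() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ] && return 0
    printf 'net.ipv4.ip_forward is not 1\n'
    return 1
}

# $1: `iptables -t nat -S` output, $2: `iptables -S` output. Persist the rules
# with iptables-save/iptables-restore or a boot script, as advised in the thread.
check_rules() {
    rc=0
    printf '%s\n' "$1" | grep -qE -- "^-A PREROUTING .*-j NFQUEUE --queue-num $QUEUE_NUM( |\$)" \
        || { printf 'nat/PREROUTING NFQUEUE rule for queue %s missing\n' "$QUEUE_NUM"; rc=1; }
    printf '%s\n' "$2" | grep -qE -- "^-A FORWARD .*-j NFQUEUE --queue-num $QUEUE_NUM( |\$)" \
        || { printf 'filter/FORWARD NFQUEUE rule for queue %s missing\n' "$QUEUE_NUM"; rc=1; }
    return $rc
}
# All three checks against the live system (iptables needs root); non-zero
# exit status means something the inline path depends on is missing.
check_live() {
    rc=0
    check_modules "$(lsmod)" || rc=1
    check_forwarding "$(cat /proc/sys/net/ipv4/ip_forward)" || rc=1
    check_rules "$(iptables -t nat -S)" "$(iptables -S)" || rc=1
    return $rc
}
# Run with --live to check this host; otherwise only the functions are defined.
if [ "${1:-}" = "--live" ]; then check_live; fi
```

A non-zero exit from the live run is a quick way to tell, before touching Snort, whether the box came back up with its inline path intact.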