Snort mailing list archives
Re: Snort Inline w/ NFQ doesn't work after reboot
From: J Green <corpengineer () gmail com>
Date: Tue, 29 Nov 2016 18:56:37 -0800
Got it. In addition to the modules, IP forwarding w/ sysctl does not survive reboots. Thank you for all the help.

On Nov 29, 2016 2:14 PM, "J Green" <corpengineer () gmail com> wrote:

Trying to figure out what modules are required for NFQ. I added those (3) manually, but I am probably missing others, which are less obvious. Also, was reading about the NFQ debug variable, but it errors out; think I have the syntax incorrect.

On Tue, Nov 29, 2016 at 1:47 PM, James Lay <jlay () slave-tothe-box net> wrote:

On 2016-11-29 14:28, J Green wrote:

Of note, the Snort portion still detects events, and seems to work. What does not work is legitimate/permitted network access. This leads me to believe that NFQ is the problem, and might not be loaded properly upon reboot?

On Tue, Nov 29, 2016 at 12:35 PM, J Green <corpengineer () gmail com> wrote:

Will try that. One thing I noticed is that the nfnetlink modules (nfnetlink, nfnetlink_log, nfnetlink_queue) were not loaded upon reboot. I reinstalled them manually. But it is still not working.

On Tue, Nov 29, 2016 at 12:23 PM, James Lay <jlay () slave-tothe-box net> wrote:

Best is to look like so:

sudo iptables -nvL
sudo iptables -t nat -nvL

before and after testing...that should show you what packets went where.

James

On 2016-11-29 12:01, J Green wrote:

Will try that. This seems like a firewall or NFQ issue. Is there a way to get debug logging out of NFQ? Thank you.

On Tue, Nov 29, 2016 at 10:51 AM, James Lay <jlay () slave-tothe-box net> wrote:

On 2016-11-29 11:48, J Green wrote:

Upon reboot, I enter those (2) iptables commands manually, before running barnyard. Still does not work. Thank you.

On Tue, Nov 29, 2016 at 10:41 AM, James Lay <jlay () slave-tothe-box net> wrote:

On 2016-11-29 11:31, J Green wrote:

Appreciate the response. Firewalld/iptables is up. Though the only rule I have in there is for access to the Barnyard web gui. Thought that rules for inline were added as follows?

iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
iptables -I FORWARD -j NFQUEUE --queue-num 1

I did have this more granular, only allowing specific ports through the bridge, but opened it up for troubleshooting purposes. All interfaces are up and respond to pings. I know that I am missing something simple. Thank you.

They are added, but once you reboot they are lost. You'll need to either create a script to re-add them on boot or use the iptables-save/iptables-restore commands.

James

On Tue, Nov 29, 2016 at 9:25 AM, James Lay <jlay () slave-tothe-box net> wrote:

On 2016-11-28 14:28, J Green wrote:

Compiled Snort 2.9.8.3 & DAQ, CentOS 7 (VM). It works w/ NFQ inline. However, if I reboot the VM, NFQ no longer seems to work. I do not see anything in the logs, etc. Here is how I am running Snort:

snort -Q --daq nfq --daq-var device=eth0 --daq-var queue=1 -c /etc/snort/snort.conf &
iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
iptables -I FORWARD -j NFQUEUE --queue-num 1
barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.us -w /var/log/snort/barnyard.waldo -g snort -u snort

Any input would be appreciated. Thank you.

Could be...check your mods after reboot...in my experience those have been loaded automatically.

James

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
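The thread ends up with three separate things that have to survive a reboot before NFQ inline works again: the nfnetlink modules, net.ipv4.ip_forward, and the two NFQUEUE rules. The script below persists all three and gives a post-reboot check. It is an added example written for this archive page, not code from the thread, from Snort, or from the DAQ project. It assumes CentOS 7 with the iptables-services package (so iptables.service restores /etc/sysconfig/iptables at boot) and firewalld disabled, since both must not manage the same rule set; queue number 1 as in the thread; the install-prefix argument, the FAIL_OPEN switch and the file names under /etc are this script's own conventions.

```shell
#!/bin/sh
# Persist everything Snort's NFQ inline mode needs across a reboot on CentOS 7:
#   - the nfnetlink modules        -> /etc/modules-load.d/snort-nfq.conf
#   - net.ipv4.ip_forward = 1      -> /etc/sysctl.d/99-snort-nfq.conf
#   - the two NFQUEUE rules        -> /etc/sysconfig/iptables (iptables-save format,
#                                     restored at boot by iptables.service)
# Assumptions of this example (not from the thread): queue number 1,
# iptables-services installed, firewalld disabled. The install prefix and the
# FAIL_OPEN switch are this script's own conventions.

QUEUE_NUM="${QUEUE_NUM:-1}"
FAIL_OPEN="${FAIL_OPEN:-0}"   # 1 adds --queue-bypass: accept packets while nothing is bound to the queue

# systemd-modules-load reads one module name per line from this file at boot.
render_modules_conf() {
    printf '%s\n' nfnetlink nfnetlink_queue nfnetlink_log
}

# systemd-sysctl applies this at boot; a bare `sysctl -w` is lost on reboot.
render_sysctl_conf() {
    printf 'net.ipv4.ip_forward = 1\n'
}

# The same two rules the thread inserts by hand, in the format iptables-restore reads.
# Without --queue-bypass, NFQUEUE drops packets while no listener (Snort) is bound,
# so a box whose rules come up before Snort fails closed until Snort starts.
render_iptables_rules() {
    bypass=""
    if [ "$FAIL_OPEN" = "1" ]; then bypass=" --queue-bypass"; fi
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -j NFQUEUE --queue-num ${QUEUE_NUM}${bypass}
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -j NFQUEUE --queue-num ${QUEUE_NUM}${bypass}
COMMIT
EOF
}

# Write the three files under an install prefix ("/" for the real box, a temp
# directory for a dry run). This overwrites /etc/sysconfig/iptables, so merge by
# hand if other rules live there (e.g. the Barnyard web GUI rule from the thread).
install_persistence() {
    root="${1:-/}"
    mkdir -p "$root/etc/modules-load.d" "$root/etc/sysctl.d" "$root/etc/sysconfig"
    render_modules_conf   > "$root/etc/modules-load.d/snort-nfq.conf"
    render_sysctl_conf    > "$root/etc/sysctl.d/99-snort-nfq.conf"
    render_iptables_rules > "$root/etc/sysconfig/iptables"
}

# Pure text check: given lsmod output, the ip_forward value and `iptables -S`
# output (filter and nat), print what is missing and return 1 if anything is.
check_state() {
    mods="$1"; fwd="$2"; rules="$3"; rc=0
    for m in nfnetlink nfnetlink_queue; do
        printf '%s\n' "$mods" | grep -q "^$m " || { echo "missing module: $m"; rc=1; }
    done
    [ "$fwd" = "1" ] || { echo "net.ipv4.ip_forward is '$fwd', expected 1"; rc=1; }
    for chain in FORWARD PREROUTING; do
        printf '%s\n' "$rules" | grep -q -- "^-A $chain -j NFQUEUE --queue-num $QUEUE_NUM" \
            || { echo "missing NFQUEUE rule in $chain"; rc=1; }
    done
    return $rc
}

# Run on the live box after a reboot, before starting Snort.
check_runtime() {
    check_state "$(lsmod)" "$(cat /proc/sys/net/ipv4/ip_forward)" \
                "$(iptables -S; iptables -t nat -S)"
}

case "${1:-}" in
    install) install_persistence "${2:-/}" ;;
    check)   check_runtime ;;
esac
```

Saved as, say, snort-nfq-persist.sh (a name chosen for this example), `sh snort-nfq-persist.sh install` writes the files once; then `systemctl enable iptables`, and to apply without rebooting, `modprobe nfnetlink_queue`, `sysctl --system` and `systemctl restart iptables`. After the next reboot, `sh snort-nfq-persist.sh check` names whichever of the three pieces is still missing, which is the question the thread spent a day narrowing down by hand. Leave FAIL_OPEN at 0 if the box must not pass traffic uninspected; set it to 1 if an outage while Snort is down is worse than a gap in inspection. Either way, James's `iptables -nvL` / `iptables -t nat -nvL` before and after a test still tells you whether packets are actually hitting the NFQUEUE rules.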
Current thread:
- Re: Snort Inline w/ NFQ doesn't work after reboot, (continued)
- Re: Snort Inline w/ NFQ doesn't work after reboot J Green (Nov 29)
- Re: Snort Inline w/ NFQ doesn't work after reboot James Lay (Nov 29)
- Re: Snort Inline w/ NFQ doesn't work after reboot J Green (Nov 29)
- Re: Snort Inline w/ NFQ doesn't work after reboot James Lay (Nov 29)
- Re: Snort Inline w/ NFQ doesn't work after reboot J Green (Nov 29)
- Re: Snort Inline w/ NFQ doesn't work after reboot James Lay (Nov 29)
- Re: Snort Inline w/ NFQ doesn't work after reboot J Green (Nov 29)
- Re: Snort Inline w/ NFQ doesn't work after reboot J Green (Nov 29)
- Re: Snort Inline w/ NFQ doesn't work after reboot James Lay (Nov 29)
- Re: Snort Inline w/ NFQ doesn't work after reboot J Green (Nov 29)
- Re: Snort Inline w/ NFQ doesn't work after reboot J Green (Nov 29)
- Re: Snort Inline w/ NFQ doesn't work after reboot James Lay (Nov 30)
- Re: Snort Inline w/ NFQ doesn't work after reboot J Green (Nov 29)