Snort mailing list archives
Re: Snort Inline w/ NFQ doesn't work after reboot
From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 29 Nov 2016 11:51:43 -0700
On 2016-11-29 11:48, J Green wrote:
> Upon reboot, I enter those (2) iptables commands manually, before running barnyard. Still does not work.
>
> Thank you.
>
> On Tue, Nov 29, 2016 at 10:41 AM, James Lay <jlay () slave-tothe-box net> wrote:
>> On 2016-11-29 11:31, J Green wrote:
>>> Appreciate the response. Firewalld/iptables is up. Though the only rule I have in there is for access to the Barnyard web gui. Thought that rules for inline were added as follows?
>>>
>>> iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
>>> iptables -I FORWARD -j NFQUEUE --queue-num 1
>>>
>>> I did have this more granular, only allowing specific ports through the bridge, but opened it up for troubleshooting purposes. All interfaces are up and respond to pings. I know that I am missing something simple.
>>>
>>> Thank you.
>>
>> They are added, but once you reboot they are lost. You'll need to either create a script to readd them on boot or use iptables-save/iptables-restore commands.
>>
>> James
>>
>>> On Tue, Nov 29, 2016 at 9:25 AM, James Lay <jlay () slave-tothe-box net> wrote:
>>>> On 2016-11-28 14:28, J Green wrote:
>>>>> Compiled Snort 2.9.8.3 & DAQ, CentOS 7 (VM). It works w/ NFQ inline. However, if I reboot the VM, NFQ no longer seems to work. I do not see anything in the logs, etc. Here is how I am running Snort:
>>>>>
>>>>> snort -Q --daq nfq --daq-var device=eth0 --daq-var queue=1 -c /etc/snort/snort.conf &
>>>>> iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
>>>>> iptables -I FORWARD -j NFQUEUE --queue-num 1
>>>>> barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.us -w /var/log/snort/barnyard.waldo -g snort -u snort
>>>>>
>>>>> Any input would be appreciated. Thank you.
>>>>>
>>>>> _______________________________________________
>>>>> Snort-users mailing list
>>>>> Snort-users () lists sourceforge net
>>>>> Go to this URL to change user options or unsubscribe:
>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>> Snort-users list archive:
>>>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>>>>
>>>> Make sure your IP tables rules are reapplied on reboot.
>>>>
>>>> James

Sounds like you'll want to not run snort in the background for testing...if it was me I'd packet capture as well.

James
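
An added example, not written by anyone in this thread: a shell diagnostic for the two conditions discussed above, namely whether the two NFQUEUE rules from the thread are actually loaded and whether a process is bound to queue 1. The function names and the sample ruleset are constructed for illustration; the rule text and queue number come from the messages above.

```bash
#!/usr/bin/env bash
# has_nfqueue_rule TABLE CHAIN QUEUE: reads `iptables-save` output on stdin and
# succeeds if TABLE/CHAIN holds a "-j NFQUEUE --queue-num QUEUE" rule.
has_nfqueue_rule() {
    awk -v table="$1" -v chain="$2" -v queue="$3" '
        /^\*/ { cur = substr($0, 2); next }      # "*nat" / "*filter" opens a table
        cur == table && $1 == "-A" && $2 == chain {
            t = 0; q = 0
            for (i = 3; i < NF; i++) {
                if ($i == "-j" && $(i + 1) == "NFQUEUE") t = 1
                if ($i == "--queue-num" && $(i + 1) == queue) q = 1
            }
            if (t && q) found = 1
        }
        END { exit !found }'
}

# queue_has_listener QUEUE FILE: FILE has the layout of
# /proc/net/netfilter/nfnetlink_queue (column 1 = queue number, column 2 = port
# id of the bound process). A queue nobody is bound to does not appear at all.
queue_has_listener() {
    awk -v queue="$1" '$1 == queue && $2 > 0 { found = 1 } END { exit !found }' "$2"
}

# check_inline RULES_FILE QUEUE_FILE QUEUE: prints one line per missing piece
# and returns the number of problems (0 = both rules loaded, listener attached).
check_inline() {
    local problems=0
    has_nfqueue_rule nat PREROUTING "$3" < "$1" ||
        { echo "missing: nat/PREROUTING -> NFQUEUE $3"; problems=$((problems + 1)); }
    has_nfqueue_rule filter FORWARD "$3" < "$1" ||
        { echo "missing: filter/FORWARD -> NFQUEUE $3"; problems=$((problems + 1)); }
    queue_has_listener "$3" "$2" ||
        { echo "missing: no process bound to queue $3"; problems=$((problems + 1)); }
    return "$problems"
}

# Constructed sample: a ruleset in which only the FORWARD rule was re-added.
sample_rules() {
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' 'COMMIT' \
        '*filter' ':FORWARD ACCEPT [0:0]' \
        '-A FORWARD -j NFQUEUE --queue-num 1' 'COMMIT'
}

# Live use (as root): iptables-save > rules.txt
#   check_inline rules.txt /proc/net/netfilter/nfnetlink_queue 1
```

The listener check matters because a packet sent to an NFQUEUE with no program attached is dropped unless the rule carries `--queue-bypass`, so rules that are present while Snort is not bound to the queue will still break forwarding.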