Snort mailing list archives

Re: Snort Inline w/ NFQ doesn't work after reboot


From: J Green <corpengineer () gmail com>
Date: Tue, 29 Nov 2016 12:35:04 -0800

Will try that.

One thing I noticed is that the nfnetlink modules (nfnetlink,
nfnetlink_log, nfnetlink_queue) were not loaded upon reboot.

I reinstalled them manually.  But it is still not working.



On Tue, Nov 29, 2016 at 12:23 PM, James Lay <jlay () slave-tothe-box net> wrote:

Best is to look like so:

sudo iptables -nvL
sudo iptables -t nat -nvL

before and after testing...that should show you what packets went where.

James

On 2016-11-29 12:01, J Green wrote:
Will try that.  This seems like a firewall or NFQ issue.

Is there a way to get debug logging out of NFQ?

Thank you.

On Tue, Nov 29, 2016 at 10:51 AM, James Lay <jlay () slave-tothe-box net> wrote:

On 2016-11-29 11:48, J Green wrote:
Upon reboot, I enter those (2) iptables commands manually, before
running barnyard.

Still does not work.

Thank you.

On Tue, Nov 29, 2016 at 10:41 AM, James Lay <jlay () slave-tothe-box net> wrote:

On 2016-11-29 11:31, J Green wrote:
Appreciate the response.  Firewalld/iptables is up.  Though the only rule I have in there is for access to the Barnyard web gui.

Thought that rules for inline were added as follows?

iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
iptables -I FORWARD -j NFQUEUE --queue-num 1

I did have this more granular, only allowing specific ports through the bridge, but opened it up for troubleshooting purposes.

All interfaces are up and respond to pings.  I know that I am missing something simple.

Thank you.

They are added, but once you reboot they are lost.  You'll need to either create a script to re-add them on boot or use the iptables-save/iptables-restore commands.

James


On Tue, Nov 29, 2016 at 9:25 AM, James Lay <jlay () slave-tothe-box net> wrote:

On 2016-11-28 14:28, J Green wrote:
Compiled Snort 2.9.8.3 & DAQ, CentOS 7 (VM).

It works w/ NFQ inline.  However, if I reboot the VM, NFQ no longer seems to work.  I do not see anything in the logs, etc.

Here is how I am running Snort:

snort -Q --daq nfq --daq-var device=eth0 --daq-var queue=1 -c /etc/snort/snort.conf &

iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
iptables -I FORWARD -j NFQUEUE --queue-num 1

barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.us -w /var/log/snort/barnyard.waldo -g snort -u snort

Any input would be appreciated.

Thank you.










------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Make sure your IP tables rules are reapplied on reboot.

James


Sounds like you'll want to not run snort in the background for
testing...if it was me I'd packet capture as well.

James








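To make James's advice concrete (re-add the NFQUEUE rules on boot, check the counters before and after a test), here is an added boot script. It is an editorial example for this thread, not code from the posts or from the Snort project. It loads nfnetlink_queue and tells systemd to load it on every boot, inserts the two rules posted in the thread only if they are missing (so running it twice does not stack duplicate NFQUEUE rules), and prints the rule counters together with /proc/net/netfilter/nfnetlink_queue, which is the kernel's list of queues that actually have a consumer bound. It assumes queue 1, a CentOS 7 host, and that firewalld has been disabled in favour of plain iptables; firewalld owns the iptables ruleset when it is running and flushes hand-inserted rules on reload, so for a host that keeps firewalld the firewalld_direct_cmds function prints the equivalent permanent direct rules instead. The script name, function names and the modules-load.d file name are the example's own.

```shell
#!/bin/bash
# snort-nfq-rules.sh: reapply what Snort's NFQ DAQ needs after a reboot.
# Added example for this thread, not code from the posts or from the Snort
# project. Assumptions (adjust to taste): queue number 1, the two rules posted
# in the thread, firewalld disabled so iptables keeps our rules, and systemd's
# modules-load.d for module persistence (CentOS 7).
set -eu

QUEUE="${QUEUE:-1}"
IPTABLES="${IPTABLES:-iptables}"                   # set IPTABLES=echo for a dry run
MODULES_CONF=/etc/modules-load.d/snort-nfq.conf     # example path, not a Snort convention

# The rule set, one per line as "<table> <chain> <rule args>", so every other
# function (apply, render, firewalld variant) works from the same definition.
nfq_rules() {
    local q="$1"
    printf '%s\n' \
        "nat PREROUTING -j NFQUEUE --queue-num ${q}" \
        "filter FORWARD -j NFQUEUE --queue-num ${q}"
}

# Print the plain iptables commands (what the thread typed by hand after reboot).
render_rules() {
    local q="$1" table chain args
    nfq_rules "$q" | while read -r table chain args; do
        printf 'iptables -t %s -I %s %s\n' "$table" "$chain" "$args"
    done
}

# Insert each rule only if it is not already present (-C checks for it), so the
# script is safe to run from a boot unit and again by hand without stacking
# duplicate NFQUEUE rules that would hand every packet to the queue twice.
apply_rules() {
    local q="$1" table chain args
    nfq_rules "$q" | while read -r table chain args; do
        # shellcheck disable=SC2086   # $args is meant to be word-split
        if ! $IPTABLES -t "$table" -C "$chain" $args 2>/dev/null; then
            $IPTABLES -t "$table" -I "$chain" $args
        fi
    done
}

# Equivalent permanent rules through firewalld's direct interface, for hosts
# that keep firewalld running (it flushes hand-inserted rules on reload).
firewalld_direct_cmds() {
    local q="$1" table chain args
    nfq_rules "$q" | while read -r table chain args; do
        printf 'firewall-cmd --permanent --direct --add-rule ipv4 %s %s 0 %s\n' \
            "$table" "$chain" "$args"
    done
    echo 'firewall-cmd --reload'
}

# Load nfnetlink_queue now (modprobe pulls in nfnetlink as a dependency) and
# have systemd-modules-load bring it up on every boot, which is the piece the
# thread found missing after a reboot.
load_modules() {
    modprobe nfnetlink_queue
    printf 'nfnetlink_queue\n' > "$MODULES_CONF"
}

# What to look at before and after a test: rule hit counters, and the kernel's
# view of bound queues. An empty /proc/net/netfilter/nfnetlink_queue means no
# process (so no Snort) is attached to any queue; with an NFQUEUE rule in place
# and nothing listening, matching packets are dropped unless --queue-bypass is set.
show_state() {
    $IPTABLES -t nat -nvL PREROUTING
    $IPTABLES -nvL FORWARD
    echo '--- /proc/net/netfilter/nfnetlink_queue (queue peer_portid total copy_mode copy_range dropped user_dropped id_seq) ---'
    cat /proc/net/netfilter/nfnetlink_queue 2>/dev/null || echo 'nfnetlink_queue module not loaded'
}

case "${1:-}" in
    apply) load_modules; apply_rules "$QUEUE"; show_state ;;
    show)  render_rules "$QUEUE"; echo; firewalld_direct_cmds "$QUEUE" ;;
    state) show_state ;;
esac
```

Run it as root with `apply` from a systemd unit or rc.local ordered before Snort starts, and with `state` after sending test traffic through the bridge: the FORWARD and PREROUTING counters show whether packets reached the NFQUEUE rules, and the nfnetlink_queue line for queue 1 shows whether Snort is the one holding them. If fail-open is preferable to losing the box when Snort is not running, add `--queue-bypass` to the rule args in nfq_rules.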
