Re: Snort Inline w/ NFQ doesn't work after reboot

[J Green <corpengineer () gmail com>]

Got it.

In addition to the modules, IP forwarding w/ sysctl does not survive
reboots.

Thank you for all the help
On Nov 29, 2016 2:14 PM, "J Green" <corpengineer () gmail com> wrote:

> Trying to figure out what modules are required NFQ.  I added those (3)
> manually, but I am probably missing others, which are less obvious.
>
> Also, was reading about NFQ debug variable, but it errors out, think I
> have the syntax incorrect.
>
>
>
> On Tue, Nov 29, 2016 at 1:47 PM, James Lay <jlay () slave-tothe-box net>
> wrote:
>
> > On 2016-11-29 14:28, J Green wrote:
> > > Of note, the Snort portion still detects events, and seems to work.
> > >
> > > What does not work, is legitimate/permitted network access.  This
> > > leads me to believe that NFQ is the problem, and might not be loaded
> > > properly upon reboot?
> > >
> > > On Tue, Nov 29, 2016 at 12:35 PM, J Green <corpengineer () gmail com>
> > > wrote:
> > >
> > > > Will try that.
> > > >
> > > > One thing I noticed is that the nfnetlink modules (nfnetlink,
> > > > nfnetlink_log, nfnetlink_queue) were not loaded upon reboot.
> > > >
> > > > I reinstalled them manually.  But it is still not working.
> > > >
> > > > On Tue, Nov 29, 2016 at 12:23 PM, James Lay
> > > > <jlay () slave-tothe-box net> wrote:
> > > >
> > > > > Best is to look like so:
> > > > >
> > > > > sudo iptables -nvL
> > > > > sudo iptables -t nat -nvL
> > > > >
> > > > > before and after testing...that should show you what packets went
> > > > > where.
> > > > >
> > > > > James
> > > > >
> > > > > On 2016-11-29 12:01, J Green wrote:
> > > > > > Will try that.  This seems like a firewall or NFQ issue.
> > > > > >
> > > > > > Is there a way to get debug logging out of NFQ?
> > > > > >
> > > > > > Thank you.
> > > > > >
> > > > > > On Tue, Nov 29, 2016 at 10:51 AM, James Lay
> > > > > <jlay () slave-tothe-box net>
> > > > > > wrote:
> > > > > >
> > > > > > > On 2016-11-29 11:48, J Green wrote:
> > > > > > > > Upon reboot, I enter those (2) iptables commands manually,
> > > > > before
> > > > > > > > running barnyard.
> > > > > > > >
> > > > > > > > Still does not work.
> > > > > > > >
> > > > > > > > Thank you.
> > > > > > > >
> > > > > > > > On Tue, Nov 29, 2016 at 10:41 AM, James Lay
> > > > > > > <jlay () slave-tothe-box net>
> > > > > > > > wrote:
> > > > > > > >
> > > > > > > > > On 2016-11-29 11:31, J Green wrote:
> > > > > > > > > > Appreciate the response.  Firewalld/iptables is up.  Though
> > > > > the
> > > > > > > > > only
> > > > > > > > > > rule I have in there is for access to the Barnyard web gui.
> > > > > > > > > >
> > > > > > > > > > Thought that rules for inline were added as follows?
> > > > > > > > > >
> > > > > > > > > > iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
> > > > > > > > > > iptables -I FORWARD -j NFQUEUE --queue-num 1
> > > > > > > > > >
> > > > > > > > > > I did have this more granular, only allowing specific ports
> > > > > > > > > through
> > > > > > > > > > the bridge, but opened it up for troubleshooting purposes.
> > > > > > > > > >
> > > > > > > > > > All interfaces are up and respond to pings.  I know that I
> > > > > am
> > > > > > > > > missing
> > > > > > > > > > something simple.
> > > > > > > > > >
> > > > > > > > > > Thank you.
> > > > > > > > >
> > > > > > > > > They are added, but once you reboot they are lost.  You'll
> > > > > need
> > > > > > > to
> > > > > > > > > either create a script to readd them on boot or use
> > > > > > > > > iptables-save/iptables-restore commands.
> > > > > > > > >
> > > > > > > > > James
> > > > > > > > >
> > > > > > > > > > On Tue, Nov 29, 2016 at 9:25 AM, James Lay
> > > > > > > > > <jlay () slave-tothe-box net>
> > > > > > > > > > wrote:
> > > > > > > > > >
> > > > > > > > > > > On 2016-11-28 14:28, J Green wrote:
> > > > > > > > > > > > Compiled Snort 2.9.8.3 & DAQ, CentOS 7 (VM).
> > > > > > > > > > > >
> > > > > > > > > > > > It works w/ NFQ inline.  However, if I reboot the VM, NFQ
> > > > > no
> > > > > > > > > > > longer
> > > > > > > > > > > > seems to work.  I do not see anything in the logs, etc.
> > > > > > > > > > > >
> > > > > > > > > > > > Here is how I am running Snort:
> > > > > > > > > > > >
> > > > > > > > > > > > snort -Q --daq nfq --daq-var device=eth0 --daq-var queue=1
> > > > > -c
> > > > > > > > > > > > /etc/snort/snort.conf &
> > > > > > > > > > > >
> > > > > > > > > > > > iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
> > > > > > > > > > > > iptables -I FORWARD -j NFQUEUE --queue-num 1
> > > > > > > > > > > >
> > > > > > > > > > > > barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort
> > > > > -f
> > > > > > > > > > > snort.us [1] [1] [1] [1]
> > > > > > > > > > > > [1] -w /var/log/snort/barnyard.waldo -g snort -u snort
> > > > > > > > > > > >
> > > > > > > > > > > > Any input would be appreciated.
> > > > > > > > > > > >
> > > > > > > > > > > > Thank you.
> >
> > Could be...check your mods after reboot...in my experience those have
> > been loaded automatically.
> >
> > James
> >
> > ------------------------------------------------------------
> > ------------------
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> > Snort news!
------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!