Firewall rules configured from SOC are not showing up in iptables

[6161726f6e]

Version

Other (please provide detail below)

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Meets minimum requirements

CPU

4

RAM

16

Storage for /

65GB

Storage for /nsm

125G

Network Traffic Collection

other (please provide detail below)

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

SO Version = 2.4.141
Standalone system that is not doing any network traffic analysis.

I am attempting to add new logs from nxlog. I added a custom hostgroup and portgroup via SOC to support this. However, the traffic is not being accepted.

Salt highstate shows no errors:

[root@securityonion log]# salt \* state.highstate
...
----------
          ID: salt_minion_service
    Function: service.running
        Name: salt-minion
      Result: True
     Comment: The service salt-minion is already running
     Started: 15:36:45.590959
    Duration: 33.645 ms
     Changes:   

Summary for securityonion_standalone
---------------
Succeeded: 1539 (changed=38)
Failed:       0
---------------
Total states run:     1539
Total run time:    162.605 s

I can see the TCP Syn packets getting to SO, but it is still not accepting the packets.

Also, iptables -nvL output doesn't show the new rule.

[root@securityonion log]# systemctl status iptables
● iptables.service - IPv4 firewall with iptables
     Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; preset: disabled)
     Active: active (exited) since Tue 2025-04-15 15:40:52 UTC; 4s ago
    Process: 659893 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
   Main PID: 659893 (code=exited, status=0/SUCCESS)
        CPU: 15ms

Apr 15 15:40:52 securityonion systemd[1]: Starting IPv4 firewall with iptables...
Apr 15 15:40:52 securityonion iptables.init[659893]: iptables: Applying firewall rules: [  OK  ]
Apr 15 15:40:52 securityonion systemd[1]: Finished IPv4 firewall with iptables.

[root@securityonion log]# iptables -nvL | grep 9999
[root@securityonion log]# 

Things I have tried:

1. Deleting/Recreating the hostgroup and portgroup.
2. Tried different ports (currently trying to use TCP 9999)
3. Upgrading to latest version of SO
4. Manually synchronizing the grid via SOC configuration
5. Restarting iptables service
6. Rebooting

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[6161726f6e]

Forgot to add that I had also added this for the listener to the securityonion_standalone.sls and updated salt.

vector:
    custom_configs:
        nxlog_windows_input:
            sinks:
                nxlog_windows_remap:
                    inputs:
                        - nxlog_windows_remap
            sources:
                nxlog_windows_tcp_source:
                    address: 0.0.0.0:9999
                    decoding:
                        codec: json
                    mode: tcp
                    tags:
                        input_source: nxlog_windows
                    type: socket
            transforms:
                nxlog_windows_remap:
                    inputs:
                        - nxlog_windows_tcp_source
                    source: |
                        # Add some basic ECS-like fields if they don't exist
                        .event.kind = "event"
                        .event.category = ["host", "intrusion_detection"] # Adjust category as needed
                        .event.dataset = "windows.eventlog"
                        .agent.type = "nxlog"
                        .observer.vendor = "Microsoft"
                        .observer.product = "Windows"

                        # Ensure the original event is preserved if needed for debugging
                        # .event.original = encode_json(.) # Uncomment if you want the full original JSON stored

                        # Attempt to map common NXLog fields to ECS
                        # These depend heavily on EXACTLY how NXLog formats its JSON output.
                        # You may need to inspect incoming logs in Hunt/Kibana first and adjust these mappings.
                        if exists(.EventTime) { .@timestamp = parse_timestamp!(.EventTime, format: "%Y-%m-%dT%H:%M:%S.%fZ") ?? now() } else { .@timestamp = now() }
                        if exists(.Hostname) { .host.name = .Hostname } else { .host.name = .SourceName } # Adjust based on your NXLog JSON
                        if exists(.EventID) { .event.code = to_string!(.EventID) }
                        if exists(.Message) { .message = .Message }
                        if exists(.SourceName) { .winlog.provider_name = .SourceName }
                        if exists(.Keywords) { .winlog.keywords = split!(to_string!(.Keywords), " ") } # Example, adjust parsing as needed
                        # Add more mappings as needed based on your specific JSON structure from NXLog

                        # Add a tag to indicate processing
                        .tags = push(.tags ?? [], "processed_nxlog_windows")
                    type: remap

[6161726f6e]

Nothing is still listening though:

[root@securityonion admin]# netstat -tunlp | grep 9999
[root@securityonion admin]# 

[6161726f6e]

Also, I just found the soc_firewall.sls file which looks like this, and it does look correct (it has the correct full IPs, not the 'X.X.X.')

[root@securityonion firewall]# cat soc_firewall.sls 
firewall:
    hostgroups:
        analyst:
            - X.X.X.0/24
        customhostgroup0:
            - X.X.X.1
        customhostgroup1:
            - X.X.X.99
        standalone:
            - X.X.X.252
    portgroups:
        customportgroup0:
            udp:
                - "9001"
        customportgroup1:
            tcp:
                - "9999"
    role:
        standalone:
            chain:
                INPUT:
                    hostgroups:
                        customhostgroup0:
                            portgroups:
                                - customportgroup0

[6161726f6e]

OK. I switched to logstash, and got it working now. I was referencing some incorrect documentation about using Vector instead of logstash.
[2025-04-15T20:59:21,647][INFO ][logstash.inputs.tcp ] Starting tcp input listener {:address=>"0.0.0.0:9999", :ssl_enabled=>false}