Snort mailing list archives
Can't start DAQ (-1) - ipfw_daq_start: can't create divert socket
From: Ricky Huang <rhuang.work () gmail com>
Date: Fri, 8 Mar 2013 12:03:29 -0800
Hello all, In an attempt to run Snort in inline mode (IPS), I set DAQ of my Snort to be IPFW. At first it refuse to start with the error:
$ snort -i igb0 -u snort -g snort -c /usr/local/etc/snort/snort.conf -N -Q --daq ipfw --daq-mode inline
[…]
ERROR: Can't start DAQ (-1) - ipfw_daq_start: can't create divert socket (Operation not permitted) ! Fatal Error, Quitting..
(full log attached, snort.ipfw.log) A little Googling shows this to be an issue of IPFW requiring root to start (http://seclists.org/snort/2013/q1/803). Fine. So I start the snort with root:wheel and got another flavor of the ipfw_daq_start error:
snort -i igb0 -u root -g wheel -c /usr/local/etc/snort/snort.conf -N -Q --daq ipfw --daq-mode inline […] ERROR: Can't start DAQ (-1) - ipfw_daq_start: can't create divert socket (Protocol not supported) ! Fatal Error, Quitting..
(full log attached, snort.ipfw.root.log) At first I am guessing it has to with the note on Snort documentation (http://manual.snort.org/node7.html#SECTION00256000000000000000):
* IPFW only supports ip4 traffic.
So I went through my snort.conf and turn off the only two things referring to ipv6:
#preprocessor normalize_ip6 #preprocessor normalize_icmp6
And I am still getting the same "Protocol not supported" error (full log attached, snort.ipfw.root.noip6.log). I am stumped… BTW, is there another DAQ choice on FreeBSD 9.0 for inline operation? Looking in the DAQ library dir:
# ls -1 /usr/local/lib/daq/ daq_dump.la daq_dump.so daq_ipfw.la daq_ipfw.so daq_pcap.la daq_pcap.so
It doesn't seem like I have many choices. Thanks in advance!
------------------------------------------------------------------------------ Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in the endpoint security space. For insight on selecting the right partner to tackle endpoint security challenges, access the full report. http://p.sf.net/sfu/symantec-dev2dev
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Can't start DAQ (-1) - ipfw_daq_start: can't create divert socket Ricky Huang (Mar 08)
- Re: Can't start DAQ (-1) - ipfw_daq_start: can't create divert socket Lawrence Teo (Mar 08)
- Re: Can't start DAQ (-1) - ipfw_daq_start: can't create divert socket Ricky Huang (Mar 11)
- Re: Can't start DAQ (-1) - ipfw_daq_start: can't create divert socket Russ Combs (Mar 12)
- Re: Can't start DAQ (-1) - ipfw_daq_start: can't create divert socket Ricky Huang (Mar 12)
- Re: Can't start DAQ (-1) - ipfw_daq_start: can't create divert socket Ricky Huang (Mar 11)
- Re: Can't start DAQ (-1) - ipfw_daq_start: can't create divert socket Lawrence Teo (Mar 08)