Snort mailing list archives

Can't start DAQ (-1) - ipfw_daq_start: can't create divert socket

From: Ricky Huang <rhuang.work () gmail com>
Date: Fri, 8 Mar 2013 12:03:29 -0800

Hello all,

In an attempt to run Snort in inline mode (IPS), I set DAQ of my Snort to be IPFW.  At first it refuse to start with 
the error:

$ snort -i igb0 -u snort -g snort -c /usr/local/etc/snort/snort.conf -N -Q --daq ipfw --daq-mode inline

[…]

ERROR: Can't start DAQ (-1) - ipfw_daq_start: can't create divert socket (Operation not permitted)
!
Fatal Error, Quitting..

(full log attached, snort.ipfw.log)

A little Googling shows this to be an issue of IPFW requiring root to start (http://seclists.org/snort/2013/q1/803).

Fine.  So I start the snort with root:wheel and got another flavor of the ipfw_daq_start error:


snort -i igb0 -u root -g wheel -c /usr/local/etc/snort/snort.conf -N -Q --daq ipfw --daq-mode inline
[…]
ERROR: Can't start DAQ (-1) - ipfw_daq_start: can't create divert socket (Protocol not supported)
!
Fatal Error, Quitting..

(full log attached, snort.ipfw.root.log)

At first I am guessing it has to with the note on Snort documentation 
(http://manual.snort.org/node7.html#SECTION00256000000000000000):


* IPFW only supports ip4 traffic.


So I went through my snort.conf and turn off the only two things referring to ipv6:


#preprocessor normalize_ip6
#preprocessor normalize_icmp6


And I am still getting the same "Protocol not supported" error (full log attached, snort.ipfw.root.noip6.log).

I am stumped…

BTW, is there another DAQ choice on FreeBSD 9.0 for inline operation?  Looking in the DAQ library dir:


# ls -1 /usr/local/lib/daq/
daq_dump.la
daq_dump.so
daq_ipfw.la
daq_ipfw.so
daq_pcap.la
daq_pcap.so


It doesn't seem like I have many choices.


Thanks in advance!

------------------------------------------------------------------------------
Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester  
Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in the  
endpoint security space. For insight on selecting the right partner to 
tackle endpoint security challenges, access the full report. 
http://p.sf.net/sfu/symantec-dev2dev

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

Can't start DAQ (-1) - ipfw_daq_start: can't create divert socket Ricky Huang (Mar 08)
- Re: Can't start DAQ (-1) - ipfw_daq_start: can't create divert socket Lawrence Teo (Mar 08)
  - Re: Can't start DAQ (-1) - ipfw_daq_start: can't create divert socket Ricky Huang (Mar 11)
    - Re: Can't start DAQ (-1) - ipfw_daq_start: can't create divert socket Russ Combs (Mar 12)
    - Re: Can't start DAQ (-1) - ipfw_daq_start: can't create divert socket Ricky Huang (Mar 12)