Snort mailing list archives
Re: ERROR: Can't start DAQ
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Tue, 31 Mar 2015 15:59:25 +0000
Have you started it with -u and -g to drop permissions after being started as root? -u <uname> Run snort uid as <uname> user (or uid) after initialization -g <gname> Run snort gid as <gname> group (or gid) after initialization Albert Lewis QA Software Engineer SOURCEfire, Inc. now part of Cisco 9780 Patuxent Woods Drive Columbia, MD 21046 Phone: (office) 443.430.7112 Email: allewi () cisco com From: Al Lewis (allewi) Sent: Tuesday, March 31, 2015 11:37 AM To: Dan Roberts; snort-users () lists sourceforge net Subject: Re: [Snort-users] ERROR: Can't start DAQ Your user needs to be able to open a socket. Can your snort user run something like tcpdump on an interface? If not then it needs rights. Albert Lewis QA Software Engineer SOURCEfire, Inc. now part of Cisco 9780 Patuxent Woods Drive Columbia, MD 21046 Phone: (office) 443.430.7112 Email: allewi () cisco com<mailto:allewi () cisco com> From: Dan Roberts [mailto:danroberts2604 () gmail com] Sent: Tuesday, March 31, 2015 11:22 AM To: snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net> Subject: [Snort-users] ERROR: Can't start DAQ Hi guys, My snort configuration works pretty well as long as I run it as root during my test. But for some obvious reason, I want now put it in prod and run it as user "snort", using the options " -u snort -g snort ". This is where I get --= Initializing Snort =-- Initializing Output Plugins! pcap DAQ configured to passive. Acquiring network traffic from "eth0". ERROR: Can't start DAQ (-1) - socket: Operation not permitted! Fatal Error, Quitting... I've googled around a bit, without success. It has surely something to do with some missing rights..... Do you have any idea ? Does user "snort" have some specific rights ? Your help would be highly appreciated ;-) Thanks Dan
------------------------------------------------------------------------------ Dive into the World of Parallel Programming The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- ERROR: Can't start DAQ Dan Roberts (Mar 31)
- Re: ERROR: Can't start DAQ Al Lewis (allewi) (Mar 31)
- Re: ERROR: Can't start DAQ Al Lewis (allewi) (Mar 31)
- Re: ERROR: Can't start DAQ Al Lewis (allewi) (Mar 31)