Re: Can't start DAQ (-1) - ipfw_daq_start: can't create divert socket

[Russ Combs <rcombs () sourcefire com>]

On Mon, Mar 11, 2013 at 6:53 PM, Ricky Huang <rhuang.work () gmail com> wrote:

> On Mar 8, 2013, at 12:29 PM, Lawrence Teo <lteo () lteo net> wrote:
>
> […]
>
>
> The DAQ README says that you'll need to recompile the kernel to enable
> support for divert sockets by placing the following lines in the
> kernel config:
>
>    options IPFIREWALL
>    options IPDIVERT
>
>
> Thanks for the idea Lawrence.  I eventually used the loadable kernel
> modules by adding firewall_enable="YES" in /etc/rc.conf
> and ipdivert_load="YES" in /boot/loader.conf instead of recompiling the
> kernel.  Your suggestion pointed me in the correct direction.

Thanks for reporting your resolution.  I'll add that to the DAQ README.

> The DAQ README also shows sample ipfw commands that you can use, e.g.
> "ipfw add 75 divert 8000 icmp from any to any".  Note that 8000 is the
> default divert port in the IPFW DAQ; if you change it to something else
> like 5000, you'll need to start Snort with an additional command-line
> argument: --daq-var port=5000
>
> […]
>
>
> Can you please refer me to the DAQ README documentation?  Snort User
> Manual 2.9.4 "1.5 Packet Acquisition" (http://manual.snort.org/node7.html)
> is the closest thing I found and I don't see the "ipfw add…" example you
> referred

The DAQ REAME is in the DAQ tarball (not to be confused with README.daq
which is in the Snort tarball).

> Thanks again!
>
>
> ------------------------------------------------------------------------------
> Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester
> Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in the
> endpoint security space. For insight on selecting the right partner to
> tackle endpoint security challenges, access the full report.
> http://p.sf.net/sfu/symantec-dev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester  
Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in the  
endpoint security space. For insight on selecting the right partner to 
tackle endpoint security challenges, access the full report. 
http://p.sf.net/sfu/symantec-dev2dev

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!