Re: Can't start DAQ (-1) - ipfw_daq_start: can't create divert socket

[Ricky Huang <rhuang.work () gmail com>]

On Mar 12, 2013, at 9:26 AM, Russ Combs <rcombs () sourcefire com> wrote:

> On Mon, Mar 11, 2013 at 6:53 PM, Ricky Huang <rhuang.work () gmail com> wrote:
> On Mar 8, 2013, at 12:29 PM, Lawrence Teo <lteo () lteo net> wrote:
>
> > […]
> >
> > The DAQ README says that you'll need to recompile the kernel to enable
> > support for divert sockets by placing the following lines in the
> > kernel config:
> >
> >    options IPFIREWALL
> >    options IPDIVERT
>
> Thanks for the idea Lawrence.  I eventually used the loadable kernel modules by adding firewall_enable="YES" in 
> /etc/rc.conf and ipdivert_load="YES" in /boot/loader.conf instead of recompiling the kernel.  Your suggestion pointed 
> me in the correct direction.
>
> Thanks for reporting your resolution.  I'll add that to the DAQ README.

Hello Russ, below are the actual lines:
        /etc/rc.conf
                firewall_enable="YES"
                firewall_type="OPEN" # BSD deny all traffic by default, you'll get locked out without this!
        /boot/loader.conf
                ipfw_load="YES"
                ipdivert_load="YES"


> > The DAQ README also shows sample ipfw commands that you can use, e.g.
> > "ipfw add 75 divert 8000 icmp from any to any".  Note that 8000 is the
> > default divert port in the IPFW DAQ; if you change it to something else
> > like 5000, you'll need to start Snort with an additional command-line
> > argument: --daq-var port=5000
> > […]
>
> Can you please refer me to the DAQ README documentation?  Snort User Manual 2.9.4 "1.5 Packet Acquisition" 
> (http://manual.snort.org/node7.html) is the closest thing I found and I don't see the "ipfw add…" example you 
> referred 
>
> The DAQ REAME is in the DAQ tarball (not to be confused with README.daq which is in the Snort tarball). 

Ah, I used DAQ from BSD ports so I was unaware of this.  Thank you!

BTW, is there a documentation somewhere that outlines how Snort is setup as a IPS?


> Thanks again!
>
> ------------------------------------------------------------------------------
> Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester
> Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in the
> endpoint security space. For insight on selecting the right partner to
> tackle endpoint security challenges, access the full report.
> http://p.sf.net/sfu/symantec-dev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester  
Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in the  
endpoint security space. For insight on selecting the right partner to 
tackle endpoint security challenges, access the full report. 
http://p.sf.net/sfu/symantec-dev2dev

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!