Snort mailing list archives

Re: ERROR: can't find nfq DAQ


From: Marcin Dulak <marcin.dulak () gmail com>
Date: Wed, 30 Nov 2016 23:17:27 +0100

Try to specify the location of daq modules with (replace with the path
where daq_nfq.so lives):

snort --daq-dir /usr/lib64/daq/ --daq-list

Marcin

On Wed, Nov 30, 2016 at 11:05 PM, Amal Saeed <amal.saeed () simmons edu> wrote:

When I ran it as root, it validated the configuration, just like that! But
now my nfq module is missing.

On Wed, Nov 30, 2016 at 4:15 PM, Al Lewis (allewi) <allewi () cisco com>
wrote:

Couple of things to try as a test.

1) try running it as root (for permissions).

2) create the alert file then

3) run snort without logging enabled


When you start snort the user has to have elevated privileges. So a
regular user may not cut it.


See the DAQ readme:

NFQ Module
==========

NFQ is the new and improved way to process iptables packets:

    ./snort --daq nfq \
        [--daq-var device=<dev>] \
        [--daq-var proto=<proto>] \
        [--daq-var queue=<qid>]

    <dev> ::= ip | eth0, etc; default is IP injection
    <proto> ::= ip4 | ip6 |; default is ip4
    <qid> ::= 0..65535; default is 0

*This module can not run unprivileged so ./snort -u -g will produce a
warning and won't change user or group.*

Notes on iptables are given below.


*Albert Lewis*

ENGINEER.SOFTWARE ENGINEERING

SOURCE*fire*, Inc. now part of *Cisco*

Email: allewi () cisco com

From: Amal Saeed <amal.saeed () simmons edu>
Date: Wednesday, November 30, 2016 at 3:33 PM

To: allewi <allewi () cisco com>
Cc: 'snort-users' <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] ERROR: can't find nfq DAQ

I have full permissions though (see attached)?

On Wed, Nov 30, 2016 at 3:19 PM, Amal Saeed <amal.saeed () simmons edu>
wrote:

I'm running as a regular user.

On Wed, Nov 30, 2016 at 3:17 PM, Al Lewis (allewi) <allewi () cisco com>
wrote:

Permissions on the directory wouldn’t be something snort can control.

Who are you running snort as? root? regular user?




From: Amal Saeed <amal.saeed () simmons edu>
Date: Wednesday, November 30, 2016 at 3:05 PM
To: allewi <allewi () cisco com>
Cc: 'snort-users' <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] ERROR: can't find nfq DAQ

So I just ran:  *snort -i wlan0 -c /etc/snort/snort.conf -T*
and Snort successfully validated my configuration.

I've tried changing permission on my /var/log/snort directory, but it
doesn't take the changes.

On Wed, Nov 30, 2016 at 2:59 PM, Al Lewis (allewi) <allewi () cisco com>
wrote:

The error is “ERROR: OpenAlertFile() => fopen() alert file
/var/log/snort/alert: *Permission denied*”

Doesn’t look like snort can write to your logging directory.





From: Amal Saeed <amal.saeed () simmons edu>
Date: Wednesday, November 30, 2016 at 2:51 PM
To: 'snort-users' <snort-users () lists sourceforge net>
Subject: [Snort-users] ERROR: can't find nfq DAQ

Hello,

I'm trying to run Snort in inline mode (-Q), but I kept running into
this problem, where it says can't find nfq DAQ even though I see nfq listed
in my --daq-list. I've tried troubleshooting with every source I found
online, but now I get a different error.

If I run: *snort --daq nfq -Q -c /etc/snort/snort.conf*
I get:
Log directory = /var/log/snort
ERROR: OpenAlertFile() => fopen() alert file /var/log/snort/alert:
Permission denied
Fatal Error, Quitting..

If I run: *snort -T -c /etc/snort/snort.conf*
I get:
[ Number of patterns truncated to 20 bytes: 497 ]
ERROR: Active response: can't open ip!
Fatal Error, Quitting..

I have an IP address and I can ping myself/others and receive pings
with no issue.

Please advise on what I can do to resolve this, thank you!

--
Amal Saeed
Simmons College '17, B.S. Computer Science & Information Technology
Secretary, 2017 Class Council
Co-Vice President, Computer Science & Mathematics Liaison
Technology Assistant, *Simmons Technology Support Center*





------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
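
The three conditions this thread works through (the directory given to --daq-dir actually holding daq_nfq.so, root privileges for the NFQ module, and a writable alert file under the log directory) can be checked together before starting Snort inline. This is an added example, not part of the original messages or of Snort itself; the function name `preflight_nfq` is hypothetical, and the write test applies to whichever user runs the script.

```shell
#!/bin/sh
# Added example: preflight checks before "snort --daq nfq -Q ...".
# Usage: preflight_nfq DAQ_DIR LOG_DIR [UID]
# Prints one line per problem and returns the number of problems found.
# The body runs in a subshell ( ... ) so its variables stay local.
preflight_nfq() (
    daq_dir="$1"
    log_dir="$2"
    uid="${3:-$(id -u)}"
    problems=0

    # 1. The module file must exist in the directory passed to --daq-dir.
    if [ ! -f "$daq_dir/daq_nfq.so" ]; then
        echo "daq_nfq.so not found in $daq_dir; pass its real location with --daq-dir"
        problems=$((problems + 1))
    fi

    # 2. Per the DAQ README, the nfq module cannot run unprivileged.
    if [ "$uid" -ne 0 ]; then
        echo "uid $uid is not root; the nfq module cannot run unprivileged"
        problems=$((problems + 1))
    fi

    # 3. OpenAlertFile() must be able to create or append to LOG_DIR/alert.
    if [ ! -d "$log_dir" ]; then
        echo "log directory $log_dir does not exist"
        problems=$((problems + 1))
    elif [ ! -w "$log_dir" ] || { [ -e "$log_dir/alert" ] && [ ! -w "$log_dir/alert" ]; }; then
        echo "cannot write $log_dir/alert as the current user"
        problems=$((problems + 1))
    fi

    exit "$problems"
)

# Example call with the paths mentioned in the thread:
#   preflight_nfq /usr/lib64/daq /var/log/snort || echo "fix the above first"
```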
