[Snort-users] Can't start DAQ (-1) - ipfw_daq_start: can't create divert socket

Ricky Huang rhuang.work at ...11827...
Fri Mar 8 15:03:29 EST 2013


Hello all,

In an attempt to run Snort in inline mode (IPS), I set DAQ of my Snort to be IPFW.  At first it refused to start with the error:
> $ snort -i igb0 -u snort -g snort -c /usr/local/etc/snort/snort.conf -N -Q --daq ipfw --daq-mode inline
> […]
> ERROR: Can't start DAQ (-1) - ipfw_daq_start: can't create divert socket (Operation not permitted)
> !
> Fatal Error, Quitting..
(full log attached, snort.ipfw.log)

A little Googling shows this to be an issue of IPFW requiring root to start (http://seclists.org/snort/2013/q1/803).

Fine.  So I started snort with root:wheel and got another flavor of the ipfw_daq_start error:
> snort -i igb0 -u root -g wheel -c /usr/local/etc/snort/snort.conf -N -Q --daq ipfw --daq-mode inline
> […]
> ERROR: Can't start DAQ (-1) - ipfw_daq_start: can't create divert socket (Protocol not supported)
> !
> Fatal Error, Quitting..
(full log attached, snort.ipfw.root.log)

At first I was guessing it has to do with the note in the Snort documentation (http://manual.snort.org/node7.html#SECTION00256000000000000000):
> * IPFW only supports ip4 traffic.

So I went through my snort.conf and turned off the only two things referring to ipv6:
> #preprocessor normalize_ip6
> #preprocessor normalize_icmp6

And I am still getting the same "Protocol not supported" error (full log attached, snort.ipfw.root.noip6.log).

I am stumped…

BTW, is there another DAQ choice on FreeBSD 9.0 for inline operation?  Looking in the DAQ library dir:
> # ls -1 /usr/local/lib/daq/
> daq_dump.la
> daq_dump.so
> daq_ipfw.la
> daq_ipfw.so
> daq_pcap.la
> daq_pcap.so

It doesn't seem like I have many choices.


Thanks in advance!
