[Snort-users] Can't start DAQ (-1) - ipfw_daq_start: can't create divert socket
rhuang.work at ...11827...
Mon Mar 11 18:53:38 EDT 2013
On Mar 8, 2013, at 12:29 PM, Lawrence Teo <lteo at ...16129...> wrote:
> The DAQ README says that you'll need to recompile the kernel to enable
> support for divert sockets by placing the following lines in the
> kernel config:
> options IPFIREWALL
> options IPDIVERT
Thanks for the idea, Lawrence. I eventually used the loadable kernel modules by adding firewall_enable="YES" in /etc/rc.conf and ipdivert_load="YES" in /boot/loader.conf instead of recompiling the kernel. Your suggestion pointed me in the correct direction.
> The DAQ README also shows sample ipfw commands that you can use, e.g.
> "ipfw add 75 divert 8000 icmp from any to any". Note that 8000 is the
> default divert port in the IPFW DAQ; if you change it to something else
> like 5000, you'll need to start Snort with an additional command-line
> argument: --daq-var port=5000
Can you please refer me to the DAQ README documentation? Snort User Manual 2.9.4 "1.5 Packet Acquisition" (http://manual.snort.org/node7.html) is the closest thing I found and I don't see the "ipfw add…" example you referred
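Added example (not part of the original message or the DAQ README): a preflight check that the two settings named above are present and that an ipfw divert rule targets the port Snort will be started with, since a missing divert module or a port mismatch both leave the IPFW DAQ without packets. The function names are hypothetical, and it assumes the output of `ipfw list` has been saved to a file; the sample files are constructed.

```shell
#!/bin/sh
# Preflight check for the Snort IPFW DAQ setup discussed in this thread.
# Function names and sample inputs are constructed for illustration.

# has_setting FILE KEY VALUE_REGEX
# Succeeds if FILE has an uncommented KEY="VALUE" line (quotes optional).
has_setting() {
    grep -Eq "^[[:space:]]*$2=\"?$3\"?[[:space:]]*(#.*)?$" "$1"
}

# divert_ports: reads `ipfw list` output on stdin and prints every port
# that a "divert" rule sends packets to, one per line, deduplicated.
divert_ports() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "divert") print $(i + 1) }' | sort -un
}

# check_divert_setup RC_CONF LOADER_CONF RULES_FILE DAQ_PORT
# DAQ_PORT is the value given to --daq-var port=N (8000 if not given).
# Prints each problem found; returns 0 only when everything is consistent.
check_divert_setup() {
    cds_rc=0
    has_setting "$1" firewall_enable '[Yy][Ee][Ss]' ||
        { echo "firewall_enable is not YES in $1"; cds_rc=1; }
    has_setting "$2" ipdivert_load '[Yy][Ee][Ss]' ||
        { echo "ipdivert_load is not YES in $2"; cds_rc=1; }
    divert_ports < "$3" | grep -qx "$4" ||
        { echo "no ipfw rule diverts to port $4"; cds_rc=1; }
    return $cds_rc
}

# Constructed sample inputs so the check runs on any machine.
d=$(mktemp -d)
printf 'firewall_enable="YES"\n' > "$d/rc.conf"
printf 'ipdivert_load="YES"\n' > "$d/loader.conf"
printf '00075 divert 8000 icmp from any to any\n65535 deny ip from any to any\n' > "$d/rules"

# Default port matches the rule; port 5000 would also need a matching rule.
check_divert_setup "$d/rc.conf" "$d/loader.conf" "$d/rules" 8000 && echo "port 8000: ok"
check_divert_setup "$d/rc.conf" "$d/loader.conf" "$d/rules" 5000 || echo "port 5000: mismatch"
```

On a live FreeBSD host the arguments would be /etc/rc.conf, /boot/loader.conf and a file holding the output of `ipfw list`.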