[Snort-users] Can't start DAQ (-1) - ipfw_daq_start: can't create divert socket

Ricky Huang rhuang.work at ...11827...
Mon Mar 11 18:53:38 EDT 2013

On Mar 8, 2013, at 12:29 PM, Lawrence Teo <lteo at ...16129...> wrote:

> […]
> The DAQ README says that you'll need to recompile the kernel to enable
> support for divert sockets by placing the following lines in the
> kernel config:
>    options IPFIREWALL
>    options IPDIVERT

Thanks for the idea Lawrence.  I eventually used the loadable kernel modules by adding firewall_enable="YES" in /etc/rc.conf and ipdivert_load="YES" in /boot/loader.conf instead of recompiling the kernel.  Your suggestion pointed me in the correct direction.

> The DAQ README also shows sample ipfw commands that you can use, e.g.
> "ipfw add 75 divert 8000 icmp from any to any".  Note that 8000 is the
> default divert port in the IPFW DAQ; if you change it to something else
> like 5000, you'll need to start Snort with an additional command-line
> argument: --daq-var port=5000
> […]

Can you please refer me to the DAQ README documentation?  Snort User Manual 2.9.4 "1.5 Packet Acquisition" (http://manual.snort.org/node7.html) is the closest thing I found and I don't see the "ipfw add…" example you referred 

Thanks again!
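
Added example, not part of the original messages or the DAQ README: a preflight check in sh for the three settings this thread ties to the divert socket error (firewall_enable in rc.conf, ipdivert_load in loader.conf, and an ipfw divert rule whose port matches the one Snort is started with). The function names, the file arguments and the sample file contents are constructed for illustration, and the rules file is assumed to hold saved `ipfw list` output.

```shell
#!/bin/sh
# Added example (not from the thread): preflight check for the IPFW DAQ setup.

# conf_yes FILE KEY: succeed if FILE has an uncommented KEY="YES" line.
conf_yes() {
    grep -Eiq "^[[:space:]]*$2=\"?YES\"?[[:space:]]*(#.*)?\$" "$1" 2>/dev/null
}

# divert_ports FILE: print the divert port of each rule in saved `ipfw list` output.
divert_ports() {
    awk '{ for (i = 2; i < NF; i++) if ($i == "divert") print $(i + 1) }' "$1"
}

# preflight RC_CONF LOADER_CONF RULES PORT
# Prints one line per problem and returns the number of problems found.
preflight() {
    problems=0
    if ! conf_yes "$1" firewall_enable; then
        echo "rc.conf: firewall_enable is not set to YES"
        problems=$((problems + 1))
    fi
    if ! conf_yes "$2" ipdivert_load; then
        echo "loader.conf: ipdivert_load is not set to YES"
        problems=$((problems + 1))
    fi
    if ! divert_ports "$3" | grep -qxF -- "$4"; then
        echo "ipfw: no divert rule sends traffic to port $4"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# write_sample DIR: constructed sample files matching the settings in the thread.
write_sample() {
    printf '%s\n' 'hostname="ids.example.test"' 'firewall_enable="YES"' > "$1/rc.conf"
    printf '%s\n' 'ipdivert_load="YES"' > "$1/loader.conf"
    printf '%s\n' '00075 divert 8000 icmp from any to any' \
        '65535 deny ip from any to any' > "$1/rules"
}

# Demo on the constructed files: 8000 matches the rule, 5000 does not.
demo=$(mktemp -d)
write_sample "$demo"
preflight "$demo/rc.conf" "$demo/loader.conf" "$demo/rules" 8000 && echo "port 8000: ok"
preflight "$demo/rc.conf" "$demo/loader.conf" "$demo/rules" 5000 || echo "port 5000: $? problem(s)"
rm -rf "$demo"
```

The port argument is the value that would be passed as `--daq-var port=`, or 8000 when Snort is started with the IPFW DAQ default.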