[Snort-users] Can't start DAQ (-1) - ipfw_daq_start: can't create divert socket

Russ Combs rcombs at ...1935...
Tue Mar 12 12:26:57 EDT 2013


On Mon, Mar 11, 2013 at 6:53 PM, Ricky Huang <rhuang.work at ...11827...> wrote:

> On Mar 8, 2013, at 12:29 PM, Lawrence Teo <lteo at ...16129...> wrote:
>
> […]
>
>
> The DAQ README says that you'll need to recompile the kernel to enable
> support for divert sockets by placing the following lines in the
> kernel config:
>
>    options IPFIREWALL
>    options IPDIVERT
>
>
> Thanks for the idea Lawrence.  I eventually used the loadable kernel
> modules by adding firewall_enable="YES" in /etc/rc.conf
> and ipdivert_load="YES" in /boot/loader.conf instead of recompiling the
> kernel.  Your suggestion pointed me in the correct direction.
>

Thanks for reporting your resolution.  I'll add that to the DAQ README.

>
>
> The DAQ README also shows sample ipfw commands that you can use, e.g.
> "ipfw add 75 divert 8000 icmp from any to any".  Note that 8000 is the
> default divert port in the IPFW DAQ; if you change it to something else
> like 5000, you'll need to start Snort with an additional command-line
> argument: --daq-var port=5000
>
> […]
>
>
> Can you please refer me to the DAQ README documentation?  Snort User
> Manual 2.9.4 "1.5 Packet Acquisition" (http://manual.snort.org/node7.html)
> is the closest thing I found and I don't see the "ipfw add…" example you
> referred
>

The DAQ README is in the DAQ tarball (not to be confused with README.daq
which is in the Snort tarball).

>
>
> Thanks again!
>
>
>
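
A preflight check for the setup discussed in this thread, added here as an example (it is not from the posters or the DAQ project): it confirms the two settings named above and derives Snort's DAQ arguments from the divert port found in the ipfw rules. The function names, the rules-file argument and selecting the module with `--daq ipfw` are assumptions of this example.

```shell
#!/bin/sh
# Preflight for the Snort IPFW DAQ on FreeBSD, using the settings named in this thread.
# File paths are arguments so the checks can also run against copies of the files.

DEFAULT_DIVERT_PORT=8000   # default divert port of the IPFW DAQ, per the thread

# conf_has KEY VALUE FILE: true if FILE has an uncommented KEY="VALUE" line.
# Assumption: the value is spelled exactly as given (e.g. YES, not yes).
conf_has() {
    grep -Eq "^[[:space:]]*$1=\"?$2\"?[[:space:]]*(#.*)?\$" "$3" 2>/dev/null
}

# divert_ports: read ipfw rule text on stdin (e.g. `ipfw list` output),
# print each distinct port that follows the word "divert".
divert_ports() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "divert") print $(i + 1) }' | sort -un
}

# snort_daq_args PORT: print the DAQ arguments Snort needs for that divert port.
# --daq-var port=N is only required when the port differs from the default.
snort_daq_args() {
    if [ "$1" = "$DEFAULT_DIVERT_PORT" ]; then
        echo "--daq ipfw"
    else
        echo "--daq ipfw --daq-var port=$1"
    fi
}

# preflight RC_CONF LOADER_CONF RULES_FILE: report problems, return non-zero if any.
preflight() {
    rc=0
    conf_has firewall_enable YES "$1" || { echo "missing firewall_enable=\"YES\" in $1"; rc=1; }
    conf_has ipdivert_load YES "$2" || { echo "missing ipdivert_load=\"YES\" in $2"; rc=1; }
    ports=$(divert_ports < "$3")
    n=$(printf '%s\n' "$ports" | grep -c . || true)
    case $n in
        0) echo "no divert rule found in $3"; rc=1 ;;
        1) echo "snort args: $(snort_daq_args "$ports")" ;;
        *) echo "multiple divert ports in $3: $(echo $ports)"; rc=1 ;;
    esac
    return $rc
}

# Typical call: sh preflight.sh /etc/rc.conf /boot/loader.conf rules.txt
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

Here `rules.txt` stands for saved `ipfw list` output; a missing setting or a divert port that Snort was not told about both lead to the "can't create divert socket" class of startup failure this thread is about.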