[Snort-users] Can't start DAQ (-1) - ipfw_daq_start: can't create divert socket

Ricky Huang rhuang.work at ...11827...
Tue Mar 12 13:24:58 EDT 2013


On Mar 12, 2013, at 9:26 AM, Russ Combs <rcombs at ...1935...> wrote:

> On Mon, Mar 11, 2013 at 6:53 PM, Ricky Huang <rhuang.work at ...11827...> wrote:
> On Mar 8, 2013, at 12:29 PM, Lawrence Teo <lteo at ...16129...> wrote:
> 
>> […]
>> 
>> The DAQ README says that you'll need to recompile the kernel to enable
>> support for divert sockets by placing the following lines in the
>> kernel config:
>> 
>>    options IPFIREWALL
>>    options IPDIVERT
> 
> Thanks for the idea Lawrence.  I eventually used the loadable kernel modules by adding firewall_enable="YES" in /etc/rc.conf and ipdivert_load="YES" in /boot/loader.conf instead of recompiling the kernel.  Your suggestion pointed me in the correct direction.
> 
> Thanks for reporting your resolution.  I'll add that to the DAQ README.

Hello Russ, below are the actual lines:
	/etc/rc.conf
		firewall_enable="YES"
		firewall_type="OPEN" # BSD denies all traffic by default, you'll get locked out without this!
	/boot/loader.conf
		ipfw_load="YES"
		ipdivert_load="YES"


>> The DAQ README also shows sample ipfw commands that you can use, e.g.
>> "ipfw add 75 divert 8000 icmp from any to any".  Note that 8000 is the
>> default divert port in the IPFW DAQ; if you change it to something else
>> like 5000, you'll need to start Snort with an additional command-line
>> argument: --daq-var port=5000
>> […]
> 
> Can you please refer me to the DAQ README documentation?  Snort User Manual 2.9.4 "1.5 Packet Acquisition" (http://manual.snort.org/node7.html) is the closest thing I found and I don't see the "ipfw add…" example you referred to.
> 
> The DAQ README is in the DAQ tarball (not to be confused with README.daq which is in the Snort tarball). 

Ah, I used DAQ from BSD ports so I was unaware of this.  Thank you!

BTW, is there documentation somewhere that outlines how Snort is set up as an IPS?


> 
> 
> Thanks again!
> 

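The pieces of the setup discussed in this thread (the rc.conf and loader.conf lines, the divert rule from the DAQ README, and the --daq-var port argument) fit together as follows. This is an added example, not code from the thread or from the Snort/DAQ project; it assumes FreeBSD module names ipfw and ipdivert, a Snort config at /usr/local/etc/snort/snort.conf, rule number 75 as in the DAQ README sample, Snort's -Q flag for inline mode, and a DRY_RUN switch of my own so the script can be read and exercised without touching a live box. Two caveats a practitioner should keep in mind: firewall_type="OPEN" installs a pass-all ruleset, so the divert rule must carry a lower number than that pass rule to be evaluated first; and divert(4) drops packets diverted to a port with no bound socket, so when Snort is not running the diverted traffic is dropped (fail closed, which is what you want from an IPS, but also an outage you need to monitor).

```shell
#!/bin/sh
# Added example (not from the thread): FreeBSD ipfw divert setup for Snort inline.
# Assumptions not stated in the thread: snort.conf path, -Q for inline mode,
# kldload module names, and the DRY_RUN switch (defaults to printing, not running).

DIVERT_PORT="${DIVERT_PORT:-8000}"   # 8000 is the IPFW DAQ default (per the thread)
RULE_NUM="${RULE_NUM:-75}"           # 75 as in the DAQ README sample rule
PROTO="${PROTO:-icmp}"               # the README example diverts icmp; "ip" diverts everything
SNORT_CONF="${SNORT_CONF:-/usr/local/etc/snort/snort.conf}"   # assumed path
DRY_RUN="${DRY_RUN:-1}"

# Append a line to a file only if an identical line is not already present,
# so re-running the script never duplicates rc.conf / loader.conf entries.
ensure_line() {
    file="$1"; line="$2"
    [ -f "$file" ] || : > "$file"
    if ! grep -qxF -- "$line" "$file"; then
        printf '%s\n' "$line" >> "$file"
    fi
}

# The exact lines posted in the thread, written idempotently.
# firewall_type="OPEN": ipfw's default policy denies everything, so without a
# pass-all ruleset you lock yourself out of the host.
write_boot_config() {
    rc="$1"; loader="$2"
    ensure_line "$rc" 'firewall_enable="YES"'
    ensure_line "$rc" 'firewall_type="OPEN"'
    ensure_line "$loader" 'ipfw_load="YES"'
    ensure_line "$loader" 'ipdivert_load="YES"'
}

# ipfw rule in the form shown in the DAQ README: divert matching packets to PORT.
# The rule number must be lower than the OPEN ruleset's pass-all rule so it runs first.
ipfw_divert_rule() {
    printf 'ipfw add %s divert %s %s from any to any\n' "$1" "$2" "$3"
}

# Snort inline command line. --daq-var port is only needed when the divert
# port differs from the DAQ default of 8000 (as Lawrence noted in the thread).
snort_inline_cmd() {
    port="$1"; conf="$2"
    cmd="snort -Q --daq ipfw -c $conf"
    [ "$port" = "8000" ] || cmd="$cmd --daq-var port=$port"
    printf '%s\n' "$cmd"
}

main() {
    rule=$(ipfw_divert_rule "$RULE_NUM" "$DIVERT_PORT" "$PROTO")
    snort=$(snort_inline_cmd "$DIVERT_PORT" "$SNORT_CONF")
    if [ "$DRY_RUN" = "1" ]; then
        printf 'would append rc.conf/loader.conf lines, then run:\n  %s\n  %s\n' "$rule" "$snort"
        return 0
    fi
    write_boot_config /etc/rc.conf /boot/loader.conf
    kldload ipfw 2>/dev/null      # no-ops if already loaded or compiled in
    kldload ipdivert 2>/dev/null
    $rule                          # install the divert rule now (rc.conf handles reboot)
    exec $snort                    # Snort must be running, or diverted packets are dropped
}

main "$@"
```

Run it as-is to see what it would do; set DRY_RUN=0 as root on the FreeBSD sensor to apply it. Changing DIVERT_PORT automatically keeps the ipfw rule and the --daq-var port argument in agreement, which is the mismatch the thread warns about.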