[Snort-users] ERROR: Can't start DAQ

Al Lewis (allewi) allewi at ...589...
Tue Mar 31 11:59:25 EDT 2015


Have you started it with -u and -g to drop permissions after being started as root?


-u <uname> Run snort uid as <uname> user (or uid) after initialization
-g <gname> Run snort gid as <gname> group (or gid) after initialization



Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...589...

From: Al Lewis (allewi)
Sent: Tuesday, March 31, 2015 11:37 AM
To: Dan Roberts; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] ERROR: Can't start DAQ

Your user needs to be able to open a socket.

Can your snort user run something like tcpdump on an interface? If not, then it needs rights.



From: Dan Roberts [mailto:danroberts2604 at ...11827...]
Sent: Tuesday, March 31, 2015 11:22 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] ERROR: Can't start DAQ

Hi guys,

My snort configuration works pretty well as long as I run it as root during my test.

But for some obvious reason, I now want to put it in prod and run it as user "snort", using the options "-u snort -g snort".

This is where I get

--= Initializing Snort =--
Initializing Output Plugins!
pcap DAQ configured to passive.
Acquiring network traffic from "eth0".
ERROR: Can't start DAQ (-1) - socket: Operation not permitted!
Fatal Error, Quitting...

I've googled around a bit, without success.

It surely has something to do with some missing rights...

Do you have any idea? Does user "snort" have some specific rights?

Your help would be highly appreciated ;-)

Thanks

Dan
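
Added example, not part of the original thread: a Python check, meant to be run as the snort user, for the question raised above of whether that user can open a capture socket. It assumes Linux, where opening a packet socket requires CAP_NET_RAW; the function names are illustrative.

```python
import socket

# Capability bit number from <linux/capability.h>
CAP_NET_RAW = 13
ETH_P_ALL = 0x0003  # "all protocols", as used for sniffing sockets


def effective_caps(status_text):
    """Parse the CapEff bitmask out of /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split()[1], 16)
    raise ValueError("no CapEff line found")


def has_cap(mask, cap):
    """True if capability bit number `cap` is set in `mask`."""
    return bool((mask >> cap) & 1)


def can_open_packet_socket():
    """Try to open a packet socket; False if refused or unsupported."""
    af_packet = getattr(socket, "AF_PACKET", None)  # Linux only
    if af_packet is None:
        return False
    try:
        s = socket.socket(af_packet, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    except OSError:  # PermissionError (EPERM) is a subclass of OSError
        return False
    s.close()
    return True


def diagnose(status_text, socket_ok):
    """Explain the result for the user this script is running as."""
    if socket_ok:
        return "ok: this user can open a packet socket"
    if not has_cap(effective_caps(status_text), CAP_NET_RAW):
        return "missing CAP_NET_RAW: this user cannot open a capture socket"
    return "socket refused despite CAP_NET_RAW: check other restrictions"


if __name__ == "__main__":
    with open("/proc/self/status") as f:
        print(diagnose(f.read(), can_open_packet_socket()))
```

Running it once as root and once as the snort user shows whether the "Operation not permitted" error comes from the account rather than from the Snort configuration.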

