[Snort-users] ERROR: can't find nfq DAQ

Marcin Dulak marcin.dulak at ...11827...
Wed Nov 30 17:17:27 EST 2016


Try to specify the location of daq modules with (replace with the path
where daq_nfq.so lives):

snort --daq-dir /usr/lib64/daq/ --daq-list

Marcin

On Wed, Nov 30, 2016 at 11:05 PM, Amal Saeed <amal.saeed at ...17680...> wrote:

> When I ran it as root, it validated the configuration, just like that! But
> now my nfq module is missing.
>
> On Wed, Nov 30, 2016 at 4:15 PM, Al Lewis (allewi) <allewi at ...589...>
> wrote:
>
>> Couple of things to try as a test.
>>
>> 1) try running it as root (for permissions).
>>
>> 2) create the alert file then
>>
>> 3) run snort without logging enabled
>>
>>
>> When you start snort the user has to have elevated privileges. So a
>> regular user may not cut it.
>>
>>
>> See the DAQ readme:
>>
>> NFQ Module
>> ==========
>>
>> NFQ is the new and improved way to process iptables packets:
>>
>>     ./snort --daq nfq \
>>         [--daq-var device=<dev>] \
>>         [--daq-var proto=<proto>] \
>>         [--daq-var queue=<qid>]
>>
>>     <dev> ::= ip | eth0, etc; default is IP injection
>>     <proto> ::= ip4 | ip6 |; default is ip4
>>     <qid> ::= 0..65535; default is 0
>>
>> *This module can not run unprivileged so ./snort -u -g will produce a
>> warning*
>> *and won't change user or group.*
>>
>> Notes on iptables are given below.
>>
>>
>> *Albert Lewis*
>>
>> ENGINEER.SOFTWARE ENGINEERING
>>
>> SOURCE*fire*, Inc. now part of *Cisco*
>>
>> Email: allewi at ...589...
>>
>> From: Amal Saeed <amal.saeed at ...17680...>
>> Date: Wednesday, November 30, 2016 at 3:33 PM
>>
>> To: allewi <allewi at ...589...>
>> Cc: 'snort-users' <snort-users at lists.sourceforge.net>
>> Subject: Re: [Snort-users] ERROR: can't find nfq DAQ
>>
>> I have full permissions though (see attached)?
>>
>> On Wed, Nov 30, 2016 at 3:19 PM, Amal Saeed <amal.saeed at ...17680...>
>> wrote:
>>
>>> I'm running as a regular user.
>>>
>>> On Wed, Nov 30, 2016 at 3:17 PM, Al Lewis (allewi) <allewi at ...589...>
>>> wrote:
>>>
>>>> Permissions on the directory wouldn’t be something snort can control.
>>>>
>>>> Who are you running snort as? root? regular user?
>>>>
>>>>
>>>> From: Amal Saeed <amal.saeed at ...17680...>
>>>> Date: Wednesday, November 30, 2016 at 3:05 PM
>>>> To: allewi <allewi at ...589...>
>>>> Cc: 'snort-users' <snort-users at lists.sourceforge.net>
>>>> Subject: Re: [Snort-users] ERROR: can't find nfq DAQ
>>>>
>>>> So I just ran:  *snort -i wlan0 -c /etc/snort/snort.conf -T*
>>>> and Snort successfully validated my configuration.
>>>>
>>>> I've tried changing permission on my /var/log/snort directory, but it
>>>> doesn't take the changes.
>>>>
>>>> On Wed, Nov 30, 2016 at 2:59 PM, Al Lewis (allewi) <allewi at ...589...>
>>>> wrote:
>>>>
>>>>> The error is “ERROR: OpenAlertFile() => fopen() alert file
>>>>> /var/log/snort/alert: *Permission denied*”
>>>>>
>>>>> Doesn’t look like snort can write to your logging directory.
>>>>>
>>>>>
>>>>> From: Amal Saeed <amal.saeed at ...17680...>
>>>>> Date: Wednesday, November 30, 2016 at 2:51 PM
>>>>> To: 'snort-users' <snort-users at lists.sourceforge.net>
>>>>> Subject: [Snort-users] ERROR: can't find nfq DAQ
>>>>>
>>>>> Hello,
>>>>>
>>>>> I'm trying to run Snort in inline mode (-Q), but I kept running into
>>>>> this problem, where it says can't find nfq DAQ even though I see nfq listed
>>>>> in my --daq-list. I've tried troubleshooting with every source I found
>>>>> online, but now I get a different error.
>>>>>
>>>>> If I run: *snort --daq nfq -Q -c /etc/snort/snort.conf*
>>>>> I get:
>>>>> Log directory = /var/log/snort
>>>>> ERROR: OpenAlertFile() => fopen() alert file /var/log/snort/alert:
>>>>> Permission denied
>>>>> Fatal Error, Quitting..
>>>>>
>>>>> If I run: *snort -T -c /etc/snort/snort.conf*
>>>>> I get:
>>>>> [ Number of patterns truncated to 20 bytes: 497 ]
>>>>> ERROR: Active response: can't open ip!
>>>>> Fatal Error, Quitting..
>>>>>
>>>>> I have an IP address and I can ping myself/others and receive pings
>>>>> with no issue.
>>>>>
>>>>> Please advise on what I can do to resolve this, thank you!
>>>>>
>>>>> --
>>>>> Amal Saeed
>>>>> Simmons College '17, B.S. Computer Science & Information Technology
>>>>> Secretary, 2017 Class Council
>>>>> Co-Vice President, Computer Science & Mathematics Liaison
>>>>> Technology Assistant, *Simmons Technology Support Center*
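The three conditions this thread works through (root privileges for the NFQ module, a writable log directory, and a DAQ directory that actually contains daq_nfq.so) as a preflight script. This is an added example, not part of the original messages; the function names and the candidate directories other than /usr/lib64/daq are assumptions.

```shell
#!/bin/sh
# Added example: preflight checks for `snort --daq nfq -Q`, based on the
# failures discussed in this thread. Function names are hypothetical.

# Print the first directory among the arguments that contains daq_nfq.so.
find_nfq_daq_dir() {
    for dir in "$@"; do
        if [ -f "$dir/daq_nfq.so" ]; then
            printf '%s\n' "$dir"
            return 0
        fi
    done
    return 1
}

# snort_nfq_preflight UID LOG_DIR DAQ_DIR...
# Prints one line per finding and returns the number of failed checks.
snort_nfq_preflight() {
    uid=$1; log_dir=$2; shift 2
    failures=0

    # DAQ readme quoted in the thread: the NFQ module cannot run unprivileged.
    if [ "$uid" -ne 0 ]; then
        echo "FAIL: uid $uid is not root; NFQ cannot run unprivileged"
        failures=$((failures + 1))
    fi

    # "OpenAlertFile() => fopen() ... Permission denied": log dir not writable.
    if [ ! -d "$log_dir" ] || [ ! -w "$log_dir" ]; then
        echo "FAIL: cannot write to log directory $log_dir"
        failures=$((failures + 1))
    fi

    # "can't find nfq DAQ": point --daq-dir at the directory holding the module.
    if daq_dir=$(find_nfq_daq_dir "$@"); then
        echo "OK: snort --daq-dir $daq_dir --daq nfq -Q -c /etc/snort/snort.conf"
    else
        echo "FAIL: daq_nfq.so not found in: $*"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# /usr/lib64/daq comes from the thread; the other two paths are assumed.
if [ "${1:-}" = "--run" ]; then
    snort_nfq_preflight "$(id -u)" /var/log/snort \
        /usr/lib64/daq /usr/lib/daq /usr/local/lib/daq
fi
```

Run it with `--run` as the account that will start Snort; the exit status is the number of failed checks.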