[Snort-users] ERROR: can't find nfq DAQ

Amal Saeed amal.saeed at ...17680...
Wed Nov 30 18:46:17 EST 2016


Okay, so I see nfq there, but when I run this command:
*snort --daq nfq -Q -c /etc/snort/snort.conf* it still says permission denied.

When I run this: *snort /usr/local/lib/daq -Q -c /etc/snort/snort.conf* it
still says permission denied:
Log directory = /var/log/snort
ERROR: OpenAlertFile() => fopen() alert file /var/log/snort/alert:
Permission denied
Fatal Error, Quitting..

I'm really confused - it seems like everything is in place, but it still
refuses to run.



On Wed, Nov 30, 2016 at 5:17 PM, Marcin Dulak <marcin.dulak at ...11827...>
wrote:

> Try to specify the location of daq modules with (replace with the path
> where daq_nfq.so lives):
>
> snort --daq-dir /usr/lib64/daq/ --daq-list
>
> Marcin
>
> On Wed, Nov 30, 2016 at 11:05 PM, Amal Saeed <amal.saeed at ...17680...>
> wrote:
>
>> When I ran it as root, it validated the configuration, just like that!
>> But now my nfq module is missing.
>>
>> On Wed, Nov 30, 2016 at 4:15 PM, Al Lewis (allewi) <allewi at ...589...>
>> wrote:
>>
>>> Couple of things to try as a test.
>>>
>>> 1) try running it as root (for permissions).
>>>
>>> 2) create the alert file then
>>>
>>> 3) run snort without logging enabled
>>>
>>>
>>> When you start snort the user has to have elevated privileges. So a
>>> regular user may not cut it..
>>>
>>>
>>> See the DAQ readme:
>>>
>>> NFQ Module
>>> ==========
>>>
>>> NFQ is the new and improved way to process iptables packets:
>>>
>>>     ./snort --daq nfq \
>>>         [--daq-var device=<dev>] \
>>>         [--daq-var proto=<proto>] \
>>>         [--daq-var queue=<qid>]
>>>
>>>     <dev> ::= ip | eth0, etc; default is IP injection
>>>     <proto> ::= ip4 | ip6 |; default is ip4
>>>     <qid> ::= 0..65535; default is 0
>>>
>>> *This module can not run unprivileged so ./snort -u -g will produce a
>>> warning*
>>> *and won't change user or group.*
>>>
>>> Notes on iptables are given below.
>>>
>>>
>>> *Albert Lewis*
>>>
>>> ENGINEER.SOFTWARE ENGINEERING
>>>
>>> SOURCE*fire*, Inc. now part of *Cisco*
>>>
>>> Email: allewi at ...589...
>>>
>>> From: Amal Saeed <amal.saeed at ...17680...>
>>> Date: Wednesday, November 30, 2016 at 3:33 PM
>>>
>>> To: allewi <allewi at ...589...>
>>> Cc: 'snort-users' <snort-users at lists.sourceforge.net>
>>> Subject: Re: [Snort-users] ERROR: can't find nfq DAQ
>>>
>>> I have full permissions though (see attached)?
>>>
>>> On Wed, Nov 30, 2016 at 3:19 PM, Amal Saeed <amal.saeed at ...17680...>
>>> wrote:
>>>
>>>> I'm running as a regular user.
>>>>
>>>> On Wed, Nov 30, 2016 at 3:17 PM, Al Lewis (allewi) <allewi at ...589...>
>>>> wrote:
>>>>
>>>>> Permissions on the directory wouldn’t be something snort can control.
>>>>>
>>>>> Who are you running snort as? root? regular user?
>>>>>
>>>>> From: Amal Saeed <amal.saeed at ...17680...>
>>>>> Date: Wednesday, November 30, 2016 at 3:05 PM
>>>>> To: allewi <allewi at ...589...>
>>>>> Cc: 'snort-users' <snort-users at lists.sourceforge.net>
>>>>> Subject: Re: [Snort-users] ERROR: can't find nfq DAQ
>>>>>
>>>>> So I just ran:  *snort -i wlan0 -c /etc/snort/snort.conf -T*
>>>>> and Snort successfully validated my configuration.
>>>>>
>>>>> I've tried changing permission on my /var/log/snort directory, but it
>>>>> doesn't take the changes.
>>>>>
>>>>> On Wed, Nov 30, 2016 at 2:59 PM, Al Lewis (allewi) <allewi at ...589...>
>>>>> wrote:
>>>>>
>>>>>> The error is “ERROR: OpenAlertFile() => fopen() alert file
>>>>>> /var/log/snort/alert: *Permission denied*"
>>>>>>
>>>>>> Doesn’t look like snort can write to your logging directory.
>>>>>>
>>>>>> From: Amal Saeed <amal.saeed at ...17680...>
>>>>>> Date: Wednesday, November 30, 2016 at 2:51 PM
>>>>>> To: 'snort-users' <snort-users at lists.sourceforge.net>
>>>>>> Subject: [Snort-users] ERROR: can't find nfq DAQ
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> I'm trying to run Snort in inline mode (-Q), but I kept running into
>>>>>> this problem, where it says can't find nfq DAQ even though I see nfq listed
>>>>>> in my --daq-list. I've tried troubleshooting with every source I found
>>>>>> online, but now I get a different error.
>>>>>>
>>>>>> If I run: *snort --daq nfq -Q -c /etc/snort/snort.conf*
>>>>>> I get:
>>>>>> Log directory = /var/log/snort
>>>>>> ERROR: OpenAlertFile() => fopen() alert file /var/log/snort/alert:
>>>>>> Permission denied
>>>>>> Fatal Error, Quitting..
>>>>>>
>>>>>> If I run: *snort -T -c /etc/snort/snort.conf*
>>>>>> I get:
>>>>>> [ Number of patterns truncated to 20 bytes: 497 ]
>>>>>> ERROR: Active response: can't open ip!
>>>>>> Fatal Error, Quitting..
>>>>>>
>>>>>> I have an IP address and I can ping myself/others and receive pings
>>>>>> with no issue.
>>>>>>
>>>>>> Please advise on what I can do to resolve this, thank you!
>>>>>>
>>>>>> --
>>>>>> Amal Saeed
>>>>>> Simmons College '17, B.S. Computer Science & Information Technology
>>>>>> Secretary, 2017 Class Council
>>>>>> Co-Vice President, Computer Science & Mathematics Liaison
>>>>>> Technology Assistant, *Simmons Technology Support Center*
>>>>>>


-- 
Amal Saeed
Simmons College '17, B.S. Computer Science & Information Technology
Secretary, 2017 Class Council
Co-Vice President, Computer Science & Mathematics Liaison
Technology Assistant, *Simmons Technology Support Center*
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screen Shot 2016-11-30 at 6.42.58 PM.png
Type: image/png
Size: 192149 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20161130/5a2d58a4/attachment.png>
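
The three conditions this thread keeps running into (root for the nfq DAQ, a DAQ directory that actually holds daq_nfq.so, and a writable alert file), as an added example that is not part of the original messages or of Snort itself. The function name `snort_nfq_preflight` and its arguments are hypothetical; the optional third argument only overrides the detected uid.

```shell
#!/bin/sh
# Added example: preflight checks before "snort --daq nfq -Q".
# usage: snort_nfq_preflight <log_dir> <daq_dir> [uid]
# The file tests below apply to the account running this script, so run it
# as the same account that will start snort.
snort_nfq_preflight() {
    log_dir=$1
    daq_dir=$2
    uid=${3:-$(id -u)}      # assumption: third argument overrides the real uid
    rc=0

    # 1. DAQ readme quoted in the thread: the NFQ module cannot run unprivileged.
    if [ "$uid" -ne 0 ]; then
        echo "FAIL uid=$uid: the nfq DAQ needs root"
        rc=1
    fi

    # 2. The directory given to --daq-dir must contain daq_nfq.so.
    if [ ! -f "$daq_dir/daq_nfq.so" ]; then
        echo "FAIL no daq_nfq.so in $daq_dir"
        rc=1
    fi

    # 3. OpenAlertFile() opens <log_dir>/alert: an existing file must be
    #    writable, otherwise the directory must allow creating it.
    alert=$log_dir/alert
    if [ -e "$alert" ]; then
        if [ ! -w "$alert" ]; then
            echo "FAIL $alert exists but is not writable"
            rc=1
        fi
    elif [ ! -d "$log_dir" ] || [ ! -w "$log_dir" ] || [ ! -x "$log_dir" ]; then
        echo "FAIL cannot create $alert"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK uid, DAQ module and alert file checks passed"
    return "$rc"
}

# Run directly, e.g.: sh preflight.sh /var/log/snort /usr/lib64/daq
if [ "$#" -ge 2 ]; then
    snort_nfq_preflight "$@"
fi
```
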

