<html><head></head><body><div style="font-family: Verdana;font-size: 12.0px;"><div>Dear friends,</div>

<div> </div>

<div>after a long period of silence I am back with another challenge ;)</div>

<div>I am in the process of migrating a server from physical to virtual and I want to set up snort in the same way.</div>

<div>The goal is to set up snort inline on a single interface. As far as I know the only option is with NFQ.</div>

<div> </div>

<div>Hence I am trying to set it up on the vserver, but it fails during initialisation.</div>

<div>However, I can use NFQUEUE with iptables on the server just fine, which makes me wonder if it is to do with the initialisation of NFQ in DAQ?</div>

<div>Does anybody have an idea of the inner workings of DAQ_NFQ?</div>

<div> </div>

<div>Has anybody done something similar already? Doesn't seem to be too far-fetched... I am happy to use an alternative to NFQ but I am not aware of any.</div>

<div> </div>

<div>Any pointers are greatly appreciated.</div>

<div>Cheers</div>

<div>lIl</div>

<div> </div>

<div>----command:</div>

<div>
<p style="margin:0in;font-family:Calibri;font-size:11.0pt">root@...17069...:/usr/local/snort/bin# ./snort --daq nfq</p>

<p style="margin:0in;font-family:Calibri;font-size:11.0pt">Running in packet dump mode</p>

<p style="margin:0in;font-family:Calibri;font-size:11.0pt"> </p>

<p style="margin:0in;font-family:Calibri;font-size:11.0pt">        --== Initializing Snort ==--</p>

<p style="margin:0in;font-family:Calibri;font-size:11.0pt">Initializing Output Plugins!</p>

<p style="margin:0in;font-family:Calibri;font-size:11.0pt">nfq DAQ configured to passive.</p>

<p style="margin:0in;font-family:Calibri;font-size:11.0pt">ERROR: Can't initialize DAQ nfq (-1) - nfq_daq_initialize: failed to bind protocols for nfq</p>

<p style="margin:0in;font-family:Calibri;font-size:11.0pt"> </p>

<p style="margin:0in;font-family:Calibri;font-size:11.0pt">---strace:</p>

<p style="margin:0in;font-family:Calibri;font-size:11.0pt">socket(PF_NETLINK, SOCK_RAW, 12)        = 3</p>

<p style="margin:0in;font-family:Calibri;font-size:11.0pt">getsockname(3, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 0</p>

<p style="margin:0in;font-family:Calibri;font-size:11.0pt">bind(3, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0</p>

<p style="margin:0in;font-family:Calibri;font-size:11.0pt">getsockname(3, {sa_family=AF_NETLINK, pid=29278, groups=00000000}, [12]) = 0</p>

<p style="margin:0in;font-family:Calibri;font-size:11.0pt">bind(3, {sa_family=AF_NETLINK, pid=29278, groups=00000000}, 12) = 0</p>

<p style="margin:0in;font-family:Calibri;font-size:11.0pt">sendto(3, "\34\0\0\0\2\3\5\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\1\0\4\225\0\2", 28, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 28</p>

<p style="margin:0in;font-family:Calibri;font-size:11.0pt">recvfrom(3, "0\0\0\0\2\0\0\0\0\0\0\0^r\0\0\352\377\377\377\34\0\0\0\2\3\5\0\0\0\0\0"..., 8192, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 48</p>

<p style="margin:0in;font-family:Calibri;font-size:11.0pt">sendto(3, "\34\0\0\0\2\3\5\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\1\0\3\225\0\2", 28, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 28</p>

<p style="margin:0in;font-family:Calibri;font-size:11.0pt">recvfrom(3, "0\0\0\0\2\0\0\0\0\0\0\0^r\0\0\352\377\377\377\34\0\0\0\2\3\5\0\0\0\0\0"..., 8192, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 48</p>

<p style="margin:0in;font-family:Calibri;font-size:11.0pt">close(3)                                = 0</p>

<p style="margin:0in;font-family:Calibri;font-size:11.0pt">write(2, "ERROR: Can't initialize DAQ nfq "..., 93) = 93</p>

<p style="margin:0in;font-family:Calibri;font-size:11.0pt">write(2, "Fatal Error, Quitting..\n", 24) = 24</p>

<p style="margin:0in;font-family:Calibri;font-size:11.0pt">exit_group(1)      </p>

<p style="margin:0in;font-family:Calibri;font-size:11.0pt"> </p>

<div style="font-family: Verdana; font-size: 12px; line-height: 19.2000007629395px;">----- iptables targets</div>

<div style="font-family: Verdana; font-size: 12px; line-height: 19.2000007629395px;">cat /proc/net/ip_tables_targets<br/>
NFQUEUE<br/>
NFQUEUE<br/>
NFQUEUE<br/>
MARK<br/>
MARK<br/>
MARK<br/>
SET<br/>
SET<br/>
MASQUERADE<br/>
REDIRECT<br/>
LOG<br/>
DNAT<br/>
SNAT<br/>
TCPMSS<br/>
ERROR<br/>
TOS<br/>
TOS<br/>
DSCP<br/>
REJECT</div>

<div style="font-family: Verdana; font-size: 12px; line-height: 19.2000007629395px;"> </div>
</div></div></body></html>