
[Snort-users] Can't start DAQ (-1) - ipfw_daq_start: can't create divert socket


Ricky Huang

Mar 8, 2013, 3:03:29 PM
Hello all,

In an attempt to run Snort in inline mode (IPS), I set the DAQ of my Snort to IPFW.  At first it refused to start with the error:

$ snort -i igb0 -u snort -g snort -c /usr/local/etc/snort/snort.conf -N -Q --daq ipfw --daq-mode inline
[…]
ERROR: Can't start DAQ (-1) - ipfw_daq_start: can't create divert socket (Operation not permitted)
!
Fatal Error, Quitting..
(full log attached, snort.ipfw.log)

A little Googling shows this to be an issue of IPFW requiring root to start (http://seclists.org/snort/2013/q1/803).

Fine.  So I started snort as root:wheel and got another flavor of the ipfw_daq_start error:

snort -i igb0 -u root -g wheel -c /usr/local/etc/snort/snort.conf -N -Q --daq ipfw --daq-mode inline
[…]
ERROR: Can't start DAQ (-1) - ipfw_daq_start: can't create divert socket (Protocol not supported)
!
Fatal Error, Quitting..
(full log attached, snort.ipfw.root.log)

At first I am guessing it has to do with the note in the Snort documentation (http://manual.snort.org/node7.html#SECTION00256000000000000000):

* IPFW only supports ip4 traffic.

So I went through my snort.conf and turned off the only two things referring to IPv6:

#preprocessor normalize_ip6
#preprocessor normalize_icmp6

And I am still getting the same "Protocol not supported" error (full log attached, snort.ipfw.root.noip6.log).

I am stumped…

BTW, is there another DAQ choice on FreeBSD 9.0 for inline operation?  Looking in the DAQ library dir:

# ls -1 /usr/local/lib/daq/
daq_dump.so
daq_ipfw.so
daq_pcap.so

It doesn't seem like I have many choices.


Thanks in advance!

Lawrence Teo

Mar 8, 2013, 3:29:46 PM
On Fri, Mar 08, 2013 at 12:03:29PM -0800, Ricky Huang wrote:
> Hello all,
>
> In an attempt to run Snort in inline mode (IPS), I set the DAQ of my Snort to IPFW. At first it refused to start with the error:
>
> $ snort -i igb0 -u snort -g snort -c /usr/local/etc/snort/snort.conf -N -Q --daq ipfw --daq-mode inline
> […]
> ERROR: Can't start DAQ (-1) - ipfw_daq_start: can't create divert socket (Operation not permitted)
> !
> Fatal Error, Quitting..
> (full log attached, snort.ipfw.log)
>
> A little Googling shows this to be an issue of IPFW requiring root to start (http://seclists.org/snort/2013/q1/803).

If you use my patch from that post, you should be able to use IPFW
without root.

> Fine. So I started snort as root:wheel and got another flavor of the ipfw_daq_start error:
>
> snort -i igb0 -u root -g wheel -c /usr/local/etc/snort/snort.conf -N -Q --daq ipfw --daq-mode inline
> […]
> ERROR: Can't start DAQ (-1) - ipfw_daq_start: can't create divert socket (Protocol not supported)
> !
> Fatal Error, Quitting..
> (full log attached, snort.ipfw.root.log)

I don't use FreeBSD but from FreeBSD's errno(2) man page, "Protocol not
supported" sounds like the kernel is missing support for divert sockets:

43 EPROTONOSUPPORT Protocol not supported. The protocol has not
been configured into the system or no implementation for it
exists.

The DAQ README says that you'll need to recompile the kernel to enable
support for divert sockets by placing the following lines in the
kernel config:

options IPFIREWALL
options IPDIVERT

The DAQ README also shows sample ipfw commands that you can use, e.g.
"ipfw add 75 divert 8000 icmp from any to any". Note that 8000 is the
default divert port in the IPFW DAQ; if you change it to something else
like 5000, you'll need to start Snort with an additional command-line
argument: --daq-var port=5000

> At first I am guessing it has to do with the note in the Snort documentation (http://manual.snort.org/node7.html#SECTION00256000000000000000):
>
> * IPFW only supports ip4 traffic.
>
> So I went through my snort.conf and turned off the only two things referring to IPv6:
>
> #preprocessor normalize_ip6
> #preprocessor normalize_icmp6
>
> And I am still getting the same "Protocol not supported" error (full log attached, snort.ipfw.root.noip6.log).
>
> I am stumped…
>
> BTW, is there another DAQ choice on FreeBSD 9.0 for inline operation? Looking in the DAQ library dir:
>
> # ls -1 /usr/local/lib/daq/
> daq_dump.la
> daq_dump.so
> daq_ipfw.la
> daq_ipfw.so
> daq_pcap.la
> daq_pcap.so
>
> It doesn't seem like I have many choices.

I think IPFW is the only choice for inline operation on the BSDs.

> Thanks in advance!

Hope this helps,
Lawrence

_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Ricky Huang

Mar 11, 2013, 6:53:38 PM
On Mar 8, 2013, at 12:29 PM, Lawrence Teo <lt...@lteo.net> wrote:

> […]
>
> The DAQ README says that you'll need to recompile the kernel to enable
> support for divert sockets by placing the following lines in the
> kernel config:
>
>    options IPFIREWALL
>    options IPDIVERT

Thanks for the idea Lawrence.  I eventually used the loadable kernel modules by adding firewall_enable="YES" in /etc/rc.conf and ipdivert_load="YES" in /boot/loader.conf instead of recompiling the kernel.  Your suggestion pointed me in the correct direction.

> The DAQ README also shows sample ipfw commands that you can use, e.g.
> "ipfw add 75 divert 8000 icmp from any to any".  Note that 8000 is the
> default divert port in the IPFW DAQ; if you change it to something else
> like 5000, you'll need to start Snort with an additional command-line
> argument: --daq-var port=5000
> […]

Can you please refer me to the DAQ README documentation?  Snort User Manual 2.9.4 "1.5 Packet Acquisition" (http://manual.snort.org/node7.html) is the closest thing I found and I don't see the "ipfw add…" example you referred


Thanks again!

Russ Combs

Mar 12, 2013, 12:26:57 PM
On Mon, Mar 11, 2013 at 6:53 PM, Ricky Huang <rhuan...@gmail.com> wrote:
> On Mar 8, 2013, at 12:29 PM, Lawrence Teo <lt...@lteo.net> wrote:
>
> > […]
> >
> > The DAQ README says that you'll need to recompile the kernel to enable
> > support for divert sockets by placing the following lines in the
> > kernel config:
> >
> >    options IPFIREWALL
> >    options IPDIVERT
>
> Thanks for the idea Lawrence.  I eventually used the loadable kernel modules by adding firewall_enable="YES" in /etc/rc.conf and ipdivert_load="YES" in /boot/loader.conf instead of recompiling the kernel.  Your suggestion pointed me in the correct direction.

Thanks for reporting your resolution.  I'll add that to the DAQ README.

> > The DAQ README also shows sample ipfw commands that you can use, e.g.
> > "ipfw add 75 divert 8000 icmp from any to any".  Note that 8000 is the
> > default divert port in the IPFW DAQ; if you change it to something else
> > like 5000, you'll need to start Snort with an additional command-line
> > argument: --daq-var port=5000
> > […]
>
> Can you please refer me to the DAQ README documentation?  Snort User Manual 2.9.4 "1.5 Packet Acquisition" (http://manual.snort.org/node7.html) is the closest thing I found and I don't see the "ipfw add…" example you referred

The DAQ README is in the DAQ tarball (not to be confused with README.daq which is in the Snort tarball).

> Thanks again!

Ricky Huang

Mar 12, 2013, 1:24:58 PM
On Mar 12, 2013, at 9:26 AM, Russ Combs <rco...@sourcefire.com> wrote:

> On Mon, Mar 11, 2013 at 6:53 PM, Ricky Huang <rhuan...@gmail.com> wrote:
> > On Mar 8, 2013, at 12:29 PM, Lawrence Teo <lt...@lteo.net> wrote:
> >
> > > […]
> > >
> > > The DAQ README says that you'll need to recompile the kernel to enable
> > > support for divert sockets by placing the following lines in the
> > > kernel config:
> > >
> > >    options IPFIREWALL
> > >    options IPDIVERT
> >
> > Thanks for the idea Lawrence.  I eventually used the loadable kernel modules by adding firewall_enable="YES" in /etc/rc.conf and ipdivert_load="YES" in /boot/loader.conf instead of recompiling the kernel.  Your suggestion pointed me in the correct direction.
>
> Thanks for reporting your resolution.  I'll add that to the DAQ README.

Hello Russ, below are the actual lines:

/etc/rc.conf
firewall_enable="YES"
firewall_type="OPEN" # BSD denies all traffic by default; you'll get locked out without this!

/boot/loader.conf
ipfw_load="YES"
ipdivert_load="YES"

> > > The DAQ README also shows sample ipfw commands that you can use, e.g.
> > > "ipfw add 75 divert 8000 icmp from any to any".  Note that 8000 is the
> > > default divert port in the IPFW DAQ; if you change it to something else
> > > like 5000, you'll need to start Snort with an additional command-line
> > > argument: --daq-var port=5000
> > > […]
> >
> > Can you please refer me to the DAQ README documentation?  Snort User Manual 2.9.4 "1.5 Packet Acquisition" (http://manual.snort.org/node7.html) is the closest thing I found and I don't see the "ipfw add…" example you referred
>
> The DAQ README is in the DAQ tarball (not to be confused with README.daq which is in the Snort tarball).

Ah, I used DAQ from BSD ports so I was unaware of this.  Thank you!

BTW, is there documentation somewhere that outlines how Snort is set up as an IPS?
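An added example, not from the thread or from the DAQ project: a POSIX shell preflight script that pulls together Lawrence's diagnosis of the two ipfw_daq_start errors and Ricky's loader.conf lines. It maps each error message to its cause, checks that loader.conf loads ipfw and ipdivert, checks that `ipfw list` output has a divert rule for the DAQ's port, and builds the matching snort command line (adding --daq-var port= only when the port is not the default 8000). The sample inputs are constructed; the interface name igb0 and the snort.conf path come from the thread.

```shell
#!/bin/sh
# Preflight checks for Snort inline (IPS) with the IPFW DAQ on FreeBSD.
# Each check takes captured text as an argument so it can be run offline;
# on a live host feed it "$(ipfw list)" and "$(cat /boot/loader.conf)".

# Map the two ipfw_daq_start failures from the thread to their cause.
# Prints a diagnosis; returns 1 for an unrecognised message.
diagnose_daq_error() {
    case "$1" in
        *"divert socket (Operation not permitted)"*)
            echo "EPERM: divert sockets need root (or the patched IPFW DAQ)" ;;
        *"divert socket (Protocol not supported)"*)
            echo "EPROTONOSUPPORT: no divert support in kernel; set ipdivert_load=\"YES\" in /boot/loader.conf or build with options IPDIVERT" ;;
        *) return 1 ;;
    esac
}

# True when /boot/loader.conf loads both ipfw and ipdivert at boot
# (the module route used in the thread instead of rebuilding the kernel).
loader_conf_ok() {
    printf '%s\n' "$1" | grep -q '^ipfw_load="YES"' &&
    printf '%s\n' "$1" | grep -q '^ipdivert_load="YES"'
}

# True when `ipfw list` output has a divert rule for the DAQ's port.
# Without one Snort starts cleanly but never receives a packet.
divert_rule_present() {
    printf '%s\n' "$1" | grep -q -E "^[0-9]+ divert $2 "
}

# Build the snort command line; --daq-var port= is only needed when the
# divert port differs from the IPFW DAQ default of 8000.
snort_cmdline() {
    cmd="snort -i $1 -c /usr/local/etc/snort/snort.conf -Q --daq ipfw --daq-mode inline"
    if [ "$2" != "8000" ]; then cmd="$cmd --daq-var port=$2"; fi
    echo "$cmd"
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_LOADER_CONF='ipfw_load="YES"
ipdivert_load="YES"'
SAMPLE_IPFW_LIST='00075 divert 8000 icmp from any to any
65535 allow ip from any to any'
SAMPLE_ERR="ERROR: Can't start DAQ (-1) - ipfw_daq_start: can't create divert socket (Protocol not supported)"

diagnose_daq_error "$SAMPLE_ERR"
loader_conf_ok "$SAMPLE_LOADER_CONF" && echo "loader.conf: ipfw + ipdivert will load"
divert_rule_present "$SAMPLE_IPFW_LIST" 8000 && echo "ipfw: divert rule for port 8000 present"
snort_cmdline igb0 8000
```

The divert port in the ipfw rule and the port the DAQ listens on must agree; the script's last two checks exist to catch that mismatch before Snort is started.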