[Oisf-devel] Suricata IPFW IPS mode on FreeBSD and broadcast packets.

Nikolay Denev ndenev at gmail.com
Sat Dec 22 10:27:17 UTC 2012


Hi,

I'm experimenting running suricata in inline mode using IPFW divert on FreeBSD.

And I had many errors on the console like these:

[100108] 22/12/2012 -- 08:59:32 - (source-ipfw.c:684) <Info> (VerdictIPFWThreadExitStats) -- IPFW Processing: - (Verdict0) Pkts accepted 4890, dropped 120
[100048] 22/12/2012 -- 08:59:32 - (tm-threads.c:2058) <Info> (TmThreadRestartThread) -- thread "Verdict0" restarted
[100108] 22/12/2012 -- 09:00:23 - (source-ipfw.c:541) <Warning> (IPFWSetVerdict) -- [ERRCODE: SC_WARN_IPFW_XMIT(84)] - Write to ipfw divert socket failed: Permission denied
[100108] 22/12/2012 -- 09:00:23 - (source-ipfw.c:684) <Info> (VerdictIPFWThreadExitStats) -- IPFW Processing: - (Verdict0) Pkts accepted 4198, dropped 113
[100048] 22/12/2012 -- 09:00:23 - (tm-threads.c:2058) <Info> (TmThreadRestartThread) -- thread "Verdict0" restarted
[100108] 22/12/2012 -- 09:00:34 - (source-ipfw.c:541) <Warning> (IPFWSetVerdict) -- [ERRCODE: SC_WARN_IPFW_XMIT(84)] - Write to ipfw divert socket failed: Permission denied
[100108] 22/12/2012 -- 09:00:34 - (source-ipfw.c:684) <Info> (VerdictIPFWThreadExitStats) -- IPFW Processing: - (Verdict0) Pkts accepted 854, dropped 23
[100048] 22/12/2012 -- 09:00:34 - (tm-threads.c:2058) <Info> (TmThreadRestartThread) -- thread "Verdict0" restarted
[100108] 22/12/2012 -- 09:00:43 - (source-ipfw.c:541) <Warning> (IPFWSetVerdict) -- [ERRCODE: SC_WARN_IPFW_XMIT(84)] - Write to ipfw divert socket failed: Permission denied
[100108] 22/12/2012 -- 09:00:43 - (source-ipfw.c:684) <Info> (VerdictIPFWThreadExitStats) -- IPFW Processing: - (Verdict0) Pkts accepted 849, dropped 27
[100048] 22/12/2012 -- 09:00:43 - (tm-threads.c:2058) <Info> (TmThreadRestartThread) -- thread "Verdict0" restarted
[100108] 22/12/2012 -- 09:01:17 - (source-ipfw.c:541) <Warning> (IPFWSetVerdict) -- [ERRCODE: SC_WARN_IPFW_XMIT(84)] - Write to ipfw divert socket failed: Permission denied
[100108] 22/12/2012 -- 09:01:17 - (source-ipfw.c:684) <Info> (VerdictIPFWThreadExitStats) -- IPFW Processing: - (Verdict0) Pkts accepted 2505, dropped 96
[100048] 22/12/2012 -- 09:01:17 - (tm-threads.c:2058) <Info> (TmThreadRestartThread) -- thread "Verdict0" restarted
[100108] 22/12/2012 -- 09:01:52 - (source-ipfw.c:541) <Warning> (IPFWSetVerdict) -- [ERRCODE: SC_WARN_IPFW_XMIT(84)] - Write to ipfw divert socket failed: Permission denied
[100108] 22/12/2012 -- 09:01:52 - (source-ipfw.c:684) <Info> (VerdictIPFWThreadExitStats) -- IPFW Processing: - (Verdict0) Pkts accepted 2626, dropped 95
[100048] 22/12/2012 -- 09:01:52 - (tm-threads.c:2058) <Info> (TmThreadRestartThread) -- thread "Verdict0" restarted
[100108] 22/12/2012 -- 09:02:48 - (source-ipfw.c:541) <Warning> (IPFWSetVerdict) -- [ERRCODE: SC_WARN_IPFW_XMIT(84)] - Write to ipfw divert socket failed: Permission denied
[100108] 22/12/2012 -- 09:02:48 - (source-ipfw.c:684) <Info> (VerdictIPFWThreadExitStats) -- IPFW Processing: - (Verdict0) Pkts accepted 4649, dropped 98
[100048] 22/12/2012 -- 09:02:48 - (tm-threads.c:2045) <Error> (TmThreadRestartThread) -- [ERRCODE: SC_ERR_TM_THREADS_ERROR(136)] - thread restarts exceeded threshold limit for thread "Verdict0"

Turns out, sendto() returns EACCES when sending packets with a broadcast address as destination without the SO_BROADCAST flag set on the socket.
I've applied this patch and now there are no more messages like these and suricata does not crash anymore.
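As an added example (this is not the attached patch and not Suricata's source-ipfw.c), the following C program reproduces the failure described above with an ordinary UDP socket, which is subject to the same SO_BROADCAST gate as the divert socket, and then applies the fix the attachment's name describes: setting SO_BROADCAST before writing. A real divert socket needs root and a FreeBSD kernel, so it is not opened here; the function names and the probe datagram are the example's own.

```c
/*
 * Added example, not code from the mail or from Suricata.
 * Reproduces "sendto() -> EACCES" for a broadcast destination on a socket
 * without SO_BROADCAST, then shows the fix.  Runs unprivileged on Linux and
 * FreeBSD with a plain UDP socket; a divert socket (PF_INET, SOCK_RAW,
 * IPPROTO_DIVERT) needs root and FreeBSD and is not opened here.
 */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Open an unbound IPv4 UDP socket; returns the fd or -1. */
static int open_udp_socket(void)
{
    return socket(AF_INET, SOCK_DGRAM, 0);
}

/* Returns 1 if SO_BROADCAST is set on sock, 0 if not, -1 on error. */
static int broadcast_enabled(int sock)
{
    int on = 0;
    socklen_t len = sizeof(on);
    if (getsockopt(sock, SOL_SOCKET, SO_BROADCAST, &on, &len) < 0)
        return -1;
    return on ? 1 : 0;
}

/* The fix: allow datagrams to broadcast destinations on this socket. */
static int enable_broadcast(int sock)
{
    int on = 1;
    return setsockopt(sock, SOL_SOCKET, SO_BROADCAST, &on, sizeof(on));
}

/*
 * Send a small datagram to the limited broadcast address 255.255.255.255.
 * Returns 0 on success or the errno of the failed sendto().  EACCES is the
 * value that means "broadcast destination, SO_BROADCAST not set"; other
 * errors (e.g. ENETUNREACH on a loopback-only host, where the route lookup
 * fails before the flag is checked) are unrelated to the flag.
 */
static int probe_broadcast_send(int sock, unsigned short port)
{
    struct sockaddr_in dst;
    const char payload[] = "probe";   /* constructed sample datagram */

    memset(&dst, 0, sizeof(dst));
    dst.sin_family = AF_INET;
    dst.sin_port = htons(port);
    dst.sin_addr.s_addr = htonl(INADDR_BROADCAST);

    if (sendto(sock, payload, sizeof(payload) - 1, 0,
               (struct sockaddr *)&dst, sizeof(dst)) < 0)
        return errno;
    return 0;
}

int main(void)
{
    int sock = open_udp_socket();
    if (sock < 0) {
        perror("socket");
        return 1;
    }

    /* Port 9 (discard) so a successful send bothers nobody. */
    int err = probe_broadcast_send(sock, 9);
    printf("without SO_BROADCAST: %s\n", err ? strerror(err) : "sent");

    if (enable_broadcast(sock) < 0) {
        perror("setsockopt(SO_BROADCAST)");
        close(sock);
        return 1;
    }
    err = probe_broadcast_send(sock, 9);
    printf("with SO_BROADCAST:    %s\n", err ? strerror(err) : "sent");

    close(sock);
    return 0;
}
```

On a host with a default route the first line prints "Permission denied", the same strerror(EACCES) text that appears in the Suricata warning above; after enable_broadcast() the EACCES path is no longer taken. The check to add to any inline sender is therefore the getsockopt() readback: if broadcast_enabled() returns 0 on the socket you write verdicts to, every broadcast frame will fail the same way.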



-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-set-SO_BROADCAST-on-the-divert-socket-so-that-broadc.patch
Type: application/octet-stream
Size: 1471 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20121222/14b48dc7/attachment.obj>

