[Oisf-users] FreeBSD 8.0 (suricata.c:636) <Error> (main) --[ERRCODE: SC_ERR_MULTIPLE_RUN_MODE(124)]

oisf at rogness.net oisf at rogness.net
Fri Jul 30 17:46:40 UTC 2010


You must specify which packets to send to suricata via an ipfw rule.  For example:

 ipfw add divert 8000 ip from any to any via em0

This example ipfw rule instructs the kernel to send IP packets, with any source/destination address, which either come in or go out interface em0, to divert socket 8000.

Suricata, configured with -d 8000, picks the packets off by listening to this divert socket 8000.

The 8000 specified in the suricata argument to -d MUST match the same value which is added in the 'ipfw divert 8000 ...' command, or suricata will not see packets from IPFW.

The -i em0 flag is not needed for suricata running with IPFW divert sockets.  It would only be needed if you were running in IDS mode via pcap or equivalent.

Hope this helps.

Nick

Sent from my BlackBerry Smartphone provided by Alltel
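As an added example, not part of the thread or of the Suricata project: a small POSIX sh helper that builds the ipfw divert rule and the matching inline suricata command line from one port variable, checks an `ipfw list` style ruleset for that divert port, and counts run-mode selectors on a suricata command line the way the thread's error arises (two selectors, -i and -d, on one command line). The `ipfw list` output embedded below is constructed for the demonstration; the set of run-mode options counted (-i, -r, -q, -d) is an assumption about Suricata 1.0.x and not something the thread states.

```shell
#!/bin/sh
# Added example for the ipfw divert + suricata -d setup discussed above.
# Assumption: ipfw and suricata are not invoked here; the functions only build
# and check command lines and rulesets so they can run on any host.

DIVERT_PORT=8000
IFACE=em0

# Build the ipfw rule that hands all IP traffic on $2 to divert port $1.
ipfw_divert_rule() {
    printf 'ipfw add divert %s ip from any to any via %s\n' "$1" "$2"
}

# Build the inline suricata command line: -d alone selects the IPFW run mode,
# so no -i is given (combining them triggers SC_ERR_MULTIPLE_RUN_MODE).
suricata_ipfw_cmd() {
    printf 'suricata -c /usr/local/etc/suricata/suricata.yaml -d %s\n' "$1"
}

# Print the divert port of every divert rule in `ipfw list` output read from stdin.
# Rule lines look like: "00200 divert 8000 ip from any to any via em0".
divert_ports_in_ruleset() {
    awk '$2 == "divert" { print $3 }'
}

# Return 0 if divert port $1 appears in ruleset text $2, else 1.
check_divert_port() {
    port="$1"
    ruleset="$2"
    printf '%s\n' "$ruleset" | divert_ports_in_ruleset | grep -qx "$port"
}

# Count run-mode selectors on a suricata argument list. Assumption: in
# Suricata 1.0.x each of -i (pcap live), -r (pcap file), -q (nfqueue) and
# -d (ipfw divert) selects one run mode; more than one is an error.
run_mode_count() {
    n=0
    for arg in "$@"; do
        case "$arg" in
            -i|-r|-q|-d) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Constructed sample of `ipfw list` output (not captured from a real box).
SAMPLE_RULESET='00100 allow ip from any to any via lo0
00200 divert 8000 ip from any to any via em0
65535 allow ip from any to any'

# Stand-alone usage: print the two commands and verify they agree on the port.
ipfw_divert_rule "$DIVERT_PORT" "$IFACE"
suricata_ipfw_cmd "$DIVERT_PORT"
if check_divert_port "$DIVERT_PORT" "$SAMPLE_RULESET"; then
    echo "divert port $DIVERT_PORT present in ruleset"
else
    echo "divert port $DIVERT_PORT missing from ruleset" >&2
fi
```

On a live FreeBSD box you would feed `ipfw list` into `divert_ports_in_ruleset` instead of the constructed sample; the point of the check is that the number after `divert` in the rule and the number after `-d` on the suricata command line are the same value, which is the mismatch the thread warns about.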

-----Original Message-----
From: rmkml <rmkml at free.fr>
Sender: oisf-users-bounces at openinfosecfoundation.org
Date: Fri, 30 Jul 2010 18:50:04 
To: Shant Kassardjian<shant at skylab.ca>
Cc: <oisf-users at openinfosecfoundation.org>
Subject: Re: [Oisf-users] FreeBSD 8.0 (suricata.c:636) <Error> (main) -- [ERRCODE: SC_ERR_MULTIPLE_RUN_MODE(124)]

Hi Shant,
Maybe this can help you?:
http://www.codealias.info/technotes/freebsd_divert_sockets
  ..."A divert socket is a socket that can be used to alter packets before being processed by the networking stack."...
Regards
Rmkml


On Fri, 30 Jul 2010, Shant Kassardjian wrote:

> Hello Eric,
> 
> Thank you for your reply, I am a bit confused as to which interface suricata monitors traffic on? I have the bridge0 interface configured for (em1, em2, ... em5)
> 5 sub interfaces and em0 which is my uplink interface.
> 
> I thought with -i em0 -d 8000 it would listen for traffic passing only through em0 and divert them to ipfw.
> 
> Can you please explain if I don't specify an interface with -i em0 which interface will suricata pick to monitor traffic? Will suricata pass all the traffic from
> the kernel to the ipfw divert socket with the -d option?
> 
> Many thanks.
> 
> Regards,
> Shant K
> 
> 
> > Subject: Re: [Oisf-users] FreeBSD 8.0 (suricata.c:636) <Error> (main) -- [ERRCODE: SC_ERR_MULTIPLE_RUN_MODE(124)]
> > From: eleblond at edenwall.com
> > To: shant at skylab.ca
> > CC: oisf-users at openinfosecfoundation.org
> > Date: Fri, 30 Jul 2010 09:17:12 +0200
> >
> > Hi,
> >
> > Le vendredi 30 juillet 2010 à 02:56 +0000, Shant Kassardjian a écrit :
> > > Hello,
> > >
> > >
> > > I can't seem to start suricata on FreeBSD 8.0
> > >
> > >
> > > I have compiled with ./configure --enable-profiling --enable-ipfw
> > ...
> > >
> > > # suricata -c /usr/local/etc/suricata/suricata.yaml -i em0 -d 8000
> > > [100183] 29/7/2010 -- 22:48:49 - (suricata.c:403) <Info> (main) --
> > > This is Suricata version 1.0.1
> > > [100183] 29/7/2010 -- 22:48:49 - (suricata.c:636) <Error> (main) --
> > > [ERRCODE: SC_ERR_MULTIPLE_RUN_MODE(124)] - more than one run mode has
> > > been specified
> > > ...
> > >
> > >
> > >
> > > Any idea what went wrong? error message doesn't say much..
> >
> > It tells the error correctly ;)
> >
> > You've run with options:
> > - -i em0 which enables pcap on em0
> > - -d 8000 which diverts packets from rule 8000
> > Thus you've got multiple run modes instead of one. You need to choose
> > one.
> >
> > BR,
> > --
> > Éric Leblond, eleblond at edenwall.com
> > Telephone: +33 1 40 24 65 04, Fax: +33 9 57 21 48 75
> > EdenWall, http://www.edenwall.com
> 
>

