[Oisf-users] Suricata - Write to ipfw divert socket failed

Shirkdog shirkdog at gmail.com
Wed Mar 5 22:58:39 UTC 2014


What does the following say?

ipfw -ad list
 On Mar 5, 2014 5:55 PM, "Özkan KIRIK" <ozkan.kirik at gmail.com> wrote:

> I tried compiling with both clang and gcc. The result was the same.
>
> This error appears sometimes. Not for all packets.
>
> There is only one rule: pass ip any any -> any any
> On 6 Mar 2014 00:49, "Özkan KIRIK" <ozkan.kirik at gmail.com> wrote:
>
>> Hi,
>>
>> I was running suricata with these arguments:
>>
>> suricata -vv -d 8000
>>
>> ipfw add divert 8000 all from any to 10.2.2.10
>> ipfw add divert 8000 all from 10.2.2.10 to any
>> On 6 Mar 2014 00:45, "Shirkdog" <shirkdog at gmail.com> wrote:
>>
>>> Do you have ipfw setup with the divert socket set to a port?
>>> On Mar 5, 2014 5:17 PM, "Özkan KIRIK" <ozkan.kirik at gmail.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> I'm using FreeBSD 10 with ipfw and ipdivert enabled.
>>>> I tried suricata v1.4.6, v1.4.7 and also 2.0rc1.
>>>>
>>>> All versions throw this error sometimes: "<Warning> - [ERRCODE:
>>>> SC_WARN_IPFW_XMIT(84)] - Write to ipfw divert socket failed: Permission
>>>> denied"
>>>> After a while, the thread restart threshold is exceeded and suricata
>>>> completely shuts down.
>>>>
>>>> I diverted only 1 host to suricata, but it still gives this error.
>>>>
>>>> It's strange. I inspected the source-ipfw.c file. The problem is about
>>>> injecting the packet back into the divert socket.
>>>>
>>>> errno = 13 - EACCES.
>>>>
>>>> I saw that the SO_BROADCAST option was set on the socket.
>>>>
>>>> How can I debug this situation, or are there any solutions?
>>>>
>>>> Best regards