[Oisf-users] [Oisf-devel] Suricata - Write to ipfw divert socket failed
Özkan KIRIK
ozkan.kirik at gmail.com
Thu Mar 6 08:48:01 UTC 2014
Hi Eric,
I added a printf into source-ipfw.c line 557.
PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, srcip_len);
PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, dstip_len);
printf( "fd: %d, data_p: %p, length: %u ", nq->fd, GET_PKT_DATA(p), GET_PKT_LEN(p) );
printf( "src ip : %s ", srcip );
printf( "dst ip : %s\n", dstip );
But I saw that these packets are routable packets. I don't think that the
problem is about non-routable packets.
fd: 7, data_p: 0x8045ce578, length: 95 src ip : 10.2.2.10 dst ip : 92.83.122.63
6/3/2014 -- 10:41:24 - <Warning> - [ERRCODE: SC_WARN_IPFW_XMIT(84)] - Write to ipfw divert socket failed: Permission denied
6/3/2014 -- 10:41:24 - <Info> - IPFW Processing: - (Verdict0) Pkts accepted 9118, dropped 3
6/3/2014 -- 10:41:24 - <Info> - thread "Verdict0" restarted
fd: 7, data_p: 0x8045eeb78, length: 58 src ip : 10.2.2.10 dst ip : 116.193.135.211
6/3/2014 -- 10:41:24 - <Warning> - [ERRCODE: SC_WARN_IPFW_XMIT(84)] - Write to ipfw divert socket failed: Permission denied
6/3/2014 -- 10:41:24 - <Info> - IPFW Processing: - (Verdict0) Pkts accepted 35, dropped 0
6/3/2014 -- 10:41:24 - <Info> - thread "Verdict0" restarted
fd: 7, data_p: 0x8044cc378, length: 58 src ip : 10.2.2.10 dst ip : 220.255.54.21
6/3/2014 -- 10:41:43 - <Warning> - [ERRCODE: SC_WARN_IPFW_XMIT(84)] - Write to ipfw divert socket failed: Permission denied
6/3/2014 -- 10:41:43 - <Info> - IPFW Processing: - (Verdict0) Pkts accepted 8877, dropped 0
6/3/2014 -- 10:41:43 - <Info> - thread "Verdict0" restarted
fd: 7, data_p: 0x8044cd178, length: 58 src ip : 10.2.2.10 dst ip : 220.255.1.178
6/3/2014 -- 10:41:43 - <Warning> - [ERRCODE: SC_WARN_IPFW_XMIT(84)] - Write to ipfw divert socket failed: Permission denied
6/3/2014 -- 10:41:43 - <Info> - IPFW Processing: - (Verdict0) Pkts accepted 1, dropped 0
6/3/2014 -- 10:41:43 - <Info> - thread "Verdict0" restarted
fd: 7, data_p: 0x8044cdf78, length: 58 src ip : 10.2.2.10 dst ip : 223.29.197.237
6/3/2014 -- 10:41:43 - <Warning> - [ERRCODE: SC_WARN_IPFW_XMIT(84)] - Write to ipfw divert socket failed: Permission denied
6/3/2014 -- 10:41:43 - <Info> - IPFW Processing: - (Verdict0) Pkts accepted 1, dropped 0
6/3/2014 -- 10:41:43 - <Info> - thread "Verdict0" restarted
fd: 7, data_p: 0x8044ced78, length: 58 src ip : 10.2.2.10 dst ip : 109.161.142.206
6/3/2014 -- 10:41:43 - <Warning> - [ERRCODE: SC_WARN_IPFW_XMIT(84)] - Write to ipfw divert socket failed: Permission denied
6/3/2014 -- 10:41:43 - <Info> - IPFW Processing: - (Verdict0) Pkts accepted 1, dropped 0
6/3/2014 -- 10:41:43 - <Info> - thread "Verdict0" restarted
fd: 7, data_p: 0x8044cfb78, length: 58 src ip : 10.2.2.10 dst ip : 110.175.191.10
6/3/2014 -- 10:41:43 - <Warning> - [ERRCODE: SC_WARN_IPFW_XMIT(84)] - Write to ipfw divert socket failed: Permission denied
6/3/2014 -- 10:41:43 - <Info> - IPFW Processing: - (Verdict0) Pkts accepted 1, dropped 0
6/3/2014 -- 10:41:43 - <Info> - thread "Verdict0" restarted
fd: 7, data_p: 0x8044d0978, length: 58 src ip : 10.2.2.10 dst ip : 110.74.201.253
6/3/2014 -- 10:41:43 - <Warning> - [ERRCODE: SC_WARN_IPFW_XMIT(84)] - Write to ipfw divert socket failed: Permission denied
6/3/2014 -- 10:41:43 - <Info> - IPFW Processing: - (Verdict0) Pkts accepted 1, dropped 0
6/3/2014 -- 10:41:43 - <Info> - thread "Verdict0" restarted
fd: 7, data_p: 0x8044d1778, length: 58 src ip : 10.2.2.10 dst ip : 110.175.99.68
6/3/2014 -- 10:41:43 - <Warning> - [ERRCODE: SC_WARN_IPFW_XMIT(84)] - Write to ipfw divert socket failed: Permission denied
6/3/2014 -- 10:41:43 - <Info> - IPFW Processing: - (Verdict0) Pkts accepted 1, dropped 0
6/3/2014 -- 10:41:43 - <Info> - thread "Verdict0" restarted
fd: 7, data_p: 0x8044c2978, length: 60 src ip : 10.2.2.10 dst ip : 224.0.0.252
6/3/2014 -- 10:41:53 - <Warning> - [ERRCODE: SC_WARN_IPFW_XMIT(84)] - Write to ipfw divert socket failed: Permission denied
6/3/2014 -- 10:41:53 - <Info> - IPFW Processing: - (Verdict0) Pkts accepted 6114, dropped 0
6/3/2014 -- 10:41:53 - <Info> - thread "Verdict0" restarted
On Thu, Mar 6, 2014 at 9:17 AM, Özkan KIRIK <ozkan.kirik at gmail.com> wrote:
> ipfw -ad list
>
> 00004 0 0 deny ip from any to any MAC e8:03:9a:0f:74:7b any
> 00005 63668675 49628511386 allow ip from any to any layer2
> 00100 25849 4724396 divert 8000 all from any to 10.2.2.10 not layer2
> 00200 26579 5122809 divert 8000 all from 10.2.2.10 to any not layer2
> 00300 365312 25436015 skipto 600 udp from any to any dst-port 53,1812
> 00400 334817 71431398 skipto 600 udp from any 53,1812 to any
> 00500 77815 5612395 deny udp from any to any
> 00600 4928083 1457516245 nat tablearg ip from table(10) to any via igb1 // VLAN NAT
> 00600 13655296 16815414254 nat tablearg ip from any to table(11) via igb1 // VLAN NAT
> ##Dynamic rules:
>
>
>
> On Thu, Mar 6, 2014 at 1:02 AM, Eric Leblond <eric at regit.org> wrote:
>
>> Hi,
>>
>> On Thu, 2014-03-06 at 00:55 +0200, Özkan KIRIK wrote:
>> > I tried compiling with both clang and gcc. The result was the same.
>> >
>> > This error appears sometimes. Not for all packets.
>> >
>> > There is only one rule : pass ip any any -> any any
>>
>> There is an old memory coming back to me. Not sure but I think this is
>> linked with non routable packet reaching the filter (packet going to the
>> box for example). And there is a failure at reinject because the packet
>> can't be sent.
>>
>> BR,
>>
>> >
>> >
>> > On 6 Mar 2014 00:49, "Özkan KIRIK" <ozkan.kirik at gmail.com>
>> > wrote:
>> > Hi,
>> >
>> > I was running suricata with these arguments;
>> >
>> > suricata -vv -d 8000
>> >
>> > ipfw add divert 8000 all from any to 10.2.2.10
>> > ipfw add divert 8000 all from 10.2.2.10 to any
>> >
>> > On 6 Mar 2014 00:45, "Shirkdog" <shirkdog at gmail.com>
>> > wrote:
>> > Do you have ipfw setup with the divert socket set to a
>> > port?
>> >
>> > On Mar 5, 2014 5:17 PM, "Özkan KIRIK"
>> > <ozkan.kirik at gmail.com> wrote:
>> > Hi,
>> >
>> >
>> > I'm using FreeBSD 10 ipfw and ipdivert
>> > enabled.
>> > I tried suricata v.1.4.6, v1.4.7 and also
>> > 2.0rc1.
>> >
>> >
>> > All versions throw this error sometimes:
>> > "<Warning> - [ERRCODE: SC_WARN_IPFW_XMIT(84)]
>> > - Write to ipfw divert socket failed:
>> > Permission denied"
>> > After a while, the thread restart threshold is
>> > exceeded and suricata completely shuts down.
>> >
>> >
>> > I diverted only 1 host to suricata, but it
>> > still gives this error.
>> >
>> >
>> > It's strange. I inspected the source-ipfw.c
>> > file. The problem is about injecting the packet
>> > back to the divert socket.
>> >
>> >
>> > errno = 13 - EACCES.
>> >
>> >
>> > I saw that the SO_BROADCAST option was set on
>> > the socket.
>> >
>> >
>> > How can I debug this situation? Are there any
>> > solutions?
>> >
>> >
>> > Best regards
>> >
>>
>> --
>> Eric Leblond <eric at regit.org>
>>
>>
>
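
Added example (not part of the original post and not Suricata code): a small Python script that pairs each debug `fd: ...` line from the log above with the `SC_WARN_IPFW_XMIT` warning that follows it and classifies the destination address, so the failing reinjects can be checked against the non-routable-packet theory. It assumes each debug line is printed immediately before the warning for the same packet; `classify` and `failed_reinjects` are names made up here, and the third sample record is constructed.

```python
import ipaddress
import re

# One debug-printf record plus everything logged until the next record.
# \s+ tolerates the mail-archive wrapping in the middle of a record.
RECORD = re.compile(
    r"fd:\s*\d+,\s*data_p:\s*0x[0-9a-fA-F]+,\s*length:\s*(?P<length>\d+)\s+"
    r"src ip\s*:\s*(?P<src>\S+)\s+dst ip\s*:\s*(?P<dst>\S+)"
    r"(?P<tail>.*?)(?=fd:\s*\d+,\s*data_p:|\Z)",
    re.S)
XMIT_FAIL = re.compile(r"SC_WARN_IPFW_XMIT\(84\)\].*?failed:[ \t]*([^\r\n]+)", re.S)

def classify(addr):
    """Coarse destination class, to judge whether a reinjected packet is routable."""
    ip = ipaddress.ip_address(addr)
    if ip == ipaddress.ip_address("255.255.255.255"):
        return "broadcast"
    if ip.is_multicast:
        return "multicast"
    if ip.is_private:  # RFC 1918, loopback and link-local per the ipaddress module
        return "private"
    return "global" if ip.is_global else "other"

def failed_reinjects(log_text):
    """Return (src, dst, length, dst_class, error) for each failed divert write."""
    out = []
    for m in RECORD.finditer(log_text):
        fail = XMIT_FAIL.search(m.group("tail"))
        if fail:
            out.append((m["src"], m["dst"], int(m["length"]),
                        classify(m["dst"]), fail.group(1).strip()))
    return out

# Two records copied from the thread (wrapped as archived), then one
# constructed record that has no warning after it.
SAMPLE = """\
fd: 7, data_p: 0x8044cc378, length: 58 src ip : 10.2.2.10 dst ip :
220.255.54.21
6/3/2014 -- 10:41:43 - <Warning> - [ERRCODE: SC_WARN_IPFW_XMIT(84)] - Write
to ipfw divert socket failed: Permission denied
fd: 7, data_p: 0x8044c2978, length: 60 src ip : 10.2.2.10 dst ip :
224.0.0.252
6/3/2014 -- 10:41:53 - <Warning> - [ERRCODE: SC_WARN_IPFW_XMIT(84)] - Write
to ipfw divert socket failed: Permission denied
fd: 7, data_p: 0x80450a178, length: 52 src ip : 10.2.2.10 dst ip : 10.2.2.1
"""

if __name__ == "__main__":
    print(*failed_reinjects(SAMPLE), sep="\n")
```

Feeding it the full Suricata output groups the `Permission denied` writes by destination class, which separates failures on global unicast destinations from those on multicast or broadcast ones.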