[Oisf-users] Write to ipfw divert socket failed: Permission denied
Olivier Cochard-Labbé
olivier at cochard.me
Thu Sep 24 10:27:23 UTC 2015
Hi,
I'm using FreeBSD (11-head) and suricata 2.0.8 in ipfw divert mode.
This setup works great in a lab with very few IP flows (just some pings and
manual telnet to port 80 for testing the IDS signature).
But once deployed in a real environment, it only needs one workstation to
crash suricata in a few seconds.
Messages are these:
23/9/2015 -- 20:49:12 - <Info> - thread "Verdict0" restarted
23/9/2015 -- 20:49:13 - <Warning> - [ERRCODE: SC_WARN_IPFW_XMIT(84)] - Write to ipfw divert socket failed: Permission denied
23/9/2015 -- 20:49:13 - <Info> - IPFW Processing: - (Verdict0) Pkts accepted 148, dropped 0
23/9/2015 -- 20:49:13 - <Info> - thread "Verdict0" restarted
23/9/2015 -- 20:49:13 - <Warning> - [ERRCODE: SC_WARN_IPFW_XMIT(84)] - Write to ipfw divert socket failed: Permission denied
23/9/2015 -- 20:49:13 - <Info> - IPFW Processing: - (Verdict0) Pkts accepted 43, dropped 0
23/9/2015 -- 20:49:13 - <Info> - thread "Verdict0" restarted
23/9/2015 -- 20:49:13 - <Warning> - [ERRCODE: SC_WARN_IPFW_XMIT(84)] - Write to ipfw divert socket failed: Permission denied
23/9/2015 -- 20:49:13 - <Info> - IPFW Processing: - (Verdict0) Pkts accepted 12, dropped 0
23/9/2015 -- 20:49:13 - <Info> - thread "Verdict0" restarted
23/9/2015 -- 20:49:13 - <Warning> - [ERRCODE: SC_WARN_IPFW_XMIT(84)] - Write to ipfw divert socket failed: Permission denied
23/9/2015 -- 20:49:13 - <Info> - IPFW Processing: - (Verdict0) Pkts accepted 30, dropped 0
23/9/2015 -- 20:49:13 - <Error> - [ERRCODE: SC_ERR_TM_THREADS_ERROR(136)] - thread restarts exceeded threshold limit for thread "Verdict0"
I've found a similar problem in 2014 but without an answer:
https://lists.openinfosecfoundation.org/pipermail/oisf-users/2014-March/003403.html
I've created a bug report too:
https://redmine.openinfosecfoundation.org/issues/1561
But how can I troubleshoot this problem?
Thanks