[Oisf-users] Write to ipfw divert socket failed: Permission denied

Olivier Cochard-Labbé olivier at cochard.me
Thu Sep 24 10:27:23 UTC 2015


Hi,

I'm using FreeBSD (11-head) and suricata 2.0.8 in ipfw divert mode.
This setup works great in a lab with very few IP flows (just some pings and
manual telnet to port 80 for testing the IDS signature).
But once deployed in a real environment, it only needs one workstation to
crash suricata in a few seconds.

Messages are these:

23/9/2015 -- 20:49:12 - <Info> - thread "Verdict0" restarted
23/9/2015 -- 20:49:13 - <Warning> - [ERRCODE: SC_WARN_IPFW_XMIT(84)] - Write to ipfw divert socket failed: Permission denied
23/9/2015 -- 20:49:13 - <Info> - IPFW Processing: - (Verdict0) Pkts accepted 148, dropped 0
23/9/2015 -- 20:49:13 - <Info> - thread "Verdict0" restarted
23/9/2015 -- 20:49:13 - <Warning> - [ERRCODE: SC_WARN_IPFW_XMIT(84)] - Write to ipfw divert socket failed: Permission denied
23/9/2015 -- 20:49:13 - <Info> - IPFW Processing: - (Verdict0) Pkts accepted 43, dropped 0
23/9/2015 -- 20:49:13 - <Info> - thread "Verdict0" restarted
23/9/2015 -- 20:49:13 - <Warning> - [ERRCODE: SC_WARN_IPFW_XMIT(84)] - Write to ipfw divert socket failed: Permission denied
23/9/2015 -- 20:49:13 - <Info> - IPFW Processing: - (Verdict0) Pkts accepted 12, dropped 0
23/9/2015 -- 20:49:13 - <Info> - thread "Verdict0" restarted
23/9/2015 -- 20:49:13 - <Warning> - [ERRCODE: SC_WARN_IPFW_XMIT(84)] - Write to ipfw divert socket failed: Permission denied
23/9/2015 -- 20:49:13 - <Info> - IPFW Processing: - (Verdict0) Pkts accepted 30, dropped 0
23/9/2015 -- 20:49:13 - <Error> - [ERRCODE: SC_ERR_TM_THREADS_ERROR(136)] - thread restarts exceeded threshold limit for thread "Verdict0"

I've found a similar problem from 2014, but without an answer:
https://lists.openinfosecfoundation.org/pipermail/oisf-users/2014-March/003403.html

I've created a bug report too:
https://redmine.openinfosecfoundation.org/issues/1561

But how can I troubleshoot this problem?

Thanks