[Oisf-users] Write to ipfw divert socket failed: Permission denied

Eric Leblond eric at regit.org
Thu Sep 24 11:18:55 UTC 2015


Hello,

On Thu, 2015-09-24 at 12:27 +0200, Olivier Cochard-Labbé wrote:
> Hi,
> 
> I'm using FreeBSD (11-head) and suricata 2.0.8 in ipfw divert mode.
> This setup works great in a lab with very few IP flows (just some pings
> and manual telnet to port 80 for testing the IDS signature).
> But once deployed in a real environment, it only needs one workstation
> to crash suricata in a few seconds.
> 
> Messages are these:
> 
> 23/9/2015 -- 20:49:12 - <Info> - thread "Verdict0" restarted
> 23/9/2015 -- 20:49:13 - <Warning> - [ERRCODE: SC_WARN_IPFW_XMIT(84)] 
> - Write to ipfw divert socket failed: Permission denied
> 23/9/2015 -- 20:49:13 - <Info> - IPFW Processing: - (Verdict0) Pkts
> accepted 148, dropped 0
> 23/9/2015 -- 20:49:13 - <Info> - thread "Verdict0" restarted
> 23/9/2015 -- 20:49:13 - <Warning> - [ERRCODE: SC_WARN_IPFW_XMIT(84)] 
> - Write to ipfw divert socket failed: Permission denied
> 23/9/2015 -- 20:49:13 - <Info> - IPFW Processing: - (Verdict0) Pkts
> accepted 43, dropped 0
> 23/9/2015 -- 20:49:13 - <Info> - thread "Verdict0" restarted
> 23/9/2015 -- 20:49:13 - <Warning> - [ERRCODE: SC_WARN_IPFW_XMIT(84)] 
> - Write to ipfw divert socket failed: Permission denied
> 23/9/2015 -- 20:49:13 - <Info> - IPFW Processing: - (Verdict0) Pkts
> accepted 12, dropped 0
> 23/9/2015 -- 20:49:13 - <Info> - thread "Verdict0" restarted
> 23/9/2015 -- 20:49:13 - <Warning> - [ERRCODE: SC_WARN_IPFW_XMIT(84)] 
> - Write to ipfw divert socket failed: Permission denied
> 23/9/2015 -- 20:49:13 - <Info> - IPFW Processing: - (Verdict0) Pkts
> accepted 30, dropped 0
> 23/9/2015 -- 20:49:13 - <Error> - [ERRCODE:
> SC_ERR_TM_THREADS_ERROR(136)] - thread restarts exceeded threshold
> limit for thread "Verdict0"
> 

I suppose some of the packets are correctly accepted?

> I've found a similar problem in 2014 but without an answer:
> https://lists.openinfosecfoundation.org/pipermail/oisf-users/2014-March/003403.html
> 
> I've created a bug report too:
> https://redmine.openinfosecfoundation.org/issues/1561
> 
> But how can I troubleshoot this problem?

Are you using a jail or something like that, or is it a plain FreeBSD
install? (Thinking about
http://lists.freebsd.org/pipermail/freebsd-ipfw/2012-October/005230.html)

By the way, asking the ipfw guys could help as it is really OS specific.

BR,
--
Eric

> 
> Thanks
-- 
Eric Leblond <eric at regit.org>
Blog: https://home.regit.org/




