[Oisf-users] suricata reject rule

Andreas Herz andi at geekosphere.org
Wed Mar 1 21:30:10 UTC 2017

On 28/02/17 at 12:44, Vieri wrote:
> 28/2/2017 -- 13:21:30 - <Error> - [ERRCODE: SC_ERR_LIBNET_INIT(144)] - libnet_init failed: libnet_open_raw4(): SOCK_RAW allocation failed: Operation not permitted
> 28/2/2017 -- 13:21:30 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - thread TX#02 failed
> Why is there a problem accessing SOCK_RAW if the suricata process is launched (and drops as) as root?

Is there anything else in any system log file related to that?

> I know it's simpler not to specify --user/--group=root but I'm asking because I was also hoping to run Suricata with reject rules and launching the main process with --user=/--group=unpriviledged, as I'm already doing with "drop" rules.

You can also try to define that within the configuration .yaml file and
see what happens then. Might be a bug with the --user parameter.

> However, the curl client connection is not being rejected, but dropped.
> The client is stuck connecting when it should have been actively reset.

What do you see in the stats.log at that point?

Andreas Herz

More information about the Oisf-users mailing list