[Oisf-users] suricata reject rule
Vieri
rentorbuy at yahoo.com
Thu Mar 2 13:38:21 UTC 2017
----- Original Message -----
From: Andreas Herz <andi at geekosphere.org>
>
>> 28/2/2017 -- 13:21:30 - <Error> - [ERRCODE: SC_ERR_LIBNET_INIT(144)] - libnet_init failed:
>> libnet_open_raw4(): SOCK_RAW allocation failed: Operation not permitted
>> 28/2/2017 -- 13:21:30 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - thread TX#02 failed
>>
>> Why is there a problem accessing SOCK_RAW if the suricata process is launched as (and drops to) root?
>
> Is there anything else in any system log file related to that?
Nothing.
>> I know it's simpler not to specify --user/--group=root but I'm asking because I was also hoping to
>> run Suricata with reject rules and launch the main process with --user=/--group=unprivileged, as
>> I'm already doing with "drop" rules.
>
> You can also try to define that within the configuration .yaml file and
> see what happens then. Might be a bug with the --user parameter.
I removed --user/--group and defined the "run-as:" section with root user and group.
The result was the same (SOCK_RAW allocation failed: Operation not permitted).
>> However, the curl client connection is not being rejected, but dropped.
>> The client is stuck connecting when it should have been actively reset.
>
> What do you see in the stats.log at that point?
I disabled the stats.log.
I will need to re-enable it.
Vieri
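The error quoted in this message is libnet trying to open a raw IPv4 socket (socket(AF_INET, SOCK_RAW)), which on Linux requires CAP_NET_RAW in the effective capability set of the process that sends the reject packets, regardless of the numeric uid. The script below is an added illustration, not code from this thread or from Suricata: it repeats that allocation and reads the effective capability mask from /proc/<pid>/status so you can check what a running Suricata worker actually holds after privilege dropping. The sample status lines are constructed for the example; the capability number 13 is Linux's CAP_NET_RAW.

```python
"""Check the two things Suricata's reject action depends on at runtime:
1. can this process open a raw IPv4 socket (what libnet_open_raw4 does)?
2. does a given process hold CAP_NET_RAW in its effective capability set?

Added example for the thread above; Linux-specific for the /proc part.
"""
import os
import socket
from dataclasses import dataclass
from typing import Optional

# Capability number from <linux/capability.h>; bit 13 of the CapEff mask.
CAP_NET_RAW = 13

# Constructed /proc/<pid>/status excerpts used for the worked checks below.
SAMPLE_ROOT_STATUS = "Name:\tsuricata\nUid:\t0\t0\t0\t0\nCapEff:\t0000003fffffffff\n"
SAMPLE_UNPRIV_STATUS = "Name:\tsuricata\nUid:\t1001\t1001\t1001\t1001\nCapEff:\t0000000000000000\n"
SAMPLE_NET_RAW_ONLY = "Name:\tsuricata\nUid:\t1001\t1001\t1001\t1001\nCapEff:\t0000000000002000\n"


@dataclass
class RawSocketResult:
    ok: bool
    err: int = 0          # errno when the allocation failed, else 0
    message: str = ""     # strerror text, e.g. "Operation not permitted"


def try_raw_ipv4_socket() -> RawSocketResult:
    """Perform the same allocation libnet_open_raw4() performs and report
    the outcome instead of dying like the Suricata TX thread did."""
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    except OSError as e:
        code = e.errno or 0
        return RawSocketResult(False, code, os.strerror(code) if code else str(e))
    s.close()
    return RawSocketResult(True)


def parse_cap_set(status_text: str, field: str = "CapEff") -> int:
    """Parse one capability mask line ('CapEff:\t0000003fffffffff') out of
    /proc/<pid>/status text. Returns 0 if the field is absent."""
    for line in status_text.splitlines():
        if line.startswith(field + ":"):
            return int(line.split(":", 1)[1].strip(), 16)
    return 0


def has_cap(mask: int, cap: int) -> bool:
    """True when capability number `cap` is set in the bitmask."""
    return bool((mask >> cap) & 1)


def process_has_net_raw(pid: str = "self") -> Optional[bool]:
    """Read the effective set of a live process. None if /proc is unavailable
    (non-Linux, or no permission to read that pid's status)."""
    try:
        with open(f"/proc/{pid}/status") as f:
            return has_cap(parse_cap_set(f.read(), "CapEff"), CAP_NET_RAW)
    except OSError:
        return None


def diagnose(result: RawSocketResult, net_raw: Optional[bool]) -> str:
    """Turn the two checks into a one-line verdict."""
    if result.ok:
        return "raw IPv4 socket OK; reject packets can be sent from this context"
    verdict = f"raw socket failed: {result.message} (errno {result.err})"
    if net_raw is False:
        verdict += "; CAP_NET_RAW is missing from the effective set"
    elif net_raw is None:
        verdict += "; could not read /proc to inspect capabilities"
    return verdict


if __name__ == "__main__":
    import sys
    # Usage: python check_net_raw.py [pid]   (pid defaults to this process)
    target = sys.argv[1] if len(sys.argv) > 1 else "self"
    print(diagnose(try_raw_ipv4_socket(), process_has_net_raw(target)))
```

Run it as the same user Suricata drops to (or point it at a running Suricata pid) to separate the two possible causes: the uid is unprivileged and CapEff is all zeros, or the process is root but something in its launch path cleared the bounding/effective set. A mask of 0000000000002000 is enough for the raw socket even as a non-root user, which is the configuration the message above is aiming for.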