[Oisf-users] suricata reject rule

Vieri rentorbuy at yahoo.com
Thu Mar 2 13:38:21 UTC 2017

----- Original Message -----
From: Andreas Herz <andi at geekosphere.org>

>> 28/2/2017 -- 13:21:30 - <Error> - [ERRCODE: SC_ERR_LIBNET_INIT(144)] - libnet_init failed: 

>> libnet_open_raw4(): SOCK_RAW allocation failed: Operation not permitted>> 28/2/2017 -- 13:21:30 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - thread TX#02 failed
>> Why is there a problem accessing SOCK_RAW if the suricata process is launched (and drops as) as root?
> Is there anything else in any system log file related to that?


>> I know it's simpler not to specify --user/--group=root but I'm asking because I was also hoping to 

>> run Suricata with reject rules and launching the main process with --user=/--group=unpriviledged, as 

>> I'm already doing with "drop" rules.>
> You can also try to define that within the configuration .yaml file and

> see what happens then. Might be a bug with the --user parameter.

I removed --user/--group and defined the "run-as:" section with root user and group.
The result was the same (SOCK_RAW allocation failed: Operation not permitted).
>> However, the curl client connection is not being rejected, but dropped.
>> The client is stuck connecting when it should have been actively reset.>
> What do you see in the stats.log at that point?

I disabled the stats.log.
I will need to re-enable it.


More information about the Oisf-users mailing list