Snort mailing list archives
Re: ERROR: can't find nfq DAQ
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Wed, 30 Nov 2016 21:15:20 +0000
Couple of things to try as a test.

1) try running it as root (for permissions).
2) create the alert file, then
3) run snort without logging enabled.

When you start snort the user has to have elevated privileges. So a regular user may not cut it.

See the DAQ readme:

NFQ Module
==========

NFQ is the new and improved way to process iptables packets:

    ./snort --daq nfq \
        [--daq-var device=<dev>] \
        [--daq-var proto=<proto>] \
        [--daq-var queue=<qid>]

    <dev> ::= ip | eth0, etc; default is IP injection
    <proto> ::= ip4 | ip6 |; default is ip4
    <qid> ::= 0..65535; default is 0

This module can not run unprivileged so ./snort -u -g will produce a warning and won't change user or group.

Notes on iptables are given below.

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

From: Amal Saeed <amal.saeed () simmons edu>
Date: Wednesday, November 30, 2016 at 3:33 PM
To: allewi <allewi () cisco com>
Cc: 'snort-users' <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] ERROR: can't find nfq DAQ

I have full permissions though (see attached)?

On Wed, Nov 30, 2016 at 3:19 PM, Amal Saeed <amal.saeed () simmons edu> wrote:

I'm running as a regular user.

On Wed, Nov 30, 2016 at 3:17 PM, Al Lewis (allewi) <allewi () cisco com> wrote:

Permissions on the directory wouldn’t be something snort can control.

Who are you running snort as? root? regular user?

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

From: Amal Saeed <amal.saeed () simmons edu>
Date: Wednesday, November 30, 2016 at 3:05 PM
To: allewi <allewi () cisco com>
Cc: 'snort-users' <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] ERROR: can't find nfq DAQ

So I just ran:

    snort -i wlan0 -c /etc/snort/snort.conf -T

and Snort successfully validated my configuration. I've tried changing permission on my /var/log/snort directory, but it doesn't take the changes.

On Wed, Nov 30, 2016 at 2:59 PM, Al Lewis (allewi) <allewi () cisco com> wrote:

The error is “ERROR: OpenAlertFile() => fopen() alert file /var/log/snort/alert: Permission denied”

Doesn’t look like snort can write to your logging directory.

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

From: Amal Saeed <amal.saeed () simmons edu>
Date: Wednesday, November 30, 2016 at 2:51 PM
To: 'snort-users' <snort-users () lists sourceforge net>
Subject: [Snort-users] ERROR: can't find nfq DAQ

Hello,

I'm trying to run Snort in inline mode (-Q), but I kept running into this problem, where it says can't find nfq DAQ even though I see nfq listed in my --daq-list. I've tried troubleshooting with every source I found online, but now I get a different error.

If I run:

    snort --daq nfq -Q -c /etc/snort/snort.conf

I get:

    Log directory = /var/log/snort
    ERROR: OpenAlertFile() => fopen() alert file /var/log/snort/alert: Permission denied
    Fatal Error, Quitting..

If I run:

    snort -T -c /etc/snort/snort.conf

I get:

    [ Number of patterns truncated to 20 bytes: 497 ]
    ERROR: Active response: can't open ip!
    Fatal Error, Quitting..

I have an IP address and I can ping myself/others and receive pings with no issue. Please advise on what I can do to resolve this, thank you!

--
Amal Saeed
Simmons College '17, B.S. Computer Science & Information Technology
Secretary, 2017 Class Council
Co-Vice President, Computer Science & Mathematics Liaison
Technology Assistant, Simmons Technology Support Center
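The two conditions raised in the thread above (the nfq DAQ needs root, and Snort must be able to open /var/log/snort/alert), written as a pre-flight check. This is an added shell example, not part of the original messages or of Snort; the function names and status words are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: pre-flight checks before starting Snort inline with the nfq DAQ.
# Function names and status words are hypothetical, chosen for this sketch.

# The DAQ README quoted in the thread says the nfq module cannot run
# unprivileged, so anything other than uid 0 is reported up front.
privilege_status() {            # $1 = numeric uid to evaluate
    if [ "$1" -eq 0 ]; then echo root; else echo unprivileged; fi
}

# Classify the log directory the way fopen() on <dir>/alert will see it:
# creating the file needs write+search on the directory; reusing an
# existing file needs write permission on the file itself.
logdir_status() {               # $1 = log directory, e.g. /var/log/snort
    dir=$1
    alert=$dir/alert
    if [ ! -d "$dir" ]; then
        echo missing
    elif [ -e "$alert" ] && [ ! -w "$alert" ]; then
        echo alert-not-writable
    elif [ ! -e "$alert" ] && { [ ! -w "$dir" ] || [ ! -x "$dir" ]; }; then
        echo dir-not-writable
    else
        echo ok
    fi
}

# Report both findings; succeed only when Snort could start and log.
preflight() {                   # $1 = uid, $2 = log directory
    p=$(privilege_status "$1")
    l=$(logdir_status "$2")
    echo "privilege: $p"
    echo "logdir $2: $l"
    [ "$p" = root ] && [ "$l" = ok ]
}

# Runs against the invoking user only when a directory is given, e.g.
#   sh preflight.sh /var/log/snort
if [ "$#" -gt 0 ]; then
    preflight "$(id -u)" "$1" ||
        echo "resolve the items above before: snort --daq nfq -Q -c /etc/snort/snort.conf"
fi
```

The `-w` and `-x` tests are evaluated for the user running the script, so run it as the same account that will start Snort.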