Netgate Discussion Forum

    Snort 3 ipfw Multithreading Errors

    • cArleone

      Hello,

      I run snort3 with the multithreading option, the ipfw DAQ module and port 5000, but I can't start snort3.
      I see this error:

      ipfw DAQ configured to passive.
      Commencing packet processing
      ++ [0] 
      ++ [1] 
      ++ [2] 
      Can't start DAQ (-1) - ipfw_daq_start: can't bind divert socket (Address already in use)
       
      Analyzer: Failed to start DAQ instance
      Can't start DAQ (-1) - ipfw_daq_start: can't bind divert socket (Address already in use)
       
      Analyzer: Failed to start DAQ instance
      -- [0] 
      -- [2]
      

      Can you help with this error?

      FreeBSD version:

      FreeBSD snort 11.2-RELEASE-p4
      

      Snort version:

      ,,_     -*> Snort++ <*-
      o"  )~   Version 3.0.0 (Build 247) FreeBSD
      ''''    By Martin Roesch & The Snort Team
              http://snort.org/contact#team
              Copyright (C) 2014-2018 Cisco and/or its affiliates. All rights reserved.
              Copyright (C) 1998-2013 Sourcefire, Inc., et al.
              Using DAQ version 2.2.2
              Using LuaJIT version 2.0.5
              Using OpenSSL 1.0.2p  14 Aug 2018
              Using libpcap version 1.9.0-PRE-GIT
              Using PCRE version 8.41 2017-07-05
              Using ZLIB version 1.2.11
              Using FlatBuffers 1.8.0
              Using Hyperscan version 4.7.0 2018-10-03
              Using LZMA version 5.2.3
      

      Run command:

      /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua --daq ipfw --daq-var port=5000 -l /var/log/snort -k none -A alert_full --max-packet-threads 3
      
      • bmeeks

        This is a bug within Snort3 itself. There was a thread about it posted to the Snort Development mailing list today. The Snort developers acknowledged the bug.

        By the way, Snort3 is not yet supported on pfSense. It may work for you, but everything will have to be done via the command line as the GUI package does not support Snort3.

        • bmeeks

          Here is an additional comment on Snort3 multithreading with ipfw. I copied this from the Snort Developer mailing list. The author is one of the Snort3 developers --

          "I need to correct myself. There is a way to configure DAQ for multiple threads. Please refer to snort3 documentation section – DAQ Configuration and Modules. You will need to configure a separate port for each thread. Also, please note that snort3 doesn’t yet support load balancing internally."

          1 Reply Last reply Reply Quote 0
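A small triage check for the failure discussed in this thread, as an added example that is not from the original posts or the Snort project: it reads the command line and startup output quoted in the first post and tests whether the bind failures match several packet threads sharing one divert port. The function names, the result keys and the reading of `++ [n]` as a packet-thread start marker are assumptions.

```python
import re
import shlex

# Constructed sample: the command line and startup output quoted in the thread.
CMDLINE = ("/usr/local/snort/bin/snort -c /usr/local/snort/etc/snort/snort.lua "
           "--daq ipfw --daq-var port=5000 -l /var/log/snort -k none "
           "-A alert_full --max-packet-threads 3")
OUTPUT = """\
Commencing packet processing
++ [0]
++ [1]
++ [2]
Can't start DAQ (-1) - ipfw_daq_start: can't bind divert socket (Address already in use)
Analyzer: Failed to start DAQ instance
Can't start DAQ (-1) - ipfw_daq_start: can't bind divert socket (Address already in use)
Analyzer: Failed to start DAQ instance
-- [0]
-- [2]
"""

BIND_FAIL = re.compile(r"can't bind divert socket \(Address already in use\)")
THREAD_START = re.compile(r"^\+\+ \[(\d+)\]", re.M)  # assumed thread-start marker

def parse_cmdline(cmdline):
    """Return (DAQ module, divert ports, packet thread count) from a snort command line."""
    args = shlex.split(cmdline)
    daq, ports, threads = None, set(), 1  # assumption: one packet thread if unset
    for flag, value in zip(args, args[1:]):
        if flag == "--daq":
            daq = value
        elif flag == "--daq-var" and value.startswith("port="):
            ports.add(int(value.split("=", 1)[1]))
        elif flag == "--max-packet-threads":
            threads = int(value)
    return daq, ports, threads

def diagnose(cmdline, output):
    """Check whether the output matches several packet threads sharing one divert port."""
    daq, ports, threads = parse_cmdline(cmdline)
    failures = len(BIND_FAIL.findall(output))
    return {
        "threads_requested": threads,
        "threads_started": len(set(THREAD_START.findall(output))),
        "divert_ports": sorted(ports),
        "bind_failures": failures,
        # Only one socket can own a divert port; each extra thread gets EADDRINUSE.
        "shared_port_conflict": daq == "ipfw" and threads > len(ports)
                                and failures == threads - len(ports),
    }
```

For the quoted run, `diagnose(CMDLINE, OUTPUT)` reports three threads requested, one divert port and two bind failures, which is the pattern expected when every thread is given the same `port=5000`.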