
IPQ Module



Hello all;

I tested the 3.2.0-4 kernel on the Debian 7.0 Wheezy operating system. Debian Wheezy uses the 3.2.0-4 kernel.

# uname -ar
Linux snort.test.lan 3.2.0-4-amd64 #1 SMP Debian 3.2.41-2+deb7u2 x86_64 GNU/Linux kernel version

As I understand it, the new kernel version does not use the "ip_queue" module, right? I ran Snort in "IPQ" mode and got this error:

--
ipq DAQ configured to inline.
ERROR: Can't initialize DAQ ipq (-1) - ipq_daq_initialize: ipq_create_handle error Unable to create netlink socket

Fatal Error, Quitting..
--

I tested Snort in "NFQ" mode and it worked. I think the new kernel does not use the "IPQ" module.

# modprobe ip_queue
ERROR: could not insert 'ip_queue': Device or resource busy

# insmod ip_queue
Error: could not load module ip_queue: No such file or directory

# insmod /lib/modules/3.2.0-4-amd64/kernel/net/ipv4/netfilter/ip_queue.ko
Error: could not insert module /lib/modules/3.2.0-4-amd64/kernel/net/ipv4/netfilter/ip_queue.ko: Device or resource busy

And the syslog messages:

Jun  8 02:21:54 snort kernel: [ 3382.028421] ip_queue: failed to register queue handler
Jun  8 02:27:35 snort kernel: [ 3722.151772] ip_queue: failed to register queue handler
Jun  8 02:27:52 snort kernel: [ 3739.115550] ip_queue: failed to register queue handler

I want to share this information with you.

Best Regards

Ozgur Karatas
