Snort mailing list archives
Re: Unable to connect to UNIX socket at SNORT.sock: Connection refused with Fedora RPM
From: Robert Kudyba <rkudyba () fordham edu>
Date: Wed, 22 Mar 2017 10:31:53 -0400
No but I just added it:

config cs_dir: /etc/snort/rules/iplists/SNORT.sock

pulledpork.pl -v -c /etc/snort/pulledpork.conf
[…]
Writing Blacklist File /etc/snort/rules/iplists/default.blacklist....
Writing Blacklist Version 842490936 to /etc/snort/rules/iplistsIPRVersion.dat....
Issuing reputation socket reload command
Command: /usr/bin/snort_control /etc/snort/rules/iplists 1361
Unable to connect to UNIX socket at /etc/snort/rules/iplists/SNORT.sock: Connection refused
Writing /var/log/sid_changes.log....
Done
No Rule Changes
IP Blacklist Stats...
Total IPs:-----27229
Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!

Then:

bin/snort_control /etc/snort/rules/iplists/ 1361
Unable to connect to UNIX socket at /etc/snort/rules/iplists/SNORT.sock: Connection refused

systemctl status snort
● snort.service - Snort NIDS Daemon
   Loaded: loaded (/usr/lib/systemd/system/snort.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2017-03-22 10:13:18 EDT; 15min ago
  Process: 19242 ExecStart=/usr/sbin/snort -i ens33 -u snort -g snort -c /etc/snort/snort.conf -D -l /var/log/snort (code=exited, status=1/FAILURE)
 Main PID: 19242 (code=exited, status=1/FAILURE)

Mar 22 10:13:18 ourdomain snort[19242]: WARNING: flowbits key 'file.exploit_kit.pdf' is set but not ever checked.
Mar 22 10:13:18 ourdomain snort[19242]: WARNING: flowbits key 'file.exploit_kit.jar' is set but not ever checked.
Mar 22 10:13:18 ourdomain snort[19242]: WARNING: flowbits key 'file.rmp' is set but not ever checked.
Mar 22 10:13:18 ourdomain snort[19242]: WARNING: flowbits key 'acunetix-scan' is set but not ever checked.
Mar 22 10:13:18 ourdomain snort[19242]: WARNING: flowbits key 'smb.trans2' is set but not ever checked.
Mar 22 10:13:18 ourdomain snort[19242]: 18 out of 1024 flowbits in use.
Mar 22 10:13:18 ourdomain snort[19242]:
Mar 22 10:13:18 ourdomain systemd[1]: snort.service: Main process exited, code=exited, status=1/FAILURE
Mar 22 10:13:18 ourdomain systemd[1]: snort.service: Unit entered failed state.
Mar 22 10:13:18 ourdomain systemd[1]: snort.service: Failed with result 'exit-code'.

And I'm using the RPM via dnf on Fedora 25:

dnf info snort
Last metadata expiration check: 0:27:57 ago on Wed Mar 22 10:02:30 2017.
Installed Packages
Name        : snort
Arch        : x86_64
Epoch       : 1
Version     : 2.9.9.0
Release     : 1
Size        : 18 M
Repo        : @System
From repo   : @commandline
Summary     : An open source Network Intrusion Detection System (NIDS)
URL         : http://www.snort.org/
License     : GPL
Description : Snort is an open source network intrusion detection system, capable of
            : performing real-time traffic analysis and packet logging on IP networks.
            : It can perform protocol analysis, content searching/matching and can be
            : used to detect a variety of attacks and probes, such as buffer overflows,
            : stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts,
            : and much more.
            :
            : Snort has three primary uses. It can be used as a straight packet sniffer
            : like tcpdump(1), a packet logger (useful for network traffic debugging,
            : etc), or as a full blown network intrusion detection system.
            :
            : You MUST edit /etc/snort/snort.conf to configure snort before it will work!
            :
            : Please see the documentation in /usr/share/doc/snort-2.9.9.0 for more
            : information on snort features and configuration.
On Mar 22, 2017, at 10:04 AM, Stanford Prescott <stan.prescott () gmail com> wrote:

> Did you tell snort where the path to the control socket is in snort.conf?
>
> config cs_dir: <path/to/snort control socket>
>
> On Tue, Mar 21, 2017 at 3:20 PM, Robert Kudyba <rkudyba () fordham edu> wrote:
>
>> We're using the Fedora RPM via dnf, PulledPork v0.7.3, and when running:
>>
>> pulledpork.pl -c /etc/snort/pulledpork.conf
>>
>> This appears:
>>
>> Issuing reputation socket reload command
>> Unable to connect to UNIX socket at /etc/snort/rules/iplists/SNORT.sock: Connection refused
>>
>> I just posted this on GitHub <https://github.com/shirkdog/pulledpork/issues/255> but wanted to see if this is a known issue and/or a work-around available.
>>
>> ------------------------------------------------------------------------------
>> Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users () lists sourceforge net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
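A pre-flight check that separates the causes discussed in this thread, written as an added example (it is neither PulledPork's nor Snort's own code): it reads `config cs_dir:` out of snort.conf text and then reports whether the option is unset, whether cs_dir names a file instead of a directory, whether SNORT.sock was never created (Snort not running, as in the failed unit above), or whether a stale socket file exists with nothing listening. It assumes, as `snort_control <cs_dir> 1361` does, that cs_dir is a directory in which Snort creates SNORT.sock; walk_failure_states() reproduces each state with a throwaway UNIX socket in a scratch directory.

```python
import os
import re
import socket
import tempfile

SOCKET_NAME = "SNORT.sock"  # name Snort gives its control socket inside cs_dir

def parse_cs_dir(conf_text):
    """Return the 'config cs_dir:' value from snort.conf text, or None if unset."""
    for line in conf_text.splitlines():
        m = re.match(r"config\s+cs_dir\s*:\s*(\S+)", line.split("#", 1)[0].strip())
        if m:
            return m.group(1)
    return None

def diagnose_control_socket(cs_dir):
    # Classify why snort_control (and so PulledPork's reload) cannot reach Snort.
    if cs_dir is None:
        return "no_cs_dir"                  # snort.conf never enabled the control socket
    sock_path = os.path.join(cs_dir, SOCKET_NAME)
    try:
        os.stat(sock_path)
    except NotADirectoryError:
        return "cs_dir_is_not_a_directory"  # cs_dir names a file, e.g. the socket itself
    except FileNotFoundError:
        return "socket_missing"             # never created: Snort not running / unit failed
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        s.connect(sock_path)
    except ConnectionRefusedError:
        return "connection_refused"         # stale socket file, nothing listening (Snort died)
    finally:
        s.close()
    return "ok"

def walk_failure_states():
    # Reproduce each state in a scratch directory; returns {state: diagnosis}.
    out = {}
    with tempfile.TemporaryDirectory() as d:
        out["unset"] = diagnose_control_socket(parse_cs_dir("# config cs_dir: /x\n"))
        out["empty_dir"] = diagnose_control_socket(d)
        path = os.path.join(d, SOCKET_NAME)
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)                      # socket file exists, but no listener yet
        out["bound_not_listening"] = diagnose_control_socket(d)
        srv.listen(1)
        out["listening"] = diagnose_control_socket(d)
        srv.close()
        out["cs_dir_is_file"] = diagnose_control_socket(path)
    return out
```

Run diagnose_control_socket(parse_cs_dir(open("/etc/snort/snort.conf").read())) as the same user PulledPork runs as; "socket_missing" points at the daemon (check systemctl status snort), "no_cs_dir" and "cs_dir_is_not_a_directory" point at snort.conf.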