Snort mailing list archives

Re: Unable to connect to UNIX socket at SNORT.sock: Connection refused with Fedora RPM


From: Robert Kudyba <rkudyba () fordham edu>
Date: Wed, 22 Mar 2017 10:31:53 -0400

No, but I just added it:
config cs_dir: /etc/snort/rules/iplists/SNORT.sock

pulledpork.pl -v -c /etc/snort/pulledpork.conf
[…]
Writing Blacklist File /etc/snort/rules/iplists/default.blacklist....
Writing Blacklist Version 842490936 to /etc/snort/rules/iplistsIPRVersion.dat....
Issuing reputation socket reload command
Command: /usr/bin/snort_control /etc/snort/rules/iplists 1361
Unable to connect to UNIX socket at /etc/snort/rules/iplists/SNORT.sock: Connection refused
Writing /var/log/sid_changes.log....
        Done

No Rule Changes

IP Blacklist Stats...
        Total IPs:-----27229

Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!

Then:
bin/snort_control /etc/snort/rules/iplists/ 1361
Unable to connect to UNIX socket at /etc/snort/rules/iplists/SNORT.sock: Connection refused

systemctl status snort
● snort.service - Snort NIDS Daemon
   Loaded: loaded (/usr/lib/systemd/system/snort.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2017-03-22 10:13:18 EDT; 15min ago
  Process: 19242 ExecStart=/usr/sbin/snort -i ens33 -u snort -g snort -c /etc/snort/snort.conf -D -l /var/log/snort (code=exited, status=1/FAILURE)
 Main PID: 19242 (code=exited, status=1/FAILURE)

Mar 22 10:13:18 ourdomain snort[19242]: WARNING: flowbits key 'file.exploit_kit.pdf' is set but not ever checked.
Mar 22 10:13:18 ourdomain snort[19242]: WARNING: flowbits key 'file.exploit_kit.jar' is set but not ever checked.
Mar 22 10:13:18 ourdomain snort[19242]: WARNING: flowbits key 'file.rmp' is set but not ever checked.
Mar 22 10:13:18 ourdomain snort[19242]: WARNING: flowbits key 'acunetix-scan' is set but not ever checked.
Mar 22 10:13:18 ourdomain snort[19242]: WARNING: flowbits key 'smb.trans2' is set but not ever checked.
Mar 22 10:13:18 ourdomain snort[19242]: 18 out of 1024 flowbits in use.
Mar 22 10:13:18 ourdomain snort[19242]: 
Mar 22 10:13:18 ourdomain systemd[1]: snort.service: Main process exited, code=exited, status=1/FAILURE
Mar 22 10:13:18 ourdomain systemd[1]: snort.service: Unit entered failed state.
Mar 22 10:13:18 ourdomain systemd[1]: snort.service: Failed with result 'exit-code'.

And I’m using the RPM via dnf on Fedora 25:
dnf info snort
Last metadata expiration check: 0:27:57 ago on Wed Mar 22 10:02:30 2017.
Installed Packages
Name        : snort
Arch        : x86_64
Epoch       : 1
Version     : 2.9.9.0
Release     : 1
Size        : 18 M
Repo        : @System
From repo   : @commandline
Summary     : An open source Network Intrusion Detection System (NIDS)
URL         : http://www.snort.org/
License     : GPL
Description : Snort is an open source network intrusion detection system, capable of
            : performing real-time traffic analysis and packet logging on IP networks.
            : It can perform protocol analysis, content searching/matching and can be
            : used to detect a variety of attacks and probes, such as buffer overflows,
            : stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts,
            : and much more.
            : 
            : Snort has three primary uses. It can be used as a straight packet sniffer
            : like tcpdump(1), a packet logger (useful for network traffic debugging,
            : etc), or as a full blown network intrusion detection system.
            : 
            : You MUST edit /etc/snort/snort.conf to configure snort before it will work!
            : 
            : Please see the documentation in /usr/share/doc/snort-2.9.9.0 for more
            : information on snort features and configuration.



On Mar 22, 2017, at 10:04 AM, Stanford Prescott <stan.prescott () gmail com> wrote:

Did you tell snort where the path to the control socket is in snort.conf?

config cs_dir: <path/to/snort control socket>

On Tue, Mar 21, 2017 at 3:20 PM, Robert Kudyba <rkudyba () fordham edu> wrote:
We're using the Fedora RPM via dnf, PulledPork v0.7.3, and when running:

pulledpork.pl -c /etc/snort/pulledpork.conf

This appears:

Issuing reputation socket reload command
Unable to connect to UNIX socket at /etc/snort/rules/iplists/SNORT.sock: Connection refused
I just posted this on GitHub <https://github.com/shirkdog/pulledpork/issues/255> but wanted to see if this is a known issue and/or a work-around is available.
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!


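Two things in the thread decide whether the reputation reload can ever reach a socket: the PulledPork output shows snort_control being handed the iplists directory and then trying `<that directory>/SNORT.sock`, so `config cs_dir:` has to name the directory that will hold the socket rather than the socket file itself, and the socket only exists while a Snort process is running with it (the systemctl output shows the service in a failed state). The script below is an added example, not code from the thread or from the Snort or PulledPork projects; it reads cs_dir out of a snort.conf, classifies what it points at, and optionally checks for a live snort process. The default config path and the use of pgrep are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the Snort/PulledPork projects): checks the
# preconditions for the reputation reload that PulledPork issues through
# snort_control. Default paths are assumptions; override with SNORT_CONF.

# Print the value of "config cs_dir:" from a snort.conf (first match, whitespace
# trimmed); prints nothing when the directive is absent.
cs_dir_from_conf() {
    sed -n 's/^[[:space:]]*config[[:space:]]\{1,\}cs_dir:[[:space:]]*//p' "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# Classify a cs_dir value. snort_control treats its first argument as a directory
# and connects to <dir>/SNORT.sock, so the directive must name the directory.
# Prints one keyword; returns 0 only for "ok".
#   unset      no cs_dir directive, so there is nowhere to connect
#   not-a-dir  value is missing or is a file (for example the socket path itself)
#   no-socket  directory exists but SNORT.sock is absent: Snort is not running
#              with the control socket enabled (check systemctl status snort)
#   ok         SNORT.sock is present and is a socket
check_cs_dir() {
    dir=$1
    if [ -z "$dir" ]; then
        echo unset; return 1
    fi
    if [ ! -d "$dir" ]; then
        echo not-a-dir; return 1
    fi
    if [ ! -S "$dir/SNORT.sock" ]; then
        echo no-socket; return 1
    fi
    echo ok
}

# Live check on a host: report the cs_dir state and whether a snort process
# exists (pgrep is assumed to be installed). Not run automatically; invoke as:
#   SNORT_DIAG_RUN=1 sh snort_cs_check.sh
diagnose_snort() {
    conf=${1:-/etc/snort/snort.conf}
    dir=$(cs_dir_from_conf "$conf")
    state=$(check_cs_dir "$dir") || true
    echo "cs_dir='${dir}' state=${state}"
    if pgrep -x snort >/dev/null 2>&1; then
        echo "snort process: running"
    else
        echo "snort process: not running (see: systemctl status snort)"
    fi
    [ "$state" = ok ]
}

if [ "${SNORT_DIAG_RUN:-0}" = 1 ]; then
    diagnose_snort "${SNORT_CONF:-/etc/snort/snort.conf}"
fi
```

Run it with `SNORT_DIAG_RUN=1` on the sensor before re-running PulledPork: a `not-a-dir` result with a value ending in `SNORT.sock` is the directory-versus-file mix-up, and `no-socket` alongside "snort process: not running" means the reload cannot succeed until the service itself starts cleanly, whatever cs_dir says.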
