Re: Unable to connect to UNIX socket at SNORT.sock: Connection refused with Fedora RPM

[Stanford Prescott <stan.prescott () gmail com>]

I don't have access to my snort.conf atm, but I believe you just put the
directory for SNORT.sock. I may have mislead by saying path but I believe
it is just the directory for the config. statement.

On Wed, Mar 22, 2017 at 9:31 AM, Robert Kudyba <rkudyba () fordham edu> wrote:

> No but I just added it:
> config cs_dir: /etc/snort/rules/iplists/SNORT.sock
>
> pulledpork.pl -v -c /etc/snort/pulledpork.conf
> […]
> Writing Blacklist File /etc/snort/rules/iplists/default.blacklist....
> Writing Blacklist Version 842490936 to /etc/snort/rules/
> iplistsIPRVersion.dat....
> Issuing reputation socket reload command
> Command: /usr/bin/snort_control /etc/snort/rules/iplists 1361
> Unable to connect to UNIX socket at /etc/snort/rules/iplists/SNORT.sock:
> Connection refused
> Writing /var/log/sid_changes.log....
> Done
>
> No Rule Changes
>
> IP Blacklist Stats...
> Total IPs:-----27229
>
> Done
> Please review /var/log/sid_changes.log for additional details
> Fly Piggy Fly!
>
> Then:
> bin/snort_control /etc/snort/rules/iplists/ 1361
> Unable to connect to UNIX socket at /etc/snort/rules/iplists/SNORT.sock:
> Connection refused
>
> systemctl status snort
> *●* snort.service - Snort NIDS Daemon
>    Loaded: loaded (/usr/lib/systemd/system/snort.service; disabled;
> vendor preset: disabled)
>    Active: *failed* (Result: exit-code) since Wed 2017-03-22 10:13:18
> EDT; 15min ago
>   Process: 19242 ExecStart=/usr/sbin/snort -i ens33 -u snort -g snort -c
> /etc/snort/snort.conf -D -l /var/log/snort *(code=exited,
> status=1/FAILURE)*
>  Main PID: 19242 (code=exited, status=1/FAILURE)
>
> Mar 22 10:13:18 ourdomain snort[19242]: *WARNING: flowbits key
> 'file.exploit_kit.pdf' is set but not ever checked.*
> Mar 22 10:13:18 ourdomain snort[19242]: *WARNING: flowbits key
> 'file.exploit_kit.jar' is set but not ever checked.*
> Mar 22 10:13:18 ourdomain snort[19242]: *WARNING: flowbits key 'file.rmp'
> is set but not ever checked.*
> Mar 22 10:13:18 ourdomain snort[19242]: *WARNING: flowbits key
> 'acunetix-scan' is set but not ever checked.*
> Mar 22 10:13:18 ourdomain snort[19242]: *WARNING: flowbits key
> 'smb.trans2' is set but not ever checked.*
> Mar 22 10:13:18 ourdomain snort[19242]: *18 out of 1024 flowbits in use.*
> Mar 22 10:13:18 ourdomain snort[19242]:
> Mar 22 10:13:18 ourdomain systemd[1]: *snort.service: Main process
> exited, code=exited, status=1/FAILURE*
> Mar 22 10:13:18 ourdomain systemd[1]: *snort.service: Unit entered failed
> state.*
> Mar 22 10:13:18 ourdomain systemd[1]: *snort.service: Failed with result
> 'exit-code'.*
>
> And I’m using the RPM via dnf on Fedora 25:
> dnf info snort
> Last metadata expiration check: 0:27:57 ago on Wed Mar 22 10:02:30 2017.
> Installed Packages
> Name        : snort
> Arch        : x86_64
> Epoch       : 1
> Version     : 2.9.9.0
> Release     : 1
> Size        : 18 M
> Repo        : @System
> From repo   : @commandline
> Summary     : An open source Network Intrusion Detection System (NIDS)
> URL         : http://www.snort.org/
> License     : GPL
> Description : Snort is an open source network intrusion detection system,
> capable of
>             : performing real-time traffic analysis and packet logging on
> IP networks.
>             : It can perform protocol analysis, content searching/matching
> and can be
>             : used to detect a variety of attacks and probes, such as
> buffer overflows,
>             : stealth port scans, CGI attacks, SMB probes, OS
> fingerprinting attempts,
>             : and much more.
>             :
>             : Snort has three primary uses. It can be used as a straight
> packet sniffer
>             : like tcpdump(1), a packet logger (useful for network traffic
> debugging,
>             : etc), or as a full blown network intrusion detection system.
>             :
>             : You MUST edit /etc/snort/snort.conf to configure snort
> before it will work!
>             :
>             : Please see the documentation in /usr/share/doc/snort-2.9.9.0
> for more
>             : information on snort features and configuration.
>
>
>
> On Mar 22, 2017, at 10:04 AM, Stanford Prescott <stan.prescott () gmail com>
> wrote:
>
> Did you tell snort where the path to the control socket is in snort.conf?
>
> *config cs_dir: <path/to/snort control socket>*
>
> On Tue, Mar 21, 2017 at 3:20 PM, Robert Kudyba <rkudyba () fordham edu>
> wrote:
>
> > We're using the Fedora RPM via dnf, PulledPork v0.7.3, and when running:
> >
> > pulledpork.pl
> > <https://urldefense.proofpoint.com/v2/url?u=http-3A__pulledpork.pl&d=DwMFaQ&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=qVvU5U6OvRAY9txpFkSQ-gKgqfBKVpDkr4FD29xOHKI&s=nKn3QmhlzVCyaOJj8q7_CLmdmf7SxTFAw42gQhMlN_0&e=>
> > -c /etc/snort/pulledpork.conf
> >
> > This appears:
> >
> > Issuing reputation socket reload command
> > Unable to connect to UNIX socket at /etc/snort/rules/iplists/SNORT.sock:
> > Connection refused
> > I just posted this on GitHub <https://github.com/shirkdog/p
> > ulledpork/issues/255
> > <https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_shirkdog_pulledpork_issues_255&d=DwMFaQ&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=qVvU5U6OvRAY9txpFkSQ-gKgqfBKVpDkr4FD29xOHKI&s=a9oSspNCCR3xi0F9MN8vPM_3nHBMv7y7YEQ28TMvWck&e=>>
> > but wanted to see if this is a known issue and/or a work-around available.
> > ------------------------------------------------------------
> > ------------------
> > Check out the vibrant tech community on one of the world's most
> > engaging tech sites, Slashdot.org <http://slashdot.org>!
> > http://sdm.link/slashdot
> > <https://urldefense.proofpoint.com/v2/url?u=http-3A__sdm.link_slashdot&d=DwMFaQ&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=qVvU5U6OvRAY9txpFkSQ-gKgqfBKVpDkr4FD29xOHKI&s=P_sDVO_GQuqPiGih4fGVMZ6U5cOCbWtLMrwU02kNj9Q&e=>
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > <https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.sourceforge.net_lists_listinfo_snort-2Dusers&d=DwMFaQ&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=qVvU5U6OvRAY9txpFkSQ-gKgqfBKVpDkr4FD29xOHKI&s=NXK4aHbkEBuJe6Jr0Q3trr47BzJeLQUXW9CiU_vZCh0&e=>
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > <https://urldefense.proofpoint.com/v2/url?u=http-3A__sourceforge.net_mailarchive_forum.php-3Fforum-5Fname-3Dsnort-2Dusers&d=DwMFaQ&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=qVvU5U6OvRAY9txpFkSQ-gKgqfBKVpDkr4FD29xOHKI&s=bjy5ePp-llKSDAbwXorzsySWZ1f9QMaRDSJcXnF8oOM&e=>
> >
> > Please visit http://blog.snort.org
> > <https://urldefense.proofpoint.com/v2/url?u=http-3A__blog.snort.org&d=DwMFaQ&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=qVvU5U6OvRAY9txpFkSQ-gKgqfBKVpDkr4FD29xOHKI&s=b14FjvfgA4_6WbyzTa0SSaoTIpFABxzXjfC0pUmc3-I&e=>
> > to stay current on all the latest Snort news!
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!