Snort mailing list archives

Re: Unable to connect to UNIX socket at SNORT.sock: Connection refused with Fedora RPM


From: Stanford Prescott <stan.prescott () gmail com>
Date: Tue, 28 Mar 2017 08:08:52 -0500

It might be best to post a separate request for your Snorby and SELinux
issues. People might see the original snort socket subject and skip over it,
not knowing you have a request about Snorby and SELinux.

On Mon, Mar 27, 2017 at 10:35 AM, Robert Kudyba <rkudyba () fordham edu> wrote:


On Mar 22, 2017, at 3:43 PM, Stanford Prescott <stan.prescott () gmail com>
wrote:

I have no experience with systemd. My firewall distro that snort is
installed on doesn't use it. However, your error message indicates that
snort thinks SNORT.sock is in /etc/snort/rules rather than
/etc/snort/rules/iplists. Also, my SNORT.sock has owner nobody.nobody
and permissions of 0770. When I tried to have SNORT.sock be "root", snort
could not connect to the socket.

My config -cs_dir: statement in snort.conf does not have a trailing "/"
either: config -cs_dir: /etc/snort/rules/iplists


I removed the trailing slash and checked the system logs; it looks like
SELinux is the problem:

Mar 23 09:19:00 ourserver setroubleshoot: failed to retrieve rpm info for /etc/snort/rules/SNORT.sock
Mar 23 09:19:00 ourserver setroubleshoot: SELinux is preventing snort from setattr access on the sock_file /etc/snort/rules/SNORT.sock. For complete SELinux messages. run sealert -l d6ee9db9-5c0b-445e-ad81-ee850697f3e5
Mar 23 09:19:00 ourserver python3: SELinux is preventing snort from setattr access on the sock_file /etc/snort/rules/SNORT.sock.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that snort should be allowed setattr access on the SNORT.sock sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'snort' --raw | audit2allow -M my-snort
# semodule -X 300 -i my-snort.pp

Mar 23 09:19:00 ourserver setroubleshoot: SELinux is preventing snort from using the setsched access on a process. For complete SELinux messages. run sealert -l 4ea04339-f903-4019-9442-837f373cfa6b
Mar 23 09:19:00 ourserver python3: SELinux is preventing snort from using the setsched access on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that snort should be allowed setsched access on processes labeled snort_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'snort' --raw | audit2allow -M my-snort
# semodule -X 300 -i my-snort.pp

Mar 23 09:19:02 ourserver sedispatch: AVC Message for setroubleshoot, dropping message

I ran the suggested commands, then disabled SELinux and rebooted. Snort
seems to start and run ok now.

Not sure if this is the best place for Snorby support, but I’m getting this:

App 8884 stderr: /var/www/html/snorby/vendor/cache/ruby/2.3.0/gems/actionpack-3.2.22/lib/action_dispatch/http/mime_type.rb:102: warning: already initialized constant Mime::PDF
App 8884 stderr: /var/www/html/snorby/vendor/cache/ruby/2.3.0/gems/actionpack-3.2.22/lib/action_dispatch/http/mime_type.rb:102: warning: previous definition of PDF was here

whenever I try to “Start Worker” in the Worker & Job Queue. The Job
Handler Data has:

--- !ruby/struct:Snorby::Jobs::SensorCacheJob
verbose: false


I did put in config/initializers/mime_types.rb:

Mime::Type.register "application/pdf", :pdf unless Mime::Type.lookup_by_extension(:pdf)

and in config/snorby_config.yml
  time_zone: 'America/New York'

Anything else to check?

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
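The thread ends with the poster running the catchall-suggested `audit2allow` commands and then disabling SELinux entirely. The denials in the log above carry enough information to do something narrower: the raw AVC records that `ausearch -c 'snort' --raw` prints name the source type, target type, object class and permission, and that is exactly what an `allow` rule needs. The script below is an added example (not from the thread or from the Snort or SELinux projects) that parses such records offline and renders each unique denial as the rule `audit2allow` would generate, so the rule can be read before anything is loaded with `semodule`. The audit lines are constructed samples shaped like the two denials in the thread (`setattr` on a `sock_file`, `setsched` on a `process`); the label `snort_etc_t` is an assumed type name for the object under `/etc/snort/rules`, not taken from the poster's system.

```python
"""Triage SELinux AVC denials of the kind shown in the thread.

Added example, not part of the original mailing-list post. Parses raw audit
records (the format `ausearch --raw` prints) and summarizes each unique denial
as the allow rule audit2allow would emit, plus a hint on where to look first.
"""
import re
from collections import defaultdict

# Constructed sample records, not copied from the poster's system. The field
# layout follows the kernel AVC record format; snort_t and snort_etc_t are
# assumed type names used only for illustration.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1490275140.512:301): avc:  denied  { setattr } for  pid=2171 comm="snort" name="SNORT.sock" dev="dm-0" ino=657 scontext=system_u:system_r:snort_t:s0 tcontext=system_u:object_r:snort_etc_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1490275140.513:302): avc:  denied  { setsched } for  pid=2171 comm="snort" scontext=system_u:system_r:snort_t:s0 tcontext=system_u:system_r:snort_t:s0 tclass=process permissive=0
type=AVC msg=audit(1490275141.002:303): avc:  denied  { setattr } for  pid=2171 comm="snort" name="SNORT.sock" dev="dm-0" ino=657 scontext=system_u:system_r:snort_t:s0 tcontext=system_u:object_r:snort_etc_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1490275141.002:303): arch=c000003e syscall=92 success=no exit=-13 comm="snort" exe="/usr/sbin/snort"
"""

# One AVC denial: "type=AVC ... avc:  denied  { perm perm } for  key=value ..."
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$'
)
# key=value pairs after "for"; values may be quoted (comm="snort") or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type (third field) of a user:role:type:level context."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context


def parse_avc(record):
    """Parse one raw audit line; return None unless it is an AVC denial."""
    m = AVC_RE.match(record.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    return {
        'perms': set(m.group('perms').split()),
        'comm': fields.get('comm', '?'),
        'name': fields.get('name'),
        'stype': selinux_type(fields['scontext']),
        'ttype': selinux_type(fields['tcontext']),
        'tclass': fields['tclass'],
    }


def summarize(records):
    """Collapse denials into (source type, target type, class) -> perms/count/names."""
    summary = defaultdict(lambda: {'perms': set(), 'count': 0, 'names': set()})
    for line in records.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        entry = summary[(d['stype'], d['ttype'], d['tclass'])]
        entry['perms'] |= d['perms']
        entry['count'] += 1
        if d['name']:
            entry['names'].add(d['name'])
    return dict(summary)


def allow_rules(summary):
    """Render each summarized denial as the policy rule audit2allow would emit."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(e['perms']))} }};"
        for (s, t, c), e in sorted(summary.items())
    ]


def classify(key):
    """Hint whether the denial is a missing rule or more likely a labelling issue."""
    stype, ttype, tclass = key
    if tclass == 'process':
        return f'process permission on {ttype}: only a policy rule can grant it'
    return f'object labelled {ttype}: check the path label (ls -Z) before granting'


if __name__ == '__main__':
    summary = summarize(SAMPLE_AUDIT)
    for key, rule in zip(sorted(summary), allow_rules(summary)):
        print(f"{rule}  # seen {summary[key]['count']}x; {classify(key)}")
```

Running it on the constructed sample prints two rules: one granting `setattr` on the socket's object type and one granting `setsched` on `snort_t` processes. The first is worth checking against the path the socket is actually created in: the thread's own log shows it under `/etc/snort/rules` rather than the configured `/etc/snort/rules/iplists`, and a socket created under a configuration directory inherits that directory's label, which is the more likely reason for the `sock_file` denial than a genuinely missing policy rule. The `process`/`setsched` denial, by contrast, cannot be fixed by relabelling and is the kind of rule a local module legitimately carries. Either way, loading a reviewed two-line module keeps the rest of the confinement in force, which disabling SELinux does not.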