Snort mailing list archives
Re: Unable to connect to UNIX socket at SNORT.sock: Connection refused with Fedora RPM
From: Robert Kudyba <rkudyba () fordham edu>
Date: Mon, 27 Mar 2017 11:35:44 -0400
On Mar 22, 2017, at 3:43 PM, Stanford Prescott <stan.prescott () gmail com> wrote:

> I have no experience with systemd. My firewall distro that snort is installed on doesn't use it. However, your error message indicates that snort thinks SNORT.sock is in /etc/snort/rules rather than /etc/snort/rules/iplists.
>
> Also, my SNORT.sock has owner nobody.nobody and permissions of 0770. When I tried to have SNORT.sock be "root", snort could not connect to the socket. My config -cs_dir: statement in snort.conf does not have a trailing "/" either.
>
> config -cs_dir: /etc/snort/rules/iplists
I removed the trailing slash and checked the system logs; it looks like SELinux is the problem:

    Mar 23 09:19:00 ourserver setroubleshoot: failed to retrieve rpm info for /etc/snort/rules/SNORT.sock
    Mar 23 09:19:00 ourserver setroubleshoot: SELinux is preventing snort from setattr access on the sock_file /etc/snort/rules/SNORT.sock. For complete SELinux messages. run sealert -l d6ee9db9-5c0b-445e-ad81-ee850697f3e5
    Mar 23 09:19:00 ourserver python3: SELinux is preventing snort from setattr access on the sock_file /etc/snort/rules/SNORT.sock.

    ***** Plugin catchall (100. confidence) suggests **************************

    If you believe that snort should be allowed setattr access on the SNORT.sock sock_file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'snort' --raw | audit2allow -M my-snort
    # semodule -X 300 -i my-snort.pp

    Mar 23 09:19:00 ourserver setroubleshoot: SELinux is preventing snort from using the setsched access on a process. For complete SELinux messages. run sealert -l 4ea04339-f903-4019-9442-837f373cfa6b
    Mar 23 09:19:00 ourserver python3: SELinux is preventing snort from using the setsched access on a process.

    ***** Plugin catchall (100. confidence) suggests **************************

    If you believe that snort should be allowed setsched access on processes labeled snort_t by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'snort' --raw | audit2allow -M my-snort
    # semodule -X 300 -i my-snort.pp

    Mar 23 09:19:02 ourserver sedispatch: AVC Message for setroubleshoot, dropping message

I ran the suggested commands, then disabled SELinux and rebooted. Snort seems to start and run ok now.
Not sure if this is the best place for Snorby support, but I’m getting this:

    App 8884 stderr: /var/www/html/snorby/vendor/cache/ruby/2.3.0/gems/actionpack-3.2.22/lib/action_dispatch/http/mime_type.rb:102: warning: already initialized constant Mime::PDF
    App 8884 stderr: /var/www/html/snorby/vendor/cache/ruby/2.3.0/gems/actionpack-3.2.22/lib/action_dispatch/http/mime_type.rb:102: warning: previous definition of PDF was here

whenever I try to “Start Worker” in the Worker & Job Queue. And Job Handler Data has:

    --- !ruby/struct:Snorby::Jobs::SensorCacheJob
    verbose: false

I did put in config/initializers/mime_types.rb:

    Mime::Type.register "application/pdf", :pdf unless Mime::Type.lookup_by_extension(:pdf)

and in config/snorby_config.yml:

    time_zone: 'America/New York’

Anything else to check?
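A small shell helper, added here as an example and not part of this thread, that pulls the denied permission, source domain and target class out of raw audit AVC records (the same input that `ausearch -c 'snort' --raw` feeds to `audit2allow` in the messages above), so a local policy module can be reviewed permission by permission instead of SELinux being switched off. The audit records in SAMPLE_AUDIT are constructed to mirror the two denials in the post (setattr on a sock_file, setsched on a process) plus one unrelated denial; they are not real captured data.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials for one command so the
# local policy module built with audit2allow can be reviewed line by line.
# SAMPLE_AUDIT is constructed for this example (modelled on the setattr and
# setsched denials in the post plus one unrelated httpd denial); it is not
# real captured audit data.
SAMPLE_AUDIT='type=AVC msg=audit(1490275140.101:301): avc:  denied  { setattr } for  pid=2210 comm="snort" name="SNORT.sock" dev="dm-0" ino=9001 scontext=system_u:system_r:snort_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1490275140.102:302): avc:  denied  { setsched } for  pid=2210 comm="snort" scontext=system_u:system_r:snort_t:s0 tcontext=system_u:system_r:snort_t:s0 tclass=process permissive=0
type=AVC msg=audit(1490275140.103:303): avc:  denied  { read } for  pid=1111 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0'

# avc_denials COMM: read raw audit records on stdin and print one
# "<source type> <target class> <permission>" line per denial for COMM.
avc_denials() {
  awk -v want="$1" '
    /avc: +denied/ && $0 ~ ("comm=\"" want "\"") {
      perm = $0; sub(/.*denied +[{] */, "", perm); sub(/ *[}].*/, "", perm)
      src  = $0; sub(/.*scontext=[^:]*:[^:]*:/, "", src); sub(/:.*/, "", src)
      cls  = $0; sub(/.*tclass=/, "", cls); sub(/ .*/, "", cls)
      print src, cls, perm
    }'
}

# denial_count COMM: number of denials for COMM in the records on stdin.
denial_count() {
  avc_denials "$1" | wc -l | tr -d ' '
}

# Offline demonstration on the constructed sample; on a real host, replace the
# printf with:  ausearch -c 'snort' --raw | avc_denials snort
printf '%s\n' "$SAMPLE_AUDIT" | avc_denials snort
```

Each printed line corresponds to one allow rule that audit2allow would put into my-snort.te, so anything unexpected in the list can be investigated before the module is installed.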
Current thread:
- Unable to connect to UNIX socket at SNORT.sock: Connection refused with Fedora RPM Robert Kudyba (Mar 21)
- Re: Unable to connect to UNIX socket at SNORT.sock: Connection refused with Fedora RPM Stanford Prescott (Mar 22)
- Re: Unable to connect to UNIX socket at SNORT.sock: Connection refused with Fedora RPM Stanford Prescott (Mar 22)
- Re: Unable to connect to UNIX socket at SNORT.sock: Connection refused with Fedora RPM Robert Kudyba (Mar 22)
- Re: Unable to connect to UNIX socket at SNORT.sock: Connection refused with Fedora RPM Stanford Prescott (Mar 22)
- Re: Unable to connect to UNIX socket at SNORT.sock: Connection refused with Fedora RPM Robert Kudyba (Mar 22)
- Re: Unable to connect to UNIX socket at SNORT.sock: Connection refused with Fedora RPM Stanford Prescott (Mar 22)
- Re: Unable to connect to UNIX socket at SNORT.sock: Connection refused with Fedora RPM Robert Kudyba (Mar 27)
- Re: Unable to connect to UNIX socket at SNORT.sock: Connection refused with Fedora RPM Stanford Prescott (Mar 28)
- Re: Unable to connect to UNIX socket at SNORT.sock: Connection refused with Fedora RPM Robert Kudyba (Mar 22)