Snort mailing list archives

Re: Unable to connect to UNIX socket at SNORT.sock: Connection refused with Fedora RPM


From: Robert Kudyba <rkudyba () fordham edu>
Date: Mon, 27 Mar 2017 11:35:44 -0400


On Mar 22, 2017, at 3:43 PM, Stanford Prescott <stan.prescott () gmail com> wrote:

> I have no experience with systemd. My firewall distro that snort is installed on doesn't use it. However, your error
> message indicates that snort thinks SNORT.sock is in /etc/snort/rules rather than /etc/snort/rules/iplists. Also, my
> SNORT.sock has owner nobody.nobody and permissions of 0770. When I tried to have SNORT.sock be "root", snort could
> not connect to the socket.
>
> My config -cs_dir: statement in snort.conf does not have a trailing "/" either. config -cs_dir:
> /etc/snort/rules/iplists

I removed the trailing slash and checked the system logs; it looks like SELinux is the problem:

Mar 23 09:19:00 ourserver setroubleshoot: failed to retrieve rpm info for /etc/snort/rules/SNORT.sock
Mar 23 09:19:00 ourserver setroubleshoot: SELinux is preventing snort from setattr access on the sock_file 
/etc/snort/rules/SNORT.sock. For complete SELinux messages. run sealert -l d6ee9db9-5c0b-445e-ad81-ee850697f3e5
Mar 23 09:19:00 ourserver python3: SELinux is preventing snort from setattr access on the sock_file 
/etc/snort/rules/SNORT.sock.#012#012*****  Plugin catchall (100. confidence) suggests   
**************************#012#012If you believe that snort should be allowed setattr access on the SNORT.sock 
sock_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this 
access.#012Do#012allow this access for now by executing:#012# ausearch -c 'snort' --raw | audit2allow -M my-snort#012# 
semodule -X 300 -i my-snort.pp#012
Mar 23 09:19:00 ourserver setroubleshoot: SELinux is preventing snort from using the setsched access on a process. For 
complete SELinux messages. run sealert -l 4ea04339-f903-4019-9442-837f373cfa6b
Mar 23 09:19:00 ourserver python3: SELinux is preventing snort from using the setsched access on a 
process.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe 
that snort should be allowed setsched access on processes labeled snort_t by default.#012Then you should report this as 
a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by 
executing:#012# ausearch -c 'snort' --raw | audit2allow -M my-snort#012# semodule -X 300 -i my-snort.pp#012
Mar 23 09:19:02 ourserver sedispatch: AVC Message for setroubleshoot, dropping message

I ran the suggested commands, then disabled SELinux and rebooted. Snort seems to start and run ok now. 

Not sure if this is the best place for Snorby support but I’m getting this:
App 8884 stderr: 
/var/www/html/snorby/vendor/cache/ruby/2.3.0/gems/actionpack-3.2.22/lib/action_dispatch/http/mime_type.rb:102: warning: 
already initialized constant Mime::PDF
App 8884 stderr: 
/var/www/html/snorby/vendor/cache/ruby/2.3.0/gems/actionpack-3.2.22/lib/action_dispatch/http/mime_type.rb:102: warning: 
previous definition of PDF was here

This happens whenever I try to “Start Worker” in the Worker & Job Queue, and Job Handler Data has:

--- !ruby/struct:Snorby::Jobs::SensorCacheJob
verbose: false

I did put in config/initializers/mime_types.rb:

Mime::Type.register "application/pdf", :pdf unless Mime::Type.lookup_by_extension(:pdf)

and in config/snorby_config.yml
  time_zone: 'America/New York'

Anything else to check?
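As an added example (not code from this thread or from the Snort project) for triaging the denials quoted above, this script pulls the cs_dir line out of snort.conf and the "SELinux is preventing ..." messages out of the journal, collapses the paired setroubleshoot/python3 entries for the same AVC, and reports whether each sock_file target actually lives under cs_dir. The snort.conf excerpt, the log lines and the sealert ids are constructed samples modelled on the thread.

```python
import re

# Constructed excerpt of snort.conf, modelled on the cs_dir line quoted in the thread.
SNORT_CONF = """\
# control-socket directory (constructed sample)
config cs_dir: /etc/snort/rules/iplists
"""

# Constructed journal lines modelled on the setroubleshoot output above; sealert ids are placeholders.
SYSLOG = """\
Mar 23 09:19:00 ourserver setroubleshoot: SELinux is preventing snort from setattr access on the sock_file /etc/snort/rules/SNORT.sock. For complete SELinux messages. run sealert -l <id-1>
Mar 23 09:19:00 ourserver python3: SELinux is preventing snort from setattr access on the sock_file /etc/snort/rules/SNORT.sock.#012#012*****  Plugin catchall (100. confidence) suggests
Mar 23 09:19:00 ourserver setroubleshoot: SELinux is preventing snort from using the setsched access on a process. For complete SELinux messages. run sealert -l <id-2>
Mar 23 09:19:02 ourserver sedispatch: AVC Message for setroubleshoot, dropping message
"""

# One setroubleshoot sentence: "<proc> from [using the] <perm> access on [the|a] <class> [<target>]."
# rsyslog writes embedded newlines as "#012", so the terminating "." may be followed by that.
DENIAL_RE = re.compile(
    r"SELinux is preventing (?P<proc>\S+) from (?:using the )?(?P<perm>\w+) access on "
    r"(?:the |a )?(?P<cls>\w+)(?: (?P<target>\S+?))?\.(?=\s|$|#012)"
)


def parse_cs_dir(conf_text):
    # Return the control-socket directory from snort.conf without a trailing slash.
    for line in conf_text.splitlines():
        m = re.match(r"\s*config\s+cs_dir:\s*(\S+)", line)
        if m:
            return m.group(1).rstrip("/")
    return None


def triage(conf_text, syslog_text):
    """Extract each distinct denial and say whether its file target sits in cs_dir."""
    cs_dir = parse_cs_dir(conf_text)
    seen, findings = set(), []
    for line in syslog_text.splitlines():
        m = DENIAL_RE.search(line)
        if not m:
            continue
        proc, perm, cls, target = m.group("proc", "perm", "cls", "target")
        if (proc, perm, cls, target) in seen:  # setroubleshoot and python3 log the same AVC twice
            continue
        seen.add((proc, perm, cls, target))
        if target is None:
            note = "process-level denial, no file involved"
        elif target.rsplit("/", 1)[0] == cs_dir:
            note = "target is inside cs_dir"
        else:
            note = f"target is in {target.rsplit('/', 1)[0]}, but cs_dir is {cs_dir}"
        findings.append({"process": proc, "perm": perm, "class": cls, "target": target, "note": note})
    return cs_dir, findings
```

Running `triage(SNORT_CONF, SYSLOG)` on the samples yields two findings: the setattr denial on a socket sitting in /etc/snort/rules rather than the configured iplists directory, and the setsched denial, which has no file target.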
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!