Snort mailing list archives

Re: Unable to connect to UNIX socket at SNORT.sock: Connection refused with Fedora RPM


From: Stanford Prescott <stan.prescott () gmail com>
Date: Wed, 22 Mar 2017 14:43:37 -0500

I have no experience with systemd. My firewall distro that snort is
installed on doesn't use it. However, your error message indicates that
snort thinks SNORT.sock is in */etc/snort/rules* rather than
*/etc/snort/rules/iplists*. Also, my SNORT.sock has owner nobody.nobody and
permissions of 0770. When I tried to have SNORT.sock be "root", snort could
not connect to the socket.

My config -cs_dir: statement in snort.conf does not have a trailing "/"
either. *config -cs_dir: /etc/snort/rules/iplists*

On Wed, Mar 22, 2017 at 1:22 PM, Robert Kudyba <rkudyba () fordham edu> wrote:


On Mar 22, 2017, at 11:11 AM, Stanford Prescott <stan.prescott () gmail com>
wrote:

I don't have access to my snort.conf atm, but I believe you just put the
directory for SNORT.sock. I may have misled by saying path but I believe
it is just the directory for the config. statement.


Ah yes I changed it to:
config cs_dir: /etc/snort/rules/iplists/

So snort starts when using the snort command but not via systemd. Still
errors about the SNORT.sock file. When the file exists (I simply did a
‘touch’ command and made sure permissions were 777 and owned by snort) this
happens:

Mar 22 14:16:12 twiki.cis.fordham.edu systemd[1]: Started Snort NIDS Daemon.
Mar 22 14:16:13 twiki.cis.fordham.edu snort[19194]: ERROR: Control Socket: Unable to bind to /etc/snort/rules/SNORT.sock: Address already in use
Mar 22 14:16:13 twiki.cis.fordham.edu snort[19194]: Fatal Error, Quitting..
Mar 22 14:16:13 twiki.cis.fordham.edu systemd[1]: *snort.service: Main process exited, code=exited, status=1/FAILURE*
Mar 22 14:16:13 twiki.cis.fordham.edu systemd[1]: *snort.service: Unit entered failed state.*
Mar 22 14:16:13 twiki.cis.fordham.edu systemd[1]: *snort.service: Failed with result 'exit-code'.*

When I delete the file and try systemctl start snort, sudo systemctl
status snort:

*●* snort.service - Snort NIDS Daemon
   Loaded: loaded (/usr/lib/systemd/system/snort.service; enabled; vendor preset: disabled)
   Active: *failed* (Result: exit-code) since Wed 2017-03-22 14:15:09 EDT; 3s ago
  Process: 19161 ExecStart=/usr/sbin/snort -q -u snort -g snort -c /etc/snort/snort.conf --cs-dir /etc/snort/rules -i ens33 *(code=exited, status=1/FAILURE)*
 Main PID: 19161 (code=exited, status=1/FAILURE)

Mar 22 14:15:08 twiki.cis.fordham.edu systemd[1]: Started Snort NIDS Daemon.
Mar 22 14:15:09 twiki.cis.fordham.edu snort[19161]: ERROR: Control Socket: Unable to bind to /etc/snort/rules/SNORT.sock: Permission denied
Mar 22 14:15:09 twiki.cis.fordham.edu snort[19161]: Fatal Error, Quitting..
Mar 22 14:15:09 twiki.cis.fordham.edu systemd[1]: *snort.service: Main process exited, code=exited, status=1/FAILURE*
Mar 22 14:15:09 twiki.cis.fordham.edu systemd[1]: *snort.service: Unit entered failed state.*
Mar 22 14:15:09 twiki.cis.fordham.edu systemd[1]: *snort.service: Failed with result 'exit-code'.*
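
The two bind errors in the logs above can be reproduced outside Snort: bind() on a UNIX socket creates the socket file itself, so it fails with EADDRINUSE when anything already exists at that path and with EACCES when the process may not create entries in the directory. The following is an added example, not part of the original thread and not Snort code; it also reads the `--cs-dir` argument from the ExecStart line shown in the status output. The function names, the uid/gid 54321 and the temporary directory are assumptions made for illustration, and the permission check looks at mode bits only (no ACLs, supplementary groups or SELinux).

```python
import errno, os, shlex, socket, stat, tempfile

def cs_dir_from_cmdline(cmdline):
    """Directory given with --cs-dir on a snort command line, or None."""
    args = shlex.split(cmdline)
    for i, arg in enumerate(args[:-1]):
        if arg == "--cs-dir":
            return args[i + 1]
    return None

def bind_result(path):
    """Bind an AF_UNIX socket at path; return 'ok' or the errno name."""
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        sock.bind(path)      # bind() creates the socket file itself
        os.unlink(path)      # remove the file this probe created
        return "ok"
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        sock.close()

def dir_writable_by(directory, uid, gid):
    """Mode bits only: may uid/gid create a file in directory (write + search)?"""
    st = os.stat(directory)
    if uid == 0:
        return True
    if st.st_uid == uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif st.st_gid == gid:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return st.st_mode & need == need

if __name__ == "__main__":
    # ExecStart line as shown in the systemctl status output on this page.
    unit = ("/usr/sbin/snort -q -u snort -g snort -c /etc/snort/snort.conf "
            "--cs-dir /etc/snort/rules -i ens33")
    print("socket directory on command line:", cs_dir_from_cmdline(unit))
    with tempfile.TemporaryDirectory() as d:   # constructed stand-in directory
        path = os.path.join(d, "SNORT.sock")
        open(path, "w").close()                # same effect as `touch`
        print("file pre-created:", bind_result(path))   # EADDRINUSE
        os.unlink(path)
        print("file absent:     ", bind_result(path))   # ok
        os.chmod(d, 0o555)                     # nobody may create entries
        print("uid 54321 can create socket:", dir_writable_by(d, 54321, 54321))
        os.chmod(d, 0o700)
```
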

