SNORT.sock: Connection refused with Fedora RPM

[SomePersonSomeWhereInTheWorld]

We're using the Fedora RPM via dnf, PulledPork v0.7.3, and when running:

pulledpork.pl -c /etc/snort/pulledpork.conf

This appears:

Issuing reputation socket reload command
Unable to connect to UNIX socket at /etc/snort/rules/iplists/SNORT.sock: Connection refused

[marcindulak]

Note that the directory involved /etc/snort/rules/iplists belongs to the snort installation tree. Pulledpork RPM must not create that path unless a dependency of pulledpork on snort is introduced. Does mkdir -p /etc/snort/rules/iplists help?

Where did you find pulledpork 0.7.3 RPM for Fedora (and which Fedora)? The "official" RPM http://pkgs.fedoraproject.org/cgit/rpms/pulledpork.git/tree/pulledpork.spec is at 0.7. 2 and it does not install pulledpork.pl - it uses pulledpork as the executable script name.

[SomePersonSomeWhereInTheWorld]

On Mar 21, 2017, at 4:41 PM, marcindulak notifications@github.com wrote:

Note that the directory involved /etc/snort/rules/iplists belongs to the snort installation tree. Pulledpork RPM must not create that path unless a dependency of pulledpork on snort is introduced. Does mkdir -p /etc/snort/rules/iplists help?

The directory is already there: ls -l /etc/snort/rules/iplists total 392 -rw-r--r--. 1 root root 399311 Mar 21 16:15 default.blacklist Where did you find pulledpork 0.7.3 RPM for Fedora (and which Fedora)? The "official" RPM http://pkgs.fedoraproject.org/cgit/rpms/pulledpork.git/tree/pulledpork.spec https://urldefense.proofpoint.com/v2/url?u=http-3A__pkgs.fedoraproject.org_cgit_rpms_pulledpork.git_tree_pulledpork.spec&d=DwMFaQ&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=3bVr37J6GoxMQos1csr96q1BOobZ_XH3_1eDhgbF7s8&s=HkU8rgVWu5W3QcnCPP9UkgRUaoIx8wMjhHJSNVRXjJM&e= is at 0.7. 2 and it does not install pulledpork.pl - it uses pulledpork as the executable script name

My bad I used: git clone https://github.com/shirkdog/pulledpork.git

[marcindulak]

I think this is related to https://github.com/shirkdog/pulledpork/issues/153 - pulledpork since https://github.com/shirkdog/pulledpork/commit/06177884f0c8ccb94c8fccdc0fa2a4206b4b6549 will run

 /bin/snort_control /etc/snort/rules/iplists/ 1361

You can see this by running verbose:

pulledpork.pl -v -c /etc/snort/pulledpork.conf

Probably snort has not been compiled with –enable-control-socket option enabled https://sublimerobots.com/tag/pulledpork/ ?

[SomePersonSomeWhereInTheWorld]

On Mar 22, 2017, at 10:11 AM, marcindulak notifications@github.com wrote:

I think this is related to #153 https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_shirkdog_pulledpork_issues_153&d=DwMFaQ&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=X2_xGb3G38jRYC8X5LbLXwvc1BDou24de4MXlnTKLzk&s=y4EtP8KUVqU27Nv9HstRzl6DlfQ6NpzDDLTRTYGo-UI&e= - pulledpork since 0617788 https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_shirkdog_pulledpork_commit_06177884f0c8ccb94c8fccdc0fa2a4206b4b6549&d=DwMFaQ&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=X2_xGb3G38jRYC8X5LbLXwvc1BDou24de4MXlnTKLzk&s=mHGJYrJo4TNhDIJY0hJA18-vlrFap6dECdHjI3ifhYQ&e= will run

/bin/snort_control /etc/snort/rules/iplists/ 1361 You can see this by running verbose:

pulledpork.pl -v -c /etc/snort/pulledpork.conf Probably snort has not been compiled with –enable-control-socket option enabled https://sublimerobots.com/tag/pulledpork/ https://urldefense.proofpoint.com/v2/url?u=https-3A__sublimerobots.com_tag_pulledpork_&d=DwMFaQ&c=aqMfXOEvEJQh2iQMCb7Wy8l0sPnURkcqADc2guUW8IM&r=X0jL9y0sL4r4iU_qVtR3lLNo4tOL1ry_m7-psV3GejY&m=X2_xGb3G38jRYC8X5LbLXwvc1BDou24de4MXlnTKLzk&s=LE8uP3ZYAbjA9y5ithPA4Se5u4hVVZhB1IL3Tsr4tOE&e= ?

And I’m using the RPM via dnf on Fedora 25: dnf info snort Last metadata expiration check: 0:27:57 ago on Wed Mar 22 10:02:30 2017. Installed Packages Name : snort Arch : x86_64 Epoch : 1 Version : 2.9.9.0 Release : 1 Size : 18 M Repo : @System From repo : @commandline Summary : An open source Network Intrusion Detection System (NIDS) URL : http://www.snort.org/ http://www.snort.org/ License : GPL Description : Snort is an open source network intrusion detection system, capable of : performing real-time traffic analysis and packet logging on IP networks. : It can perform protocol analysis, content searching/matching and can be : used to detect a variety of attacks and probes, such as buffer overflows, : stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, : and much more. : : Snort has three primary uses. It can be used as a straight packet sniffer : like tcpdump(1), a packet logger (useful for network traffic debugging, : etc), or as a full blown network intrusion detection system. : : You MUST edit /etc/snort/snort.conf to configure snort before it will work! : : Please see the documentation in /usr/share/doc/snort-2.9.9.0 for more : information on snort features and configuration.

I added this directive to snort.conf: config cs_dir: /etc/snort/rules/iplists/SNORT.sock

But still get:

pulledpork.pl -v -c /etc/snort/pulledpork.conf […] Writing Blacklist File /etc/snort/rules/iplists/default.blacklist.... Writing Blacklist Version 842490936 to /etc/snort/rules/iplistsIPRVersion.dat.... Issuing reputation socket reload command Command: /usr/bin/snort_control /etc/snort/rules/iplists 1361 Unable to connect to UNIX socket at /etc/snort/rules/iplists/SNORT.sock: Connection refused Writing /var/log/sid_changes.log.... Done

No Rule Changes

IP Blacklist Stats... Total IPs:-----27229

Done Please review /var/log/sid_changes.log for additional details Fly Piggy Fly!

Then: bin/snort_control /etc/snort/rules/iplists/ 1361 Unable to connect to UNIX socket at /etc/snort/rules/iplists/SNORT.sock: Connection refused

systemctl status snort ● snort.service - Snort NIDS Daemon Loaded: loaded (/usr/lib/systemd/system/snort.service; disabled; vendor preset: disabled) Active: failed (Result: exit-code) since Wed 2017-03-22 10:13:18 EDT; 15min ago Process: 19242 ExecStart=/usr/sbin/snort -i ens33 -u snort -g snort -c /etc/snort/snort.conf -D -l /var/log/snort (code=exited, status=1/FAILURE) Main PID: 19242 (code=exited, status=1/FAILURE)

Mar 22 10:13:18 ourdomain snort[19242]: WARNING: flowbits key 'file.exploit_kit.pdf' is set but not ever checked. Mar 22 10:13:18 ourdomain snort[19242]: WARNING: flowbits key 'file.exploit_kit.jar' is set but not ever checked. Mar 22 10:13:18 ourdomain snort[19242]: WARNING: flowbits key 'file.rmp' is set but not ever checked. Mar 22 10:13:18 ourdomain snort[19242]: WARNING: flowbits key 'acunetix-scan' is set but not ever checked. Mar 22 10:13:18 ourdomain snort[19242]: WARNING: flowbits key 'smb.trans2' is set but not ever checked. Mar 22 10:13:18 ourdomain snort[19242]: 18 out of 1024 flowbits in use. Mar 22 10:13:18 ourdomain snort[19242]: Mar 22 10:13:18 ourdomain systemd[1]: snort.service: Main process exited, code=exited, status=1/FAILURE Mar 22 10:13:18 ourdomain systemd[1]: snort.service: Unit entered failed state. Mar 22 10:13:18 ourdomain systemd[1]: snort.service: Failed with result 'exit-code'.

[marcindulak]

There is a discussion about this issue at http://seclists.org/snort/2017/q1/704 After the proper usage of /etc/snort/rules/iplists/SNORT.sock is figured out it may be useful to add a comment about it into pulledpork.conf.