Unable to start snort
-
I'm unable to start snort. I've removed and reinstalled but this doesn't fix the problem.
I'm getting:
Oct 16 14:53:32 fw php: /etc/rc.packages: Successfully installed package: snort.
Oct 16 14:53:32 fw pkg: pfSense-pkg-snort-3.2.9.1_14 installed
Oct 16 14:53:33 fw check_reload_status: Reloading filter
Oct 16 14:53:33 fw check_reload_status: Starting packages
Oct 16 14:53:34 fw xinetd[21579]: Starting reconfiguration
Oct 16 14:53:34 fw xinetd[21579]: Swapping defaults
Oct 16 14:53:34 fw xinetd[21579]: readjusting service 6969-udp
Oct 16 14:53:34 fw xinetd[21579]: Reconfigured: new=0 old=1 dropped=0 (services)
Oct 16 14:53:34 fw php-fpm[64949]: /rc.start_packages: Restarting/Starting all packages.
Oct 16 14:53:35 fw php-fpm[64949]: /rc.start_packages: [Snort] Seems preprocessor and/or decoder rules are missing, enabling autogeneration of them in conf file.
Oct 16 14:53:35 fw SnortStartup[67032]: Snort START for WAN(33691_em0)…
Oct 16 14:53:35 fw snort[67323]: FATAL ERROR: /usr/local/etc/snort/snort_33691_em0//usr/local/etc/snort/snort_33691_em0/rules/snort.rules(0) Unable to open rules file "/usr/local/etc/snort/snort_33691_em0//usr/local/etc/snort/snort_33691_em0/rules/snort.rules": No such file or directory.
Oct 16 14:55:06 fw php-fpm[64949]: /snort/snort_interfaces_global.php: [Snort] Hide Deprecated Rules is enabled. Removing obsoleted rules categories.
Oct 16 14:55:06 fw php-fpm[64949]: /snort/snort_interfaces_global.php: [Snort] Removed 0 obsoleted rules category files.
Oct 16 14:55:07 fw check_reload_status: Syncing firewall
Oct 16 14:55:07 fw php-fpm[64949]: /snort/snort_interfaces_global.php: [Snort] Seems preprocessor and/or decoder rules are missing, enabling autogeneration of them in conf file.
Oct 16 14:55:21 fw php-cgi: snort_check_for_rule_updates.php: [Snort] There is a new set of Emerging Threats Open rules posted. Downloading emerging.rules.tar.gz…
Oct 16 14:55:23 fw php-cgi: snort_check_for_rule_updates.php: [Snort] Emerging Threats Open rules file update downloaded successfully
Oct 16 14:55:25 fw php-cgi: snort_check_for_rule_updates.php: [Snort] Hide Deprecated Rules is enabled. Removing obsoleted rules categories.
Oct 16 14:55:25 fw php-cgi: snort_check_for_rule_updates.php: [Snort] Removed 2 obsoleted rules category files.
Oct 16 14:55:25 fw php-cgi: snort_check_for_rule_updates.php: [Snort] Updating rules configuration for: WAN …
Oct 16 14:55:25 fw php-cgi: snort_check_for_rule_updates.php: The command '/usr/bin/sed -I '' -f /tmp/sedcmd /usr/local/etc/snort/snort_33691_em0/preproc_rules/sensitive-data.rules' returned exit code '1', the output was 'sed: /usr/local/etc/snort/snort_33691_em0/preproc_rules/sensitive-data.rules: No such file or directory'
Oct 16 14:55:31 fw php-cgi: snort_check_for_rule_updates.php: [Snort] Enabling any flowbit-required rules for: WAN…
Oct 16 14:55:32 fw php-cgi: snort_check_for_rule_updates.php: [Snort] Building new sid-msg.map file for WAN…
Oct 16 14:55:32 fw php-cgi: snort_check_for_rule_updates.php: [Snort] The Rules update has finished.
Oct 16 14:55:32 fw check_reload_status: Syncing firewall
Oct 16 14:56:14 fw check_reload_status: Syncing firewall
Oct 16 14:56:14 fw php-fpm[41414]: /snort/snort_rulesets.php: [Snort] Seems preprocessor and/or decoder rules are missing, enabling autogeneration of them in conf file.
Oct 16 14:56:14 fw php-fpm[41414]: /snort/snort_rulesets.php: [Snort] Updating rules configuration for: WAN …
Oct 16 14:56:14 fw php-fpm[41414]: /snort/snort_rulesets.php: The command '/usr/bin/sed -I '' -f /tmp/sedcmd /usr/local/etc/snort/snort_33691_em0/preproc_rules/sensitive-data.rules' returned exit code '1', the output was 'sed: /usr/local/etc/snort/snort_33691_em0/preproc_rules/sensitive-data.rules: No such file or directory'
Oct 16 14:56:21 fw php-fpm[41414]: /snort/snort_rulesets.php: [Snort] Enabling any flowbit-required rules for: WAN…
Oct 16 14:56:21 fw php-fpm[41414]: /snort/snort_rulesets.php: [Snort] Building new sid-msg.map file for WAN…
Oct 16 14:57:09 fw php-fpm[78519]: /snort/snort_interfaces.php: [Snort] Seems preprocessor and/or decoder rules are missing, enabling autogeneration of them in conf file.
Oct 16 14:57:09 fw php-fpm[78519]: /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN …
Oct 16 14:57:09 fw php-fpm[78519]: /snort/snort_interfaces.php: The command '/usr/bin/sed -I '' -f /tmp/sedcmd /usr/local/etc/snort/snort_33691_em0/preproc_rules/sensitive-data.rules' returned exit code '1', the output was 'sed: /usr/local/etc/snort/snort_33691_em0/preproc_rules/sensitive-data.rules: No such file or directory'
Oct 16 14:57:16 fw php-fpm[78519]: /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN…
Oct 16 14:57:16 fw php-fpm[78519]: /snort/snort_interfaces.php: [Snort] Building new sid-msg.map file for WAN…
Oct 16 14:57:16 fw php-fpm[78519]: /snort/snort_interfaces.php: Starting Snort on WAN(em0) per user request…
Oct 16 14:57:16 fw php-fpm[78519]: /snort/snort_interfaces.php: [Snort] Snort START for WAN(em0)…
Oct 16 14:57:18 fw kernel: em0: promiscuous mode enabled
Oct 16 14:57:19 fw kernel: pid 15308 (snort), uid 0: exited on signal 11
A forced update does not solve the problem.
I also noticed that after reinstalling the snort package the snort interface is messed up. In the logfile it looks like this: "/usr/local/etc/snort/snort__" instead of "/usr/local/etc/snort/snort_33691_em0". The WebConfigurator can't handle this. A reboot is required.