Snort install errors - pulling my hair out!

  • Hi,

    First the disclaimer: I have tried to search through your board and another snort based board but can't find a solution.

    On a new pfSense 2.0 build, when I add the snort package and download the first ruleset, I get the following error displayed when I go to choose the categories.

    Warning: opendir(/usr/local/etc/snort/snort__/rules/): failed to open dir: No such file or directory in /usr/local/www/snort/snort_rulesets.php on line 257
    Warning: readdir(): supplied argument is not a valid Directory resource in /usr/local/www/snort/snort_rulesets.php on line 258
    Warning: sort() expects parameter 1 to be array, null given in /usr/local/www/snort/snort_rulesets.php on line 261
    Warning: Invalid argument supplied for foreach() in /usr/local/www/snort/snort_rulesets.php on line 262

    However, if I choose Rules first, then toggle back to Categories, all is fine - in that the categories are displayed.

    Start Snort and I get the system log error:

    Sep 22 11:16:34 snort[41817]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_51021_re0//usr/local/etc/snort/snort_51021_re0/rules/emerging-activex.rules": No such file or directory.

    Any ideas?

  • Axelson,
    Just edit the snort interface you set up, go to every tab and hit the "save" button, then go back and start your snort service. In the extreme situation, uncheck the "emerging-activex.rules" and save and try to start your snort service and see if it will start. If YES, then stop it, go back and check that box again and try to start the service. That should help!

  • Thanks for the reply.

    I have followed your advice and…

    • re-saved everything - no change
    • gone through each category and tried to restart - Ah! There's the problem!

    over 50% of the categories, emerging or not, do not allow Snort to start if enabled.

    For example:

    snort[3719]: FATAL ERROR: /usr/local/etc/snort/snort_20390_re0/rules/snort_p2p.rules(34) Please enable the HTTP Inspect preprocessor before using the http content modifiers

    So, I have done what it said and enabled the HTTP Inspect preprocessor which has now enabled the majority of them to start. The rest are now reporting their own requirements which I guess I will have to go through one by one.

    The worrying ones though are the ones, like emerging-activex.rules, which report "no such file or directory" when the file really does exist and with the right permissions and ownership…

    Not used to all this manual configuration / problems for Snort. On Endian firewalls, it just works!


  • Emerging Threats rules change all the time, so if you enable a rule and later update the rule set, there is always the possibility that you are attempting to load a rule that no longer exists in Emerging Threats. That will give you your error.
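A pre-start check for the two failure modes in this thread (a rules file that vanished after a rule-set update, and a doubled path like the one in the FATAL ERROR above), added here as an example and not code from the thread or from the pfSense Snort package. It assumes the pfSense layout of `snort_<id>_<if>/snort.conf` with a `var RULE_PATH` line and `include $RULE_PATH/...` lines; the fixture directory it builds is constructed, not a real install.

```shell
#!/bin/sh
# Added example, not code from this thread or from the pfSense Snort package.
# Pre-start check: read a snort.conf, resolve $RULE_PATH the way Snort does
# (plain text substitution), and report every "include" whose rules file is
# missing, flagging paths that contain "//" (the doubled shape in the log above).

# Usage: check_snort_includes /usr/local/etc/snort/snort_<id>_<if>/snort.conf
# Prints one MISSING or DOUBLED line per bad include; returns their count.
check_snort_includes() {
    conf=$1
    rule_path=$(awk '$1 == "var" && $2 == "RULE_PATH" { print $3; exit }' "$conf")
    bad=0
    # Rules file names contain no whitespace, so word splitting is safe here.
    for inc in $(awk '$1 == "include" { print $2 }' "$conf"); do
        path=$(printf '%s\n' "$inc" | sed "s|[\$]RULE_PATH|$rule_path|g")
        case "$path" in
            *//*) printf 'DOUBLED %s\n' "$path"; bad=$((bad + 1)); continue ;;
        esac
        if [ ! -f "$path" ]; then
            printf 'MISSING %s\n' "$path"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed fixture (not a real pfSense install): a temp dir with one rules
# file that exists, one include that is missing, and one doubled-path include.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/rules"
    printf 'alert tcp any any -> any any (msg:"p2p"; sid:1000001; rev:1;)\n' \
        > "$d/rules/snort_p2p.rules"
    cat > "$d/snort.conf" <<EOF
var RULE_PATH $d/rules
include \$RULE_PATH/snort_p2p.rules
include \$RULE_PATH/emerging-activex.rules
include $d//$d/rules/emerging-policy.rules
EOF
    printf '%s\n' "$d"
}

# Stand-alone demo: build the fixture, run the check, report the count.
fixture=$(make_fixture)
check_snort_includes "$fixture/snort.conf" || printf 'bad includes: %s\n' "$?"
rm -rf "$fixture"
```

Run it against the real snort.conf of the affected interface before starting the service; anything it lists is a category to untick or a rules file to re-download.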
