SNORT Wont Start after Upgrade to 2.9.1- FATAL ERROR: Unable to open rules file



  • I have been Running Pfsense 2.0 with Snort 2.9.0.5 for a while now with no issues
    After Weeks of Not Upgrading to the latest version (2.9.1) i decided to Upgrade today but after Upgrading to Snort 2.9.1 Snort will not Start  :-[
    I have updated the snort rules and try restarting the service but that dont work, each time the rules are loaded and the service tries to start i get this error :

    Dec 22 09:10:27 pfsfw snort[34705]:    Search-Method = AC-Std
    Dec 22 09:10:27 pfsfw snort[34705]:    Search-Method = AC-Std
    Dec 22 09:10:27 pfsfw snort[34705]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_9558_em0//usr/local/etc/snort/snort_9558_em0/reference
    .config": No such file or directory.
    Dec 22 09:10:27 pfsfw snort[34705]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_9558_em0//usr/local/etc/snort/snort_9558_em0/reference
    .config": No such file or directory.
    Dec 22 09:10:27 pfsfw SnortStartup[34998]: Interface Rule START for 0_9558_em0…
    I Also Saw this at the end of the screen after the firewall was rebooted:

    cp: /usr/local/etc/snort/gen-msg.map: No such file or directory
    cp: /usr/local/etc/snort/classification.config: No such file or directory
    cp: /usr/local/etc/snort/reference.config: No such file or directory
    cp: /usr/local/etc/snort/unicode.map: No such file or directory
    cp: /usr/local/etc/snort/threshold.conf: No such file or directory
    done
    Bootup complete

    I know the new version (2.9.1) has been out for a while now hence someone must have experienced this problem an probably can help me fix for this issue

    Any Help Appreciated,
    Thanks Much



  • Ok I Remove the Snort Package, then installed it again
    Snort Service now Starts fine but i'm now getting an Error
    " (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE "
    Snort now automatically blocks every website i visit.. :(
    I'm  gonna have a look around the forums to see if i can find some any answers to rectify this issue



  • Snort Suppression Tutorial . . .
    Youtube Video

    Add Snort Suppression for Error: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
    suppress gen_id 120,sig_id 3

    Go to Snort WAN interface edit; Scroll down to Suppression and filtering
    Choose the Suppression just created
    Click Save
    Restart Service
    Do a port scan to see if it would trigger an alert https://www.grc.com/x/ne.dll?rh1dkyd2

    Good to Go Again  ;D  :D

    One down one to go.. Only need to Upgrade to Pfsense 2.0.1 now
    Cheers  8)

    Problem Solved…can someone mark it as solved ??
    I hope i dont have to repeat this process when i Upgrade to Pfsense 2.0.1


Log in to reply