Snort[61250]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort

vitesse · Mar 3, 2012, 12:40 PM

Using pfSense 2.0.1-RELEASE (i386) with Snort installed, I''m getting these system log messages:
snort[61250]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_51363_em0//usr/local/etc/snort/snort_51363_em0/rules/emerging-activex.rules": No such file or directory.
snort[50976]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_24767_rl0//usr/local/etc/snort/snort_24767_rl0/rules/emerging-activex.rules": No such file or directory.

rl0 = Wan
EM0= LAN

Should I post this here or over at the snort website firstly?

If here, anyway I can resolve this, I've tried reinstalling the package but no joy so any ideas/suggestions welcome.

TIA.

fragged · Mar 4, 2012, 2:08 PM

I got the same today. Emerging Threats rules seem to be all gone from the rules directory. Trying to update rules doesn't help.

joako · Mar 7, 2012, 7:36 AM

I see the opposite. New install of snort on pfSense 1.2.3 just now, and snort.org rules don't load but emergingthreads does load?

I copied the snort code from another installs…. I hate passwords & signups and all that miserable stuff. Am I not supposed to do that (1 code per machine/IP address!?)

java007md · Mar 17, 2012, 11:32 PM

@vitesse:

Using pfSense 2.0.1-RELEASE (i386) with Snort installed, I''m getting these system log messages:
snort[61250]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_51363_em0//usr/local/etc/snort/snort_51363_em0/rules/emerging-activex.rules": No such file or directory.
snort[50976]: FATAL ERROR: Unable to open rules file "/usr/local/etc/snort/snort_24767_rl0//usr/local/etc/snort/snort_24767_rl0/rules/emerging-activex.rules": No such file or directory.

rl0 = Wan
EM0= LAN

Should I post this here or over at the snort website firstly?

If here, anyway I can resolve this, I've tried reinstalling the package but no joy so any ideas/suggestions welcome.

TIA.

Encountered the same error and problem today. ET categories and rules are no longer available to select.

vitesse · Mar 18, 2012, 6:39 PM

I've stepped back to 2.0-RELEASE (i386) for now and all is well, JFI.

taryezveb · Mar 25, 2012, 6:08 PM

I was getting the same fatal error. Did a restore from config backup and everything is working well. Now have emerging-* categories back. Maybe this will help someone.

vitesse · Mar 26, 2012, 4:31 PM

I've since managed to get 2.0.1 running ok by using LOWMEM instead of AC-BNFA and I also left the default number of alerts at 250 and blocked at 500.

So far its stayed up. Will be trying to increase the alerts and blocked next week but its not essentials for the moment.

DigitalDeviant · Mar 27, 2012, 7:25 PM

~~Same issue here and lowering the memory usage fixed the issue.~~

OK, either Snort shut down when I was tinkering with my VPN or Snort restarted during an update. When I noticed it and tried to restart it I got the same error. Then I set the memory back to it's original settings it worked. I had originally been running it in AC mode and had set it to AC-STD. Now it's back to running fine in AC. I'm running 2.0.1 AMD 64 on a Dell PowerEdge server with dual Xeon 3.2 processors and 2GB of ram.