Snort unable to open rules file



  • 2.0.3-RELEASE (i386)
    built on Fri Apr 12 10:22:21 EDT 2013
    FreeBSD 8.1-RELEASE-p13

    snort 2.9.4.1 pkg v. 2.5.7

    I put in my oink code, downloaded the new rules files, and then tried to start the service.  Below is what I found in the system log.

    snort[46274]: FATAL ERROR: /usr/local/etc/snort/snort_50252_em1//usr/local/etc/snort/snort_50252_em1/rules/snort.rules(0) Unable to open rules file "/usr/local/etc/snort/snort_50252_em1//usr/local/etc/snort/snort_50252_em1/rules/snort.rules": No such file or directory.


  • Rebel Alliance Developer Netgate

    I edited your post because it said "squid" when you meant "snort".

    Not sure about the missing rules, but the usual thing that fixes snort is to uninstall it completely, then reinstall it, and then download the rules files again.



  • @Sifter:

    2.0.3-RELEASE (i386)
    built on Fri Apr 12 10:22:21 EDT 2013
    FreeBSD 8.1-RELEASE-p13

    snort 2.9.4.1 pkg v. 2.5.7

    I put in my oink code, downloaded the new rules files, and then tried to start the service.  Below is what I found in the system log.

    snort[46274]: FATAL ERROR: /usr/local/etc/snort/snort_50252_em1//usr/local/etc/snort/snort_50252_em1/rules/snort.rules(0) Unable to open rules file "/usr/local/etc/snort/snort_50252_em1//usr/local/etc/snort/snort_50252_em1/rules/snort.rules": No such file or directory.

    jimp is correct, a delete and reinstall is a good first fix.  If this is a totally new install for you on this firewall, there are some prerequisite steps that must happen as well to properly generate the configuration file before attempting a start.  Following the steps in this post might help if that is the case:  http://forum.pfsense.org/index.php/topic,61018.msg328717.html#msg328717

    Bill


  • Banned

    I get this all of a sudden…

    May 25 20:55:15 snort[46090]: FATAL ERROR: /usr/local/etc/snort/snort_36256_em0/preproc_rules/decoder.rules(2) Invalid configuration line: ï
    May 25 20:55:15 snort[46090]: FATAL ERROR: /usr/local/etc/snort/snort_36256_em0/preproc_rules/decoder.rules(2) Invalid configuration line: ï
    May 25 20:55:11 SnortStartup[44176]: Snort STOP for Internet(36256_em0)…
    May 25 20:52:42 SnortStartup[19872]: Snort START for Internet(36256_em0)…
    May 25 20:52:42 snort[19705]: FATAL ERROR: /usr/local/etc/snort/snort_36256_em0/preproc_rules/decoder.rules(2) Invalid configuration line: ï
    May 25 20:52:42 snort[19705]: FATAL ERROR: /usr/local/etc/snort/snort_36256_em0/preproc_rules/decoder.rules(2) Invalid configuration line: ï
    May 25 20:52:38 SnortStartup[18021]: Snort STOP for Internet(36256_em0)…
    May 25 20:06:45 SnortStartup[835]: Snort START for Internet(36256_em0)…
    May 25 20:06:45 snort[690]: FATAL ERROR: /usr/local/etc/snort/snort_36256_em0/preproc_rules/decoder.rules(2) Invalid configuration line: ï
    May 25 20:06:45 snort[690]: FATAL ERROR: /usr/local/etc/snort/snort_36256_em0/preproc_rules/decoder.rules(2) Invalid configuration line: ï


  • Banned

    After a reinstall of Snort, then everything is fine.



  • @Supermule:

    After a reinstall of Snort, then everything is fine.

    That error looks like perhaps you got hold of a corrupted rules file for the preprocessor text rules.  Can you tell if this coincided with an automatic rules update?  That file (decoder.rules) is used straight out of the archive downloaded and unpacked from Snort.org.  It is updated on each download of fresh rules from Snort.org.  My guess is either a borked download of the TAR file from Snort.org, or perhaps during the extraction and copying to the interface directory on the firewall it got trashed.

    A reinstall of Snort would have wiped the existing file and downloaded a fresh copy.

    Bill
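
Added example (not part of the original thread and not pfSense package code): a pre-flight check for the two failures seen above, a rules file that is missing and one that contains a stray non-ASCII byte, to run before starting Snort. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Pre-flight check for Snort rules files (illustrative, hypothetical helper names).
# Problems are reported in the same "path(line)" form as Snort's FATAL ERROR lines.

# check_rules_file PATH
#   returns 0 = clean, 1 = missing/unreadable/empty, 2 = unexpected bytes
check_rules_file() {
    f=$1
    if [ ! -r "$f" ] || [ ! -s "$f" ]; then
        echo "$f(0) missing, unreadable or empty"
        return 1
    fi
    # In the C locale every byte >= 0x80 and every control byte is non-printable;
    # -a keeps grep from treating a damaged file as binary and hiding line numbers.
    bad=$(LC_ALL=C grep -an '[^[:print:][:space:]]' "$f" | LC_ALL=C cut -d: -f1) || true
    if [ -n "$bad" ]; then
        for n in $bad; do echo "$f($n) non-ASCII or control byte"; done
        return 2
    fi
    return 0
}

# check_rules_dir DIR: check every *.rules file; return value = number of bad files.
# An empty directory counts as one failure (the unexpanded glob is reported missing).
check_rules_dir() {
    failed=0
    for f in "$1"/*.rules; do
        check_rules_file "$f" || failed=$((failed + 1))
    done
    return "$failed"
}

# Constructed sample data: one clean file, one with stray high bytes on line 2.
demo=$(mktemp -d "${TMPDIR:-/tmp}/rulescheck.XXXXXX")
printf '# decoder rules\nalert ( msg:"ok"; sid:1; gid:116; )\n' > "$demo/good.rules"
printf '# decoder rules\n\357\273\277alert ( msg:"bad"; sid:2; gid:116; )\n' > "$demo/bad.rules"
check_rules_dir "$demo" || echo "files with problems: $?"
rm -rf "$demo"
```

On a firewall, point `check_rules_dir` at the interface's `rules` and `preproc_rules` directories after each rules update and hold off on restarting Snort if it returns non-zero.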

