Netgate Discussion Forum

    Snort unable to open rules file

    • S
      Sifter

      2.0.3-RELEASE (i386)
      built on Fri Apr 12 10:22:21 EDT 2013
      FreeBSD 8.1-RELEASE-p13

      snort 2.9.4.1 pkg v. 2.5.7

      I put in my oink code, downloaded the new rules files, and then tried to start the service.  Below is what I found in the system log.

      snort[46274]: FATAL ERROR: /usr/local/etc/snort/snort_50252_em1//usr/local/etc/snort/snort_50252_em1/rules/snort.rules(0) Unable to open rules file "/usr/local/etc/snort/snort_50252_em1//usr/local/etc/snort/snort_50252_em1/rules/snort.rules": No such file or directory.

      • jimpJ
        jimp Rebel Alliance Developer Netgate

        I edited your post because it said "squid" when you meant "snort".

        Not sure about the missing rules, but the usual thing that fixes snort is to uninstall it completely, then reinstall it, and then download the rules files again.

        • bmeeksB
          bmeeks

          @Sifter:

          2.0.3-RELEASE (i386)
          built on Fri Apr 12 10:22:21 EDT 2013
          FreeBSD 8.1-RELEASE-p13

          snort 2.9.4.1 pkg v. 2.5.7

          I put in my oink code, downloaded the new rules files, and then tried to start the service.  Below is what I found in the system log.

          snort[46274]: FATAL ERROR: /usr/local/etc/snort/snort_50252_em1//usr/local/etc/snort/snort_50252_em1/rules/snort.rules(0) Unable to open rules file "/usr/local/etc/snort/snort_50252_em1//usr/local/etc/snort/snort_50252_em1/rules/snort.rules": No such file or directory.

          jimp is correct, a delete and reinstall is a good first fix.  If this is a totally new install for you on this firewall, there are some prerequisite steps that must happen as well to properly generate the configuration file before attempting a start.  Following the steps in this post might help if that is the case:  http://forum.pfsense.org/index.php/topic,61018.msg328717.html#msg328717

          Bill

          • S
            Supermule Banned

            I get this all of a sudden…

            May 25 20:55:15 snort[46090]: FATAL ERROR: /usr/local/etc/snort/snort_36256_em0/preproc_rules/decoder.rules(2) Invalid configuration line: ï
            May 25 20:55:15 snort[46090]: FATAL ERROR: /usr/local/etc/snort/snort_36256_em0/preproc_rules/decoder.rules(2) Invalid configuration line: ï
            May 25 20:55:11 SnortStartup[44176]: Snort STOP for Internet(36256_em0)…
            May 25 20:52:42 SnortStartup[19872]: Snort START for Internet(36256_em0)…
            May 25 20:52:42 snort[19705]: FATAL ERROR: /usr/local/etc/snort/snort_36256_em0/preproc_rules/decoder.rules(2) Invalid configuration line: ï
            May 25 20:52:42 snort[19705]: FATAL ERROR: /usr/local/etc/snort/snort_36256_em0/preproc_rules/decoder.rules(2) Invalid configuration line: ï
            May 25 20:52:38 SnortStartup[18021]: Snort STOP for Internet(36256_em0)…
            May 25 20:06:45 SnortStartup[835]: Snort START for Internet(36256_em0)…
            May 25 20:06:45 snort[690]: FATAL ERROR: /usr/local/etc/snort/snort_36256_em0/preproc_rules/decoder.rules(2) Invalid configuration line: ï
            May 25 20:06:45 snort[690]: FATAL ERROR: /usr/local/etc/snort/snort_36256_em0/preproc_rules/decoder.rules(2) Invalid configuration line: ï

            • S
              Supermule Banned

              After a reinstall of Snort, then everything is fine.

              • bmeeksB
                bmeeks

                @Supermule:

                After a reinstall of Snort, then everything is fine.

                That error looks like perhaps you got hold of a corrupted rules file for the preprocessor text rules.  Can you tell if this coincided with an automatic rules update?  That file (decoder.rules) is used straight out of the archive downloaded and unpacked from Snort.org.  It is updated on each download of fresh rules from Snort.org.  My guess is either a borked download of the TAR file from Snort.org, or perhaps during the extraction and copying to the interface directory on the firewall it got trashed.

                A reinstall of Snort would have wiped the existing file and downloaded a fresh copy.

                Bill
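
An added example, not part of the thread or of the pfSense Snort package: a pre-start shell check for the two failures reported above, a rules path whose directory prefix appears twice and a rules file that contains a non-ASCII byte. It assumes rules files are plain ASCII; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-start checks for the two failures in this thread.
# Assumption: Snort rules files are plain ASCII text.

# Succeeds if a path has the form P//P/..., i.e. an absolute path was
# appended to its own directory prefix (the first FATAL ERROR above).
doubled_prefix() {
    case "$1" in *//*) ;; *) return 1 ;; esac
    pre=${1%%//*}            # text before the first "//"
    rest=/${1#*//}           # text after it, made absolute again
    [ -n "$pre" ] || return 1
    case "$rest" in "$pre"/*) return 0 ;; *) return 1 ;; esac
}

# Number of the first line holding a byte outside printable ASCII and
# whitespace; prints nothing when the file is clean.
first_bad_line() {
    LC_ALL=C grep -a -n -m 1 '[^[:print:][:space:]]' "$1" | cut -d: -f1
}

# Prints one of: missing | empty | corrupt:<line> | ok
check_rules_file() {
    if [ ! -e "$1" ]; then echo "missing"; return 0; fi
    if [ ! -s "$1" ]; then echo "empty"; return 0; fi
    bad=$(first_bad_line "$1")
    if [ -n "$bad" ]; then echo "corrupt:$bad"; else echo "ok"; fi
}

# Demo on constructed data: byte 0xEF planted at the start of line 2.
tmp=$(mktemp -d)
printf '# constructed sample\n\357# damaged line\n# intact line\n' > "$tmp/decoder.rules"
for f in "$tmp/decoder.rules" "$tmp/snort.rules"; do
    echo "${f##*/}: $(check_rules_file "$f")"
done
rm -rf "$tmp"
```

A `corrupt:<line>` result points at the same line number Snort reports in parentheses after the file name, so the two can be compared directly.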
