StellarTech Blog


Snort Rules Not Updating

by Glen on Feb. 13, 2009

Recently I started to have issues with my snort rules not wanting to update and the snort service not wanting to stay running on my pfSense box. Taking a quick look at the forums, I found several others with this problem and many different solutions, the most prominent being to edit /etc/inc/system.inc. This fix seems to be hit and miss. Personally, I did not want to edit it unless I just needed to, so I took the following approach.

Using the web UI, it appears that snort would hang for a while before it would error out altogether.


My first approach was to look into the logs. After finding nothing useful there, I secure shelled into the machine and decided to launch snort from the command line to pinpoint exactly what was causing the problem.

Here is the command I used to launch snort:
snort -c /usr/local/etc/snort/snort.conf -l /var/log/snort -i ng0 -A full


Snort died instantly because it could not open /usr/local/etc/snort/rules/attack-responses.rules, which means either the rules directory was missing or there might be a permissions problem. After running “ls -al /usr/local/etc/snort | grep rules” I found out that the rules directory was indeed missing. I recreated it, ran chmod 755 on it, and reran the snort update process. Everything worked afterwards.
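
The diagnosis above can be run as a preflight check before starting snort. The following is an added example, not part of the original post: a POSIX sh function (the name check_snort_rules is hypothetical) that reads snort.conf and reports a missing rules directory or missing rule files. It assumes Snort 2.x-style "var RULE_PATH <dir>" and "include $RULE_PATH/<file>" lines in the config.

```shell
#!/bin/sh
# Added example: report why snort would fail to open its rule files.
# Assumes snort.conf uses "var RULE_PATH <dir>" and "include $RULE_PATH/<file>".
# Prints one line per problem; returns 0 if everything is present, 1 otherwise.
check_snort_rules() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read config: $conf"; return 1; }

    # First "var RULE_PATH" line gives the rules directory.
    rule_path=$(awk '$1 == "var" && $2 == "RULE_PATH" { print $3; exit }' "$conf")
    [ -n "$rule_path" ] || { echo "no 'var RULE_PATH' in $conf"; return 1; }

    # Assumption: a relative RULE_PATH is resolved against the config's directory.
    case $rule_path in
        /*) ;;
        *)  rule_path=$(dirname "$conf")/$rule_path ;;
    esac

    # The failure from the post: the rules directory itself is gone.
    if [ ! -d "$rule_path" ]; then
        echo "missing rules directory: $rule_path"
        return 1
    fi
    # The other possibility named in the post: a permissions problem.
    if [ ! -r "$rule_path" ] || [ ! -x "$rule_path" ]; then
        echo "rules directory not readable or searchable: $rule_path"
        return 1
    fi

    # Check every active (uncommented) include that points into RULE_PATH.
    bad=0
    for f in $(awk '$1 == "include" && $2 ~ /^\$RULE_PATH\// {
                        sub(/^\$RULE_PATH\//, "", $2); print $2 }' "$conf"); do
        if [ ! -r "$rule_path/$f" ]; then
            echo "missing rule file: $rule_path/$f"
            bad=1
        fi
    done
    return $bad
}

# Usage: sh thisfile.sh /usr/local/etc/snort/snort.conf
if [ $# -gt 0 ]; then
    check_snort_rules "$1"
fi
```

Run as the same user snort runs as, since the readability tests reflect the calling user's permissions.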
