Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Snort fails to start, error must enable 'extended_response_inspection'

    Scheduled Pinned Locked Moved pfSense Packages
    3 Posts 2 Posters 2.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      sentofuno
      last edited by

      Hi all,

      Snort has been refusing to start for me today, the relevant line from the log is this:

      snort[52143]: FATAL ERROR: /usr/local/etc/snort/snort_59221_fxp0/snort.conf(171) => Enable 'extended_response_inspection' inspection before setting 'inspect_gzip'

      Here is the HTTP section from /usr/local/etc/snort/snort.conf

      HTTP normalization and anomaly detection.  For more information, see README.http_inspect

      preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
      preprocessor http_inspect_server: server default
          chunk_length 500000
          server_flow_depth 0
          client_flow_depth 0
          post_depth 65495
      oversize_dir_length 500
          max_header_length 750
          max_headers 100
          ports { 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180 8181 8243 8280 8888 9090 9091 9443 9999 11371 }
          non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 }
          enable_cookie
          extended_response_inspection
          inspect_gzip
          normalize_utf
          unlimited_decompress
          apache_whitespace no
          ascii no
          bare_byte no
      directory no
      double_decode no
      iis_backslash no
      iis_delimiter no
      iis_unicode no
      multi_slash no
        utf_8 no
      u_encode yes
      webroot no

      So it appears it is listed, beyond that I don't know what to look for, I'm hoping someone can help me. Thanks in advance.

      pfSense info:

      2.0 Release AMD64
      Snort 2.9.0.5 pkg v. 2.0

      SNORT.ORG >>>  "d94dd7f6ecc5d2c4fb215ce35b717921"
      EMERGINGTHREATS.NET >>>  f05ecb736d02e8e415a2db4e93377df9
      PFSENSE.ORG >>>  "e8a95fd5f1b40e878fedeffd585134bb"

      pfSense 2.0-RELEASE
      Intel Atom Motherboard D525MW + PCI Intel 10/100 NIC, 4GB RAM
      Packages: squid, snort

      1 Reply Last reply Reply Quote 0
      • marcellocM
        marcelloc
        last edited by

        This issue as fixed yesterday by ermal, reinstall package.

        http://forum.pfsense.org/index.php/topic,37557.msg220087.html#msg220087

        Treinamentos de Elite: http://sys-squad.com

        Help a community developer! ;D

        1 Reply Last reply Reply Quote 0
        • S
          sentofuno
          last edited by

          Thank you for that, it's working now.

          pfSense 2.0-RELEASE
          Intel Atom Motherboard D525MW + PCI Intel 10/100 NIC, 4GB RAM
          Packages: squid, snort

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.