Snort fatal error on start
-
After upgrading to pfsense 2.1.5-RELEASE with snort 2.9.6.2 pkg v3.1.2 snort is failing with a FATAL error message:
snort[20608]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_61603_re1/snort.conf(169) => Did not find specified IIS Unicode codemap in the specified IIS Unicode Map file.
Barnyard2 starts up no problem.
Any clue what's wrong here? I know what a Unicode Map file is, but I don't understand what the implication is.
Check for the file here:
/usr/pbi/snort-amd64/etc/snort
It should be there. If you see it, remount your filesystem in read/write mode and copy the unicode.map file to the subdirectory snort_61603_re1
I have not had a chance yet to upgrade any of my test VMs to 2.1.5, so I have not tried a Snort update with the latest pfSense security fix.
Bill
The unicode.map file is there and contains 1252 referenced in /usr/pbi/snort-amd64/etc/snort/snort_61603_re1/snort.conf(169).
I noticed one odd thing in that the unicode.map file has windows CR LF formatting, here's the Header:
# Windows Version: 5.00.2195^M
# OEM codepage: 437^M
# ACP codepage: 1252^M
^M
# INSTALLED CODEPAGES^M
10000 (MAC - Roman)^M
. . .
I've had no reason to look at this before, but it seems odd to have a Windows sourced(?) and formatted file on a FreeBSD system.
You should not have CR/LF in that file. It should be UNIX (LF only). I have no idea how that could have happened, TBH. It's not that way on my full installs, but I am in America. Don't know if that makes any difference or not. Short term fix is to run the file through a DOS2UNIX utility (or you can do it with vi, but you will have to Google the syntax because I don't recall the details).
Bill
-
No it looks like that when I open it…
Yes, but does your map file have the "^M" at the end of each line if you open it in vi?
-
The only solution for me is to uncheck Settings will not be removed during package deinstallation and reinstall the package. The error is gone but i have to reconfigure everything …that sucks, but snort is working again.
-
The only solution for me is to uncheck Settings will not be removed during package deinstallation and reinstall the package. The error is gone but i have to reconfigure everything …that sucks, but snort is working again.
That indicates something got corrupted in the Snort section of the config.xml file. After you get your setup put back in place, pull off a backup of your firewall configuration and save it using the options under Diagnostics…Backup/Restore. Do the same each time you make any major changes to the firewall config (and when you make any changes to the Snort setup). This way, if you get a corrupted configuration, you can easily restore a "current" backup.
Bill
-
The only solution for me is to uncheck Settings will not be removed during package deinstallation and reinstall the package. The error is gone but i have to reconfigure everything …that sucks, but snort is working again.
That indicates something got corrupted in the Snort section of the config.xml file. After you get your setup put back in place, pull off a backup of your firewall configuration and save it using the options under Diagnostics…Backup/Restore. Do the same each time you make any major changes to the firewall config (and when you make any changes to the Snort setup). This way, if you get a corrupted configuration, you can easily restore a "current" backup.
Bill
Yeah it seems so. I noticed that there are less Categories now in Snort 3.1.2. For example ET Games, FTP etc. are now missing in 3.1.2 ?!. Maybe that corrupted the backup because they were there before the update.
-
The only solution for me is to uncheck Settings will not be removed during package deinstallation and reinstall the package. The error is gone but i have to reconfigure everything …that sucks, but snort is working again.
That indicates something got corrupted in the Snort section of the config.xml file. After you get your setup put back in place, pull off a backup of your firewall configuration and save it using the options under Diagnostics…Backup/Restore. Do the same each time you make any major changes to the firewall config (and when you make any changes to the Snort setup). This way, if you get a corrupted configuration, you can easily restore a "current" backup.
Bill
Yeah it seems so. I noticed that there are less Categories now in Snort 3.1.2. For example ET Games, FTP etc. are now missing in 3.1.2 ?!. Maybe that corrupted the backup because they were there before the update.
I would not think so. The Snort VRT sometimes deprecates file categories and removes them from the latest rules tarballs. That might be what happened to the rules you mentioned. The VRT has been on a mission this year to clean up some older rules, and if you looked in recent months you would have seen that several of the category files were actually empty (contained no defined rules).
Bill
-
FIXED!
It looks like the unicode.map file was bad, and not just the CR LF issue, it was missing many entries compared to the one posted here. (Just removing the CR LF problem didn't fix it) I copied the one from here (thanks Supermule!) and I also had to change the snort.conf iis unicode entry to 20127 from 1252 which didn't make sense as I'm in the US anyway.
I have no clue as to the root cause, but a package re-install didn't fix it, along with a restore from pre-2.1.5-RELEASE backup.
-
FIXED!
It looks like the unicode.map file was bad, and not just the CR LF issue, it was missing many entries compared to the one posted here. (Just removing the CR LF problem didn't fix it) I copied the one from here (thanks Supermule!) and I also had to change the snort.conf iix entry to 20127 from 1252 which didn't make sense as I'm in the US anyway.
I have no clue as to the root cause, but a package re-install didn't fix it, along with a restore from pre-2.1.5-RELEASE backup.
Glad you're fixed, but remember the entries in snort.conf for each interface are completely overwritten with each SAVE command or when stopping/starting the interfaces from the GUI. If you want to make more permanent changes, you have to edit (carefully !!!) the template file located here:
/usr/local/pkg/snort/snort_conf_template.inc
Don't touch anything in this file inside braces {}. Let me repeat – DO NOT TOUCH ANYTHING inside braces {}. If you do, the install can be really badly broken.
Other lines in there can be carefully edited to produce permanent changes. That's why I broke out the way the conf file is generated from being pure PHP code to this hybrid based on a template with placeholders for critical values passed via strings from the PHP code. That's what the things in braces "{}" are: those critical placeholders for configuration parameters coming from the GUI.
Bill
-
Turns out /usr/pbi/snort-amd64/etc/snort/snort_61603_re1/snort.conf had already reverted to:
# HTTP Inspect #
preprocessor http_inspect: global \
	iis_unicode_map unicode.map 1252 \
I couldn't find that section in /usr/local/pkg/snort/snort_conf_template.inc so I'm not sure where it's being pulled in from.
I still don't understand why it's using 1252 and apparently the unicode file replacement was the issue rather than the code page # used?
Is a puzzlement. ???
-
Turns out /usr/pbi/snort-amd64/etc/snort/snort_61603_re1/snort.conf had already reverted to:
# HTTP Inspect #
preprocessor http_inspect: global \
	iis_unicode_map unicode.map 1252 \
I couldn't find that section in /usr/local/pkg/snort/snort_conf_template.inc so I'm not sure where it's being pulled in from.
I still don't understand why it's using 1252 and apparently the unicode file replacement was the issue rather than the code page # used?
Is a puzzlement. ???
grep -n "iis_unicode_map" /usr/local/pkg/snort/*
snort_generate_conf.php:1229:$http_inspect_global .= "\\n\tiis_unicode_map unicode.map 1252 \\n";
Its on line 1229 of that file
-
Ah, it's obvious after you explain it, thanks! 8)
In any case it looks like the sole issue was the corrupted unicode.map file. I have no idea how that could have happened. I presume someone's checked the one in the package?
-
Ah, it's obvious after you explain it, thanks! 8)
In any case it looks like the sole issue was the corrupted unicode.map file. I have no idea how that could have happened. I presume someone's checked the one in the package?
My mistake on where the edit was. I was working from obviously faulty memory instead of actually looking it up. I forgot that the HTTP preprocessor configuration is built into a single large string variable that is then written to the conf file. Thanks BBcan177 for setting the OP on the right path.
I've done a number of fresh installs and upgrades on 2.1.x and 2.2-ALPHA pfSense virtual machines (along with my own production firewall) and never encountered this problem.
Bill
-
The hardware is a Netgate APU2 http://store.netgate.com/NetgateAPU2.aspx, the same as the VK-T40E in the pfSense store with 2GB RAM and an 8GB SD card. I know that's considered a little light for snort, but I've never seen any issues before. Could a resource exhaustion issue have messed with the install without leaving any log entries I've spotted?
-
The hardware is a Netgate APU2 http://store.netgate.com/NetgateAPU2.aspx, the same as the VK-T40E in the pfSense store with 2GB RAM and an 8GB SD card. I know that's considered a little light for snort, but I've never seen any issues before. Could a resource exhaustion issue have messed with the install without leaving any log entries I've spotted?
No, I doubt that low memory would corrupt the file. If you have a Netgate support contract, contact them and tell them about this issue with the corrupted file. There was a similar problem a few weeks back caused by some kind of failure between two servers at ESF/Netgate. It might be messed up again, or it could have just been a temporary glitch.
Bill
-
Check for the file here:
/usr/pbi/snort-amd64/etc/snort
It should be there. If you see it, remount your filesystem in read/write mode and copy the unicode.map file to the subdirectory snort_61603_re1
I have not had a chance yet to upgrade any of my test VMs to 2.1.5, so I have not tried a Snort update with the latest pfSense security fix.
Bill
Hi,
I have the file but it is empty. What can I do?
[2.1.5-RELEASE][admin@firewall]/root(1): find / -type f -name unicode.map | xargs ls -l
-rw-r--r-- 1 root wheel 0 Sep 12 00:09 /usr/pbi/snort-i386/etc/snort/snort_23326_rl0/unicode.map
-rw-r--r-- 1 root wheel 0 Sep 12 00:08 /usr/pbi/snort-i386/etc/snort/snort_43270_rl1/unicode.map
-r--r--r-- 1 root wheel 0 Sep 12 00:07 /usr/pbi/snort-i386/etc/snort/unicode.map
Thanks,
Stenio
-
Check for the file here:
/usr/pbi/snort-amd64/etc/snort
It should be there. If you see it, remount your filesystem in read/write mode and copy the unicode.map file to the subdirectory snort_61603_re1
I have not had a chance yet to upgrade any of my test VMs to 2.1.5, so I have not tried a Snort update with the latest pfSense security fix.
Bill
Hi,
I have the file but it is empty. What can I do?
[2.1.5-RELEASE][admin@firewall]/root(1): find / -type f -name unicode.map | xargs ls -l
-rw-r--r-- 1 root wheel 0 Sep 12 00:09 /usr/pbi/snort-i386/etc/snort/snort_23326_rl0/unicode.map
-rw-r--r-- 1 root wheel 0 Sep 12 00:08 /usr/pbi/snort-i386/etc/snort/snort_43270_rl1/unicode.map
-r--r--r-- 1 root wheel 0 Sep 12 00:07 /usr/pbi/snort-i386/etc/snort/unicode.map
Thanks,
Stenio
Go to this post my Supermule and copy and paste the contents of his unicode.map file that he generously posted into yours.
https://forum.pfsense.org/index.php?topic=81067.msg442689#msg442689
If removing and reinstalling the package is not bringing you an updated file (one that is not zero-length), then the above copy-paste is the next best option.
Bill
-
Go to this post my Supermule and copy and paste the contents of his unicode.map file that he generously posted into yours.
https://forum.pfsense.org/index.php?topic=81067.msg442689#msg442689
If removing and reinstalling the package is not bringing you an updated file (one that is not zero-length), then the above copy-paste is the next best option.
Bill
Thank you Bill, it works.
-
Go to this post my Supermule and copy and paste the contents of his unicode.map file that he generously posted into yours.
https://forum.pfsense.org/index.php?topic=81067.msg442689#msg442689
If removing and reinstalling the package is not bringing you an updated file (one that is not zero-length), then the above copy-paste is the next best option.
Bill
Thank you Bill, it works.
Glad it worked for you. BTW, I meant to type "by" instead of "my" in the reply up above… :-[
-
It happens every time now the rules get updated. After every update the unicode.map file is blank again. Found no solution so snort is nearly useless now.
-
I'm now having the same problem. For grins and giggles trying:
Backup
De-Install snort
Backup
reinstall pfsense
And then we'll see if a reinstall of snort fixes the issue.
-
It happens every time now the rules get updated. After every update the unicode.map file is blank again. Found no solution so snort is nearly useless now.
I have not noticed the problem on my box, but I use both the Snort VRT rules and the Emerging Threats Open rules.
You want to make sure a good master copy of that file resides in the main Snort directory here:
/usr/pbi/snort-{arch}/etc/snort
where {arch} is either i386 or amd-64.
Also, just to help troubleshoot, enable the ET-OPEN rules on the GLOBAL SETTINGS tab and do a manual update (click the UPDATE button on the UPDATES tab). You don't have to actually enable any of the ET-OPEN rules, but I just want to see if they will provide a good copy of the missing unicode.map file.
Bill
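A check for the three unicode.map faults reported in this thread (zero-length file, CR/LF line endings, code page from snort.conf missing from the map), as an added example that is not part of the original posts or of the Snort package. The function names and sample files are constructed for illustration; the map layout assumed is a `<codepage> (<name>)` line followed by a line of `xxxx:yy` pairs.

```shell
#!/bin/sh
# Added example (not from the thread): check the unicode.map that a generated
# snort.conf points at for the faults reported above.

# Print the code page from the "iis_unicode_map <file> <codepage>" line.
conf_codepage() {
    awk '$1 == "iis_unicode_map" { print $3; exit }' "$1"
}

# check_unicode_map <snort.conf> <unicode.map>
# Returns 0 = usable, 1 = no code page in conf, 2 = map missing or zero-length,
#         3 = CR/LF line endings, 4 = code page not listed in the map,
#         5 = code page listed but no "xxxx:yy" mapping line follows it.
check_unicode_map() {
    conf=$1
    map=$2
    page=$(conf_codepage "$conf")
    case $page in
        '' | *[!0-9]*) echo "FAIL: no iis_unicode_map code page in $conf"; return 1 ;;
    esac
    if [ ! -s "$map" ]; then
        echo "FAIL: $map is missing or zero-length"; return 2
    fi
    cr=$(printf '\r')
    if grep -q "$cr" "$map"; then
        echo "FAIL: $map has CR/LF line endings"; return 3
    fi
    status=0
    # Find the "<codepage> (<name>)" line, then require mappings on the next line.
    awk -v page="$page" '
        found { if ($1 ~ /^[0-9A-Fa-f]+:[0-9A-Fa-f]+$/) ok = 1; exit }
        $1 == page && substr($2, 1, 1) == "(" { found = 1 }
        END { if (ok) exit 0; if (found) exit 5; exit 4 }
    ' "$map" || status=$?
    case $status in
        0) echo "OK: code page $page found in $map" ;;
        4) echo "FAIL: code page $page is not listed in $map" ;;
        5) echo "FAIL: code page $page has no mapping line in $map" ;;
    esac
    return "$status"
}

# Build constructed sample files in directory $1 (not real pfSense data).
make_samples() {
    d=$1
    printf '# HTTP Inspect #\npreprocessor http_inspect: global \\\n\tiis_unicode_map unicode.map 1252 \\\n' > "$d/snort.conf"
    printf '# ACP codepage: 1252\n\n# INSTALLED CODEPAGES\n1252 (ANSI - Latin I)\n0100:41 0101:61 0102:41\n' > "$d/good.map"
    : > "$d/empty.map"                                         # zero-length file
    awk '{ printf "%s\r\n", $0 }' "$d/good.map" > "$d/crlf.map" # CR/LF endings
    printf '# INSTALLED CODEPAGES\n10000 (MAC - Roman)\n0100:41 0101:61\n' > "$d/short.map"
    printf '# INSTALLED CODEPAGES\n1252 (ANSI - Latin I)\n' > "$d/trunc.map"
}

# Demo run over the constructed samples.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for m in good empty crlf short trunc; do
    check_unicode_map "$demo_dir/snort.conf" "$demo_dir/$m.map" || true
done
rm -rf "$demo_dir"
```

On the firewall, the two arguments would be an interface's generated snort.conf and the unicode.map beside it, for example the files under /usr/pbi/snort-amd64/etc/snort/snort_61603_re1.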
-
Hi,
Suddenly every time I start snort I get the following error: :'(
FATAL ERROR: Failed to load /usr/pbi/snort-i386/lib/snort/dynamicrules/protocol-dns.so: /usr/pbi/snort-i386/lib/snort/dynamicrules/protocol-dns.so: invalid file format
I think that the problem is related to the upgrade from 2.1.4 to 2.1.5.
Do you have any ideas?
Thanks,
Stenio
-
Hi,
Suddenly every time I start snort I get the following error: :'(
FATAL ERROR: Failed to load /usr/pbi/snort-i386/lib/snort/dynamicrules/protocol-dns.so: /usr/pbi/snort-i386/lib/snort/dynamicrules/protocol-dns.so: invalid file format
I think that the problem is related to the upgrade from 2.1.4 to 2.1.5.
Do you have any ideas?
Thanks,
Stenio
My guess is that during the automatic package removal and re-install operation that occurs during a pfSense upgrade, one or more of the Snort binary files in the PBI got corrupted upon the re-install. The file it is complaining about is one of the binary shared-object rule files. It is true this file is updated with each rules update as well, so it may have gotten corrupted then.
Try these steps:
First, force a total new download of Snort rules by going to the UPDATES tab and clicking the FORCE button.
If that does not fix it, (it really should, though), then try removing and re-installing the Snort package. This step really should not be necessary, though.
Bill
-
It happens every time now the rules get updated. After every update the unicode.map file is blank again. Found no solution so snort is nearly useless now.
I did a complete reinstall of pfsense and snort. I can't even start snort the first time… all i get is the FATAL ERROR.
Something seems really f***** up with Netgate APU & pfsense 2.1.5 & snort. I never had any problems before pfsense 2.1.5. Even on the older Netgate m1n1wall i had no problems for years.
So if a fresh install didn't fix the issue then it's really f***** up somewhere.
-
It happens every time now the rules get updated. After every update the unicode.map file is blank again. Found no solution so snort is nearly useless now.
I did a complete reinstall of pfsense and snort. I can't even start snort the first time… all i get is the FATAL ERROR.
Something seems really f***** up with Netgate APU & pfsense 2.1.5 & snort. I never had any problems before pfsense 2.1.5. Even on the older Netgate m1n1wall i had no problems for years.
So if a fresh install didn't fix the issue then it's really f***** up somewhere.
I will pass this along to the Netgate guys. One time in the past there was a temporary issue similar to this. Perhaps it has occurred again. BTW, if you have a support contract with Netgate, you could certainly contact them about your issue. That may be faster than my e-mail to them.
Bill
-
I suffer the same problem. In an attempt to resolve this I uninstall and then try to reinstall snort but it does not reinstall:
Installation of snort FAILED!
Beginning package installation for snort .
Downloading package configuration file… done.
Saving updated package information... done.
Downloading snort and its dependencies...
Checking for package installation...
Downloading https://files.pfsense.org/packages/8/All/snort-2.9.6.2-i386.pbi ... (extracting)
Loading package configuration... done.
Configuring package components...
Additional files... snort_sync.xml failed.
Removing package...
Starting package deletion for snort-2.9.6.2-i386...done.
Removing snort components...
Menu items... done.
Services... done.
Loading package instructions...
Deinstall commands... done.
Removing package instructions...done.
Auxiliary files... done.
Package XML... done.
Configuration... done.
done.
Failed to install package.
Installation halted.
Is there any solution yet?
-
2nd reinstall attempt no longer failed, but the original error persists:
Sep 17 16:49:51 php: /snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 12306 -D -q -l /var/log/snort/snort_em1_vlan112306 --pid-path /var/run --nolock-pidfile -G 12306 -c /usr/pbi/snort-i386/etc/snort/snort_12306_em1_vlan1/snort.conf -i em1_vlan1' returned exit code '1', the output was ''
Sep 17 16:49:51 snort[30106]: FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_12306_em1_vlan1/snort.conf(169) => Did not find specified IIS Unicode codemap in the specified IIS Unicode Map file.
Version 2.1.5-RELEASE (i386)
built on Mon Aug 25 07:44:26 EDT 2014
FreeBSD 8.3-RELEASE-p16
CPU Type Intel(R) Atom(TM) CPU D410 @ 1.66GHz
Current: 207 MHz, Max: 1659 MHz
Memory usage 10% of 2011 MB
Disk usage 31% of 1.8G
-
It happens every time now the rules get updated. After every update the unicode.map file is blank again. Found no solution so snort is nearly useless now.
I did a complete reinstall of pfsense and snort. I can't even start snort the first time… all i get is the FATAL ERROR.
Something seems really f***** up with Netgate APU & pfsense 2.1.5 & snort. I never had any problems before pfsense 2.1.5. Even on the older Netgate m1n1wall i had no problems for years.
So if a fresh install didn't fix the issue then it's really f***** up somewhere.
I will pass this along to the Netgate guys. One time in the past there was a temporary issue similar to this. Perhaps it has occurred again. BTW, if you have a support contract with Netgate, you could certainly contact them about your issue. That may be faster than my e-mail to them.
Bill
Yes i have a support contract with Netgate. I thought that this is related to just a package so they can't help anyway. But it seems that only Netgate APUs are affected so i contacted the support about the issue.
I will post the answer here if they are aware of it. Let me know what they told you.
-
It happens every time now the rules get updated. After every update the unicode.map file is blank again. Found no solution so snort is nearly useless now.
I did a complete reinstall of pfsense and snort. I can't even start snort the first time… all i get is the FATAL ERROR.
Something seems really f***** up with Netgate APU & pfsense 2.1.5 & snort. I never had any problems before pfsense 2.1.5. Even on the older Netgate m1n1wall i had no problems for years.
So if a fresh install didn't fix the issue then it's really f***** up somewhere.
I will pass this along to the Netgate guys. One time in the past there was a temporary issue similar to this. Perhaps it has occurred again. BTW, if you have a support contract with Netgate, you could certainly contact them about your issue. That may be faster than my e-mail to them.
Bill
Yes i have a support contract with Netgate. I thought that this is related to just a package so they can't help anyway. But it seems that only Netgate APUs are affected so i contacted the support about the issue.
I will post the answer here if they are aware of it. Let me know what they told you.
I passed along a link to this thread and notified them some users were having issues and what I thought the issue might be. They acknowledged receipt and said they would look into it. I provided them my personal contact information if something else was needed from me or if it was later determined the problem was something I might need to fix within the Snort package.
Bill
-
My guess is that during the automatic package removal and re-install operation that occurs during a pfSense upgrade, one or more of the Snort binary files in the PBI got corrupted upon the re-install. The file it is complaining about is one of the binary shared-object rule files. It is true this file is updated with each rules update as well, so it may have gotten corrupted then.
Try these steps:
First, force a total new download of Snort rules by going to the UPDATES tab and clicking the FORCE button.
If that does not fix it, (it really should, though), then try removing and re-installing the Snort package. This step really should not be necessary, though.
Bill
I forced the rules updating but it didn't work. Same result reinstalling the package keeping the old settings.
I see from the log that snort exits with a signal 11:
Sep 20 12:04:47 barnyard2[99050]: Waiting for new data
Sep 20 12:04:47 barnyard2[99050]: Opened spool file '/var/log/snort/snort_rl023326/snort_23326_rl0.u2.1410818949'
Sep 20 12:04:47 barnyard2[99050]: Using waldo file '/var/log/snort/snort_rl023326/barnyard2/23326_rl0.waldo': spool directory = /var/log/snort/snort_rl023326 spool filebase = snort_23326_rl0.u2 time_stamp = 1410818949 record_idx = 28
Sep 20 12:04:47 barnyard2[99050]: Barnyard2 initialization completed successfully (pid=99050)
Sep 20 12:04:47 barnyard2[99050]: --== Initialization Complete ==--
Sep 20 12:04:47 barnyard2[99050]:
Sep 20 12:04:47 barnyard2[99050]: Writing PID "99050" to file "/var/run/barnyard2_rl023326.pid"
Sep 20 12:04:47 barnyard2[99050]: PID path stat checked out ok, PID path set to /var/run
Sep 20 12:04:47 barnyard2[98746]: Daemon parent exiting
Sep 20 12:04:47 barnyard2[99050]: Daemon initialized, signaled parent pid: 98746
Sep 20 12:04:47 barnyard2[98746]: Initializing daemon mode
Sep 20 12:04:47 barnyard2[98746]: Log directory = /var/log/snort/snort_rl023326
Sep 20 12:04:47 barnyard2[98746]: Barnyard2 spooler: Event cache size set to [8192]
Sep 20 12:04:46 barnyard2[98746]: ---------------------------- +[ Signature Suppress list ]+
Sep 20 12:04:46 barnyard2[98746]: +[No entry in Signature Suppress List]+
Sep 20 12:04:46 barnyard2[98746]: +[ Signature Suppress list ]+ ----------------------------
Sep 20 12:04:46 barnyard2[98746]: Found pid path directive (/var/run)
Sep 20 12:04:46 barnyard2[98746]: Parsing config file "/usr/pbi/snort-i386/etc/snort/snort_23326_rl0/barnyard2.conf"
Sep 20 12:04:46 barnyard2[98746]: Initializing Output Plugins!
Sep 20 12:04:46 barnyard2[98746]: Initializing Input Plugins!
Sep 20 12:04:46 barnyard2[98746]: --== Initializing Barnyard2 ==--
Sep 20 12:04:46 barnyard2[98746]:
Sep 20 12:04:46 barnyard2[98746]: Running in Continuous mode
Sep 20 12:04:46 barnyard2[98746]: Found pid path directive (/var/run)
Sep 20 12:04:46 SnortStartup[98424]: Barnyard2 START for Snort su LAN(23326_rl0)…
Sep 20 12:04:44 kernel: pid 91088 (snort), uid 0: exited on signal 11
Sep 20 12:04:44 barnyard2[90144]: Waiting for new data
Sep 20 12:04:44 barnyard2[90144]: Opened spool file '/var/log/snort/snort_rl143270/snort_43270_rl1.u2.1410818919'
Sep 20 12:04:44 barnyard2[90144]: Using waldo file '/var/log/snort/snort_rl143270/barnyard2/43270_rl1.waldo': spool directory = /var/log/snort/snort_rl143270 spool filebase = snort_43270_rl1.u2 time_stamp = 1410818919 record_idx = 26
Sep 20 12:04:44 barnyard2[90144]: Barnyard2 initialization completed successfully (pid=90144)
Sep 20 12:04:44 SnortStartup[90747]: Snort START for Snort su LAN(23326_rl0)…
Sep 20 12:04:44 barnyard2[90144]: --== Initialization Complete ==--
Sep 20 12:04:44 barnyard2[90144]:
Sep 20 12:04:44 barnyard2[90144]: Writing PID "90144" to file "/var/run/barnyard2_rl143270.pid"
Sep 20 12:04:44 barnyard2[90144]: PID path stat checked out ok, PID path set to /var/run
Sep 20 12:04:44 barnyard2[90144]: Daemon initialized, signaled parent pid: 87874
Sep 20 12:04:44 barnyard2[87874]: Daemon parent exiting
Sep 20 12:04:44 barnyard2[87874]: Initializing daemon mode
Sep 20 12:04:44 barnyard2[87874]: Log directory = /var/log/snort/snort_rl143270
Sep 20 12:04:44 barnyard2[87874]: Barnyard2 spooler: Event cache size set to [8192]
Sep 20 12:04:44 barnyard2[87874]: ---------------------------- +[ Signature Suppress list ]+
Sep 20 12:04:44 barnyard2[87874]: +[No entry in Signature Suppress List]+
Sep 20 12:04:44 barnyard2[87874]: +[ Signature Suppress list ]+ ----------------------------
Sep 20 12:04:44 barnyard2[87874]: Found pid path directive (/var/run)
Sep 20 12:04:44 barnyard2[87874]: Parsing config file "/usr/pbi/snort-i386/etc/snort/snort_43270_rl1/barnyard2.conf"
Sep 20 12:04:44 barnyard2[87874]: Initializing Output Plugins!
Sep 20 12:04:44 barnyard2[87874]: Initializing Input Plugins!
Sep 20 12:04:44 barnyard2[87874]: --== Initializing Barnyard2 ==--
Sep 20 12:04:44 barnyard2[87874]:
Quite strange!
-
If you use Barnyard2, maybe disable that Feature, and then do your Upgrade to see if you can at least get it upgraded? Re-enable Barnyard after that?
-
If you use Barnyard2, maybe disable that Feature, and then do your Upgrade to see if you can at least get it upgraded? Re-enable Barnyard after that?
Tried but same result:
Sep 22 10:03:03 kernel: pid 7377 (snort), uid 0: exited on signal 11
Sep 22 10:03:02 SnortStartup[7290]: Snort START for Snort su LAN(23326_rl0)…
Sep 22 10:03:01 kernel: pid 6966 (snort), uid 0: exited on signal 11
Sep 22 10:03:00 SnortStartup[6686]: Snort START for Snort su WAN(43270_rl1)…
Sep 22 09:45:54 check_reload_status: Reloading filter
Sep 22 09:45:39 kernel: pid 26501 (snort), uid 0: exited on signal 11
Sep 22 09:45:39 SnortStartup[26164]: Snort START for Snort su LAN(23326_rl0)…
Sep 22 09:45:39 php: /pkg_mgr_install.php: [Snort] Package post-installation tasks completed…
Sep 22 09:45:37 kernel: pid 24335 (snort), uid 0: exited on signal 11
Sep 22 09:45:37 SnortStartup[24035]: Snort START for Snort su WAN(43270_rl1)…
Sep 22 09:45:37 php: /pkg_mgr_install.php: [Snort] Starting Snort using rebuilt configuration…
Sep 22 09:45:37 php: /pkg_mgr_install.php: [Snort] Finished rebuilding installation from saved settings…
I think that I need to purge the configuration... :'(
Thanks,
Stenio
-
I think that I need to purge the configuration… :'(
Configuration purged and reinstalled. Now it works properly.
Thanks,
Stenio
-
It happens every time now the rules get updated. After every update the unicode.map file is blank again. Found no solution so snort is nearly useless now.
I did a complete reinstall of pfsense and snort. I can't even start snort the first time… all i get is the FATAL ERROR.
Something seems really f***** up with Netgate APU & pfsense 2.1.5 & snort. I never had any problems before pfsense 2.1.5. Even on the older Netgate m1n1wall i had no problems for years.
So if a fresh install didn't fix the issue then it's really f***** up somewhere.
I will pass this along to the Netgate guys. One time in the past there was a temporary issue similar to this. Perhaps it has occurred again. BTW, if you have a support contract with Netgate, you could certainly contact them about your issue. That may be faster than my e-mail to them.
Bill
Yes i have a support contract with Netgate. I thought that this is related to just a package so they can't help anyway. But it seems that only Netgate APUs are affected so i contacted the support about the issue.
I will post the answer here if they are aware of it. Let me know what they told you.
I passed along a link to this thread and notified them some users were having issues and what I thought the issue might be. They acknowledged receipt and said they would look into it. I provided them my personal contact information if something else was needed from me or if it was later determined the problem was something I might need to fix within the Snort package.
Bill
I finally got an answer:
I see you purchased an APU with NanoBSD pfSense installed on an SD card. Snort and many other packages will not function on pfSense when installed on a SD card. A full installation of pfSense is required and to do so, pfSense must be installed on an SSD.
Your options are limited. If Snort is essential, you will need an mSATA SSD drive with pfSense installed. We could sell you an mSATA drive, preloaded with pfSense 2.1.5. Otherwise, you could reset your device to factory default settings and operate without Snort.
----------------
That's it. Not really helpful because it worked fine prior to pfsense 2.1.5. So i guess it can't be fixed then.
-T5000
-
That's a REALLY weird answer since it worked on 2.1.4…..
-
That's a REALLY weird answer since it worked on 2.1.4…..
Yes, it worked very well for months.
-
That's a REALLY weird answer since it worked on 2.1.4…..
Yes, it worked very well for months.
One thing that has slowly been changing is the growth in the number of rules as different exploits are handled by rules updates. The amount of free space required to unpack and install everything incrementally increases. Same goes for the binary parts of some packages (the PBI files). These must be downloaded, unzipped, and then installed. That takes additional disk space. Compared to a full SSD or HD install, there is not much space on CF (NanoBSD) installs due to the default partition layouts. What is happening, I think, is the package installer is running out of space and silently failing in a number of different ways depending on exactly where in the install process it runs out of disk space.
Bill
-
Today I found snort not running. If I start it I see:
Sep 29 15:50:28 php: /snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 39369 -D -q -l /var/log/snort/snort_rl139369 --pid-path /var/run --nolock-pidfile -G 39369 -c /usr/pbi/snort-i386/etc/snort/snort_39369_rl1/snort.conf -i rl1' returned exit code '1', the output was ''
Sep 29 15:50:28 snort[13094]: FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_39369_rl1/snort.conf(169) => Did not find specified IIS Unicode codemap in the specified IIS Unicode Map file.
Sep 29 15:50:27 php: /snort/snort_interfaces.php: [Snort] Snort START for WAN(rl1)…
It worked for a few days after a complete reinstall. I'm using nanobsd but I have 1.4 GB of free space:
$ df -h
Filesystem Size Used Avail Capacity Mounted on
/dev/ufs/pfsense0 1.8G 271M 1.4G 16% /
devfs 1.0k 1.0k 0B 100% /dev
/dev/ufs/cf 49M 5.2M 40M 11% /cf
/dev/md0 38M 2.2M 33M 6% /tmp
/dev/md1 57M 23M 30M 44% /var
devfs 1.0k 1.0k 0B 100% /var/dhcpd/dev
What can I do?
Thanks,
Stenio
-
Today I found snort not running. If I start it I see:
Sep 29 15:50:28 php: /snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 39369 -D -q -l /var/log/snort/snort_rl139369 --pid-path /var/run --nolock-pidfile -G 39369 -c /usr/pbi/snort-i386/etc/snort/snort_39369_rl1/snort.conf -i rl1' returned exit code '1', the output was ''
Sep 29 15:50:28 snort[13094]: FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_39369_rl1/snort.conf(169) => Did not find specified IIS Unicode codemap in the specified IIS Unicode Map file.
Sep 29 15:50:27 php: /snort/snort_interfaces.php: [Snort] Snort START for WAN(rl1)…
It worked for a few days after a complete reinstall. I'm using nanobsd but I have 1.4 GB of free space:
$ df -h
Filesystem Size Used Avail Capacity Mounted on
/dev/ufs/pfsense0 1.8G 271M 1.4G 16% /
devfs 1.0k 1.0k 0B 100% /dev
/dev/ufs/cf 49M 5.2M 40M 11% /cf
/dev/md0 38M 2.2M 33M 6% /tmp
/dev/md1 57M 23M 30M 44% /var
devfs 1.0k 1.0k 0B 100% /var/dhcpd/dev
What can I do?
Thanks,
Stenio
Well, while I'm sure it's not what you want to hear, I would ditch Nano and go the full-install route on a hard disk (either SSD or conventional). I suspect that will end your problems. There are lots of users here running Snort on conventional full installs with no issues.
If you want to stay with Nano, then I suggest ditching the Snort package (and Suricata as well). I think you are going to face continual problems otherwise. What probably happened to you is an updated Snort VRT rules package downloaded, and due to the issues with Nano, did not unzip and install itself correctly. The unicode.map file is probably corrupted again.
Bill
-
Well, while I'm sure it's not what you want to hear, I would ditch Nano and go the full-install route on a hard disk (either SSD or conventional). I suspect that will end your problems. There are lots of users here running Snort on conventional full installs with no issues.
OUCH!!! :'(