Netgate Discussion Forum
    Snort fatal error on start

      stenio

      @bmeeks:

      Check for the file here:

      /usr/pbi/snort-amd64/etc/snort

      It should be there.  If you see it, remount your filesystem in read/write mode and copy the unicode.map file to the subdirectory snort_61603_re1

      I have not had a chance yet to upgrade any of my test VMs to 2.1.5, so I have not tried a Snort update with the latest pfSense security fix.

      Bill

      Hi,

      I have the file but it is empty. What can I do?

      [2.1.5-RELEASE][admin@firewall]/root(1): find / -type f -name unicode.map | xargs ls -l
      -rw-r--r--  1 root  wheel  0 Sep 12 00:09 /usr/pbi/snort-i386/etc/snort/snort_23326_rl0/unicode.map
      -rw-r--r--  1 root  wheel  0 Sep 12 00:08 /usr/pbi/snort-i386/etc/snort/snort_43270_rl1/unicode.map
      -r--r--r--  1 root  wheel  0 Sep 12 00:07 /usr/pbi/snort-i386/etc/snort/unicode.map

      Thanks,
      Stenio

        bmeeks

        @stenio:

        @bmeeks:

        Check for the file here:

        /usr/pbi/snort-amd64/etc/snort

        It should be there.  If you see it, remount your filesystem in read/write mode and copy the unicode.map file to the subdirectory snort_61603_re1

        I have not had a chance yet to upgrade any of my test VMs to 2.1.5, so I have not tried a Snort update with the latest pfSense security fix.

        Bill

        Hi,

        I have the file but it is empty. What can I do?

        [2.1.5-RELEASE][admin@firewall]/root(1): find / -type f -name unicode.map | xargs ls -l
        -rw-r--r--  1 root  wheel  0 Sep 12 00:09 /usr/pbi/snort-i386/etc/snort/snort_23326_rl0/unicode.map
        -rw-r--r--  1 root  wheel  0 Sep 12 00:08 /usr/pbi/snort-i386/etc/snort/snort_43270_rl1/unicode.map
        -r--r--r--  1 root  wheel  0 Sep 12 00:07 /usr/pbi/snort-i386/etc/snort/unicode.map

        Thanks,
        Stenio

        Go to this post my Supermule and copy and paste the contents of his unicode.map file that he generously posted into yours.

        https://forum.pfsense.org/index.php?topic=81067.msg442689#msg442689

        If removing and reinstalling the package is not bringing you an updated file (one that is not zero-length), then the above copy-paste is the next best option.

        Bill

          stenio

          @bmeeks:

          Go to this post my Supermule and copy and paste the contents of his unicode.map file that he generously posted into yours.

          https://forum.pfsense.org/index.php?topic=81067.msg442689#msg442689

          If removing and reinstalling the package is not bringing you an updated file (one that is not zero-length), then the above copy-paste is the next best option.

          Bill

          Thank you Bill, it works.

            bmeeks

            @stenio:

            @bmeeks:

            Go to this post my Supermule and copy and paste the contents of his unicode.map file that he generously posted into yours.

            https://forum.pfsense.org/index.php?topic=81067.msg442689#msg442689

            If removing and reinstalling the package is not bringing you an updated file (one that is not zero-length), then the above copy-paste is the next best option.

            Bill

            Thank you Bill, it works.

            Glad it worked for you.  BTW, I meant to type "by" instead of "my" in the reply up above… :-[

              T5000

              It happens every time now the rules get updated. After every update the unicode.map file is blank again. Found no solution so snort is nearly useless now.

                daplumber

                I'm now having the same problem. For grins and giggles trying:

                Backup
                De-Install snort
                Backup
                reinstall pfsense

                And then we'll see if a reinstall of snort fixes the issue.

                ----------
                This user has been carbon dated to the 8-bit era...

                  bmeeks

                  @T5000:

                  It happens every time now the rules get updated. After every update the unicode.map file is blank again. Found no solution so snort is nearly useless now.

                  I have not noticed the problem on my box, but I use both the Snort VRT rules and the Emerging Threats Open rules.

                  You want to make sure a good master copy of that file resides in the main Snort directory here:

                  /usr/pbi/snort-{arch}/etc/snort

                  where {arch} is either i386 or amd-64.

                  Also, just to help troubleshoot, enable the ET-OPEN rules on the GLOBAL SETTINGS tab and do a manual update (click the UPDATE button on the UPDATES tab).  You don't have to actually enable any of the ET-OPEN rules, but I just want to see if they will provide a good copy of the missing unicode.map file.

                  Bill
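
An added example, not part of the original thread or of the Snort package: a POSIX sh helper that reports per-interface unicode.map copies that are missing or zero-length (as in the listing earlier in the thread) and restores them from the master copy, refusing to copy when the master itself is unusable. Code page 1252 and the check for a line beginning with that number are assumptions about the stock Snort configuration and map file layout; make_sample_tree builds constructed sample data.

```shell
#!/bin/sh
# Added example: audit and repair per-interface copies of Snort's unicode.map.
# Directory layout follows the thread: a master copy in ETC_DIR and one copy
# in each ETC_DIR/snort_<uuid>_<if>/ subdirectory.
# ASSUMPTION: a usable map has a line that starts with the code page number
# named in snort.conf (1252 is assumed to be the stock value).

# map_is_usable FILE CODEPAGE
# Succeeds only if FILE is non-empty and defines CODEPAGE.
map_is_usable() {
    [ -s "$1" ] && grep -Eq "^$2([^0-9]|\$)" "$1"
}

# list_bad_maps ETC_DIR CODEPAGE
# Prints the path of every per-interface unicode.map that is missing,
# zero-length, or lacks the code page.
list_bad_maps() {
    for d in "$1"/snort_*/; do
        [ -d "$d" ] || continue          # glob matched nothing
        f="${d}unicode.map"
        map_is_usable "$f" "$2" || printf '%s\n' "$f"
    done
}

# restore_maps ETC_DIR CODEPAGE
# Copies the master over each bad per-interface copy. Returns 1 without
# touching anything when the master is itself empty or incomplete, which is
# the state shown in the thread's "find | xargs ls -l" listing.
restore_maps() {
    master="$1/unicode.map"
    if ! map_is_usable "$master" "$2"; then
        echo "master $master is empty or lacks code page $2; not copying" >&2
        return 1
    fi
    list_bad_maps "$1" "$2" | while IFS= read -r f; do
        cp -p "$master" "$f" && echo "restored $f"
    done
}

# make_sample_tree
# Builds a CONSTRUCTED layout in a temp directory (good master, two
# zero-length interface copies) and prints its path. Not real Snort data.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/snort_23326_rl0" "$t/snort_43270_rl1"
    printf '# constructed sample\n1252  (ANSI - Latin I)\n00a1:21 00a2:63\n' \
        > "$t/unicode.map"
    : > "$t/snort_23326_rl0/unicode.map"
    : > "$t/snort_43270_rl1/unicode.map"
    printf '%s\n' "$t"
}

# On the firewall, with the filesystem mounted read/write:
#   list_bad_maps /usr/pbi/snort-i386/etc/snort 1252
#   restore_maps  /usr/pbi/snort-i386/etc/snort 1252
```

Running list_bad_maps after each rules update shows whether the update step is what truncates the file, which is the question raised in this thread.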

                    stenio

                    Hi,

                    Suddenly every time I start snort I get the following error:  :'(

                    FATAL ERROR: Failed to load /usr/pbi/snort-i386/lib/snort/dynamicrules/protocol-dns.so: /usr/pbi/snort-i386/lib/snort/dynamicrules/protocol-dns.so: invalid file format

                    I think that the problem is related to the upgrade from 2.1.4 to 2.1.5.

                    Do you have any ideas?

                    Thanks,
                    Stenio

                      bmeeks

                      @stenio:

                      Hi,

                      Suddenly every time I start snort I get the following error:  :'(

                      FATAL ERROR: Failed to load /usr/pbi/snort-i386/lib/snort/dynamicrules/protocol-dns.so: /usr/pbi/snort-i386/lib/snort/dynamicrules/protocol-dns.so: invalid file format

                      I think that the problem is related to the upgrade from 2.1.4 to 2.1.5.

                      Do you have any ideas?

                      Thanks,
                      Stenio

                      My guess is that during the automatic package removal and re-install operation that occurs during a pfSense upgrade, one or more of the Snort binary files in the PBI got corrupted upon the re-install.  The file it is complaining about is one of the binary shared-object rule files.  It is true this file is updated with each rules update as well, so it may have gotten corrupted then.

                      Try these steps:

                      First, force a total new download of Snort rules by going to the UPDATES tab and clicking the FORCE button.

                      If that does not fix it, (it really should, though), then try removing and re-installing the Snort package.  This step really should not be necessary, though.

                      Bill

                        T5000

                        @T5000:

                        It happens every time now the rules get updated. After every update the unicode.map file is blank again. Found no solution so snort is nearly useless now.

                        I did a complete reinstall of pfsense and snort. I can't even start snort the first time… all I get is the FATAL ERROR.

                        Something seems really f***** up with Netgate APU & pfsense 2.1.5 & snort. I never had any problems before pfsense 2.1.5. Even on the older Netgate m1n1wall I had no problems for years.

                        So if a fresh install didn't fix the issue then it's really f***** up somewhere.

                          bmeeks

                          @T5000:

                          @T5000:

                          It happens every time now the rules get updated. After every update the unicode.map file is blank again. Found no solution so snort is nearly useless now.

                          I did a complete reinstall of pfsense and snort. I can't even start snort the first time… all I get is the FATAL ERROR.

                          Something seems really f***** up with Netgate APU & pfsense 2.1.5 & snort. I never had any problems before pfsense 2.1.5. Even on the older Netgate m1n1wall I had no problems for years.

                          So if a fresh install didn't fix the issue then it's really f***** up somewhere.

                          I will pass this along to the Netgate guys.  One time in the past there was a temporary issue similar to this.  Perhaps it has occurred again.  BTW, if you have a support contract with Netgate, you could certainly contact them about your issue.  That may be faster than my e-mail to them.

                          Bill

                            joako

                            I suffer the same problem. In an attempt to resolve this I uninstall and then try to reinstall snort but it does not reinstall:

                            Installation of snort FAILED!

                            Beginning package installation for snort .
                            Downloading package configuration file… done.
                            Saving updated package information... done.
                            Downloading snort and its dependencies...
                            Checking for package installation...
                            Downloading https://files.pfsense.org/packages/8/All/snort-2.9.6.2-i386.pbi ...  (extracting)
                            Loading package configuration... done.
                            Configuring package components...
                            Additional files... snort_sync.xml failed.
                            Removing package...
                            Starting package deletion for snort-2.9.6.2-i386...done.
                            Removing snort components...
                            Menu items... done.
                            Services... done.
                            Loading package instructions...
                            Deinstall commands... done.
                            Removing package instructions...done.
                            Auxiliary files... done.
                            Package XML... done.
                            Configuration... done.
                            done.
                            Failed to install package.

                            Installation halted.

                            Is there any solution yet?

                              joako

                              2nd reinstall attempt no longer failed, but the original error persists:

                              Sep 17 16:49:51 php: /snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 12306 -D -q -l /var/log/snort/snort_em1_vlan112306 --pid-path /var/run --nolock-pidfile -G 12306 -c /usr/pbi/snort-i386/etc/snort/snort_12306_em1_vlan1/snort.conf -i em1_vlan1' returned exit code '1', the output was ''

                              Sep 17 16:49:51 snort[30106]: FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_12306_em1_vlan1/snort.conf(169) => Did not find specified IIS Unicode codemap in the specified IIS Unicode Map file.

                              Version 2.1.5-RELEASE (i386)
                              built on Mon Aug 25 07:44:26 EDT 2014
                              FreeBSD 8.3-RELEASE-p16

                              CPU Type Intel(R) Atom(TM) CPU D410 @ 1.66GHz
                              Current: 207 MHz, Max: 1659 MHz

                              Memory usage 10% of 2011 MB

                              Disk usage 31% of 1.8G

                                T5000

                                @bmeeks:

                                @T5000:

                                @T5000:

                                It happens every time now the rules get updated. After every update the unicode.map file is blank again. Found no solution so snort is nearly useless now.

                                I did a complete reinstall of pfsense and snort. I can't even start snort the first time… all I get is the FATAL ERROR.

                                Something seems really f***** up with Netgate APU & pfsense 2.1.5 & snort. I never had any problems before pfsense 2.1.5. Even on the older Netgate m1n1wall I had no problems for years.

                                So if a fresh install didn't fix the issue then it's really f***** up somewhere.

                                I will pass this along to the Netgate guys.  One time in the past there was a temporary issue similar to this.  Perhaps it has occurred again.  BTW, if you have a support contract with Netgate, you could certainly contact them about your issue.  That may be faster than my e-mail to them.

                                Bill

                                Yes, I have a support contract with Netgate. I thought that this is related to just a package so they can't help anyway. But it seems that only Netgate APUs are affected so I contacted the support about the issue.

                                I will post the answer here if they are aware of it. Let me know what they told you.

                                  bmeeks

                                  @T5000:

                                  @bmeeks:

                                  @T5000:

                                  @T5000:

                                  It happens every time now the rules get updated. After every update the unicode.map file is blank again. Found no solution so snort is nearly useless now.

                                  I did a complete reinstall of pfsense and snort. I can't even start snort the first time… all I get is the FATAL ERROR.

                                  Something seems really f***** up with Netgate APU & pfsense 2.1.5 & snort. I never had any problems before pfsense 2.1.5. Even on the older Netgate m1n1wall I had no problems for years.

                                  So if a fresh install didn't fix the issue then it's really f***** up somewhere.

                                  I will pass this along to the Netgate guys.  One time in the past there was a temporary issue similar to this.  Perhaps it has occurred again.  BTW, if you have a support contract with Netgate, you could certainly contact them about your issue.  That may be faster than my e-mail to them.

                                  Bill

                                  Yes, I have a support contract with Netgate. I thought that this is related to just a package so they can't help anyway. But it seems that only Netgate APUs are affected so I contacted the support about the issue.

                                  I will post the answer here if they are aware of it. Let me know what they told you.

                                  I passed along a link to this thread and notified them some users were having issues and what I thought the issue might be.  They acknowledged receipt and said they would look into it.  I provided them my personal contact information if something else was needed from me or if it was later determined the problem was something I might need to fix within the Snort package.

                                  Bill

                                    stenio

                                    @bmeeks:

                                    My guess is that during the automatic package removal and re-install operation that occurs during a pfSense upgrade, one or more of the Snort binary files in the PBI got corrupted upon the re-install.  The file it is complaining about is one of the binary shared-object rule files.  It is true this file is updated with each rules update as well, so it may have gotten corrupted then.

                                    Try these steps:

                                    First, force a total new download of Snort rules by going to the UPDATES tab and clicking the FORCE button.

                                    If that does not fix it, (it really should, though), then try removing and re-installing the Snort package.  This step really should not be necessary, though.

                                    Bill

                                    I forced the rules updating but it didn't work. Same result reinstalling the package keeping the old settings.
                                    I see from the log that snort exits with a signal 11:

                                    Sep 20 12:04:47 barnyard2[99050]: Waiting for new data
                                    Sep 20 12:04:47 barnyard2[99050]: Opened spool file '/var/log/snort/snort_rl023326/snort_23326_rl0.u2.1410818949'
                                    Sep 20 12:04:47 barnyard2[99050]: Using waldo file '/var/log/snort/snort_rl023326/barnyard2/23326_rl0.waldo': spool directory = /var/log/snort/snort_rl023326 spool filebase = snort_23326_rl0.u2 time_stamp = 1410818949 record_idx = 28
                                    Sep 20 12:04:47 barnyard2[99050]: Barnyard2 initialization completed successfully (pid=99050)
                                    Sep 20 12:04:47 barnyard2[99050]: --== Initialization Complete ==--
                                    Sep 20 12:04:47 barnyard2[99050]:
                                    Sep 20 12:04:47 barnyard2[99050]: Writing PID "99050" to file "/var/run/barnyard2_rl023326.pid"
                                    Sep 20 12:04:47 barnyard2[99050]: PID path stat checked out ok, PID path set to /var/run
                                    Sep 20 12:04:47 barnyard2[98746]: Daemon parent exiting
                                    Sep 20 12:04:47 barnyard2[99050]: Daemon initialized, signaled parent pid: 98746
                                    Sep 20 12:04:47 barnyard2[98746]: Initializing daemon mode
                                    Sep 20 12:04:47 barnyard2[98746]: Log directory = /var/log/snort/snort_rl023326
                                    Sep 20 12:04:47 barnyard2[98746]: Barnyard2 spooler: Event cache size set to [8192]
                                    Sep 20 12:04:46 barnyard2[98746]: ---------------------------- +[ Signature Suppress list ]+
                                    Sep 20 12:04:46 barnyard2[98746]: +[No entry in Signature Suppress List]+
                                    Sep 20 12:04:46 barnyard2[98746]: +[ Signature Suppress list ]+ ----------------------------
                                    Sep 20 12:04:46 barnyard2[98746]: Found pid path directive (/var/run)
                                    Sep 20 12:04:46 barnyard2[98746]: Parsing config file "/usr/pbi/snort-i386/etc/snort/snort_23326_rl0/barnyard2.conf"
                                    Sep 20 12:04:46 barnyard2[98746]: Initializing Output Plugins!
                                    Sep 20 12:04:46 barnyard2[98746]: Initializing Input Plugins!
                                    Sep 20 12:04:46 barnyard2[98746]: --== Initializing Barnyard2 ==--
                                    Sep 20 12:04:46 barnyard2[98746]:
                                    Sep 20 12:04:46 barnyard2[98746]: Running in Continuous mode
                                    Sep 20 12:04:46 barnyard2[98746]: Found pid path directive (/var/run)
                                    Sep 20 12:04:46 SnortStartup[98424]: Barnyard2 START for Snort su LAN(23326_rl0)…
                                    Sep 20 12:04:44 kernel: pid 91088 (snort), uid 0: exited on signal 11
                                    Sep 20 12:04:44 barnyard2[90144]: Waiting for new data
                                    Sep 20 12:04:44 barnyard2[90144]: Opened spool file '/var/log/snort/snort_rl143270/snort_43270_rl1.u2.1410818919'
                                    Sep 20 12:04:44 barnyard2[90144]: Using waldo file '/var/log/snort/snort_rl143270/barnyard2/43270_rl1.waldo': spool directory = /var/log/snort/snort_rl143270 spool filebase = snort_43270_rl1.u2 time_stamp = 1410818919 record_idx = 26
                                    Sep 20 12:04:44 barnyard2[90144]: Barnyard2 initialization completed successfully (pid=90144)
                                    Sep 20 12:04:44 SnortStartup[90747]: Snort START for Snort su LAN(23326_rl0)…
                                    Sep 20 12:04:44 barnyard2[90144]: --== Initialization Complete ==--
                                    Sep 20 12:04:44 barnyard2[90144]:
                                    Sep 20 12:04:44 barnyard2[90144]: Writing PID "90144" to file "/var/run/barnyard2_rl143270.pid"
                                    Sep 20 12:04:44 barnyard2[90144]: PID path stat checked out ok, PID path set to /var/run
                                    Sep 20 12:04:44 barnyard2[90144]: Daemon initialized, signaled parent pid: 87874
                                    Sep 20 12:04:44 barnyard2[87874]: Daemon parent exiting
                                    Sep 20 12:04:44 barnyard2[87874]: Initializing daemon mode
                                    Sep 20 12:04:44 barnyard2[87874]: Log directory = /var/log/snort/snort_rl143270
                                    Sep 20 12:04:44 barnyard2[87874]: Barnyard2 spooler: Event cache size set to [8192]
                                    Sep 20 12:04:44 barnyard2[87874]: ---------------------------- +[ Signature Suppress list ]+
                                    Sep 20 12:04:44 barnyard2[87874]: +[No entry in Signature Suppress List]+
                                    Sep 20 12:04:44 barnyard2[87874]: +[ Signature Suppress list ]+ ----------------------------
                                    Sep 20 12:04:44 barnyard2[87874]: Found pid path directive (/var/run)
                                    Sep 20 12:04:44 barnyard2[87874]: Parsing config file "/usr/pbi/snort-i386/etc/snort/snort_43270_rl1/barnyard2.conf"
                                    Sep 20 12:04:44 barnyard2[87874]: Initializing Output Plugins!
                                    Sep 20 12:04:44 barnyard2[87874]: Initializing Input Plugins!
                                    Sep 20 12:04:44 barnyard2[87874]: --== Initializing Barnyard2 ==--
                                    Sep 20 12:04:44 barnyard2[87874]:

                                    Quite strange!

                                      BBcan177 Moderator

                                      If you use Barnyard2, maybe disable that Feature, and then do your Upgrade to see if you can at least get it upgraded? Re-enable Barnyard after that?

                                      "Experience is something you don't get until just after you need it."

                                      Website: http://pfBlockerNG.com
                                      Twitter: @BBcan177  #pfBlockerNG
                                      Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                                        stenio

                                        @BBcan177:

                                        If you use Barnyard2, maybe disable that Feature, and then do your Upgrade to see if you can at least get it upgraded? Re-enable Barnyard after that?

                                        Tried but same result:

                                        Sep 22 10:03:03 kernel: pid 7377 (snort), uid 0: exited on signal 11
                                        Sep 22 10:03:02 SnortStartup[7290]: Snort START for Snort su LAN(23326_rl0)…
                                        Sep 22 10:03:01 kernel: pid 6966 (snort), uid 0: exited on signal 11
                                        Sep 22 10:03:00 SnortStartup[6686]: Snort START for Snort su WAN(43270_rl1)…
                                        Sep 22 09:45:54 check_reload_status: Reloading filter
                                        Sep 22 09:45:39 kernel: pid 26501 (snort), uid 0: exited on signal 11
                                        Sep 22 09:45:39 SnortStartup[26164]: Snort START for Snort su LAN(23326_rl0)…
                                        Sep 22 09:45:39 php: /pkg_mgr_install.php: [Snort] Package post-installation tasks completed…
                                        Sep 22 09:45:37 kernel: pid 24335 (snort), uid 0: exited on signal 11
                                        Sep 22 09:45:37 SnortStartup[24035]: Snort START for Snort su WAN(43270_rl1)…
                                        Sep 22 09:45:37 php: /pkg_mgr_install.php: [Snort] Starting Snort using rebuilt configuration…
                                        Sep 22 09:45:37 php: /pkg_mgr_install.php: [Snort] Finished rebuilding installation from saved settings…

                                        I think that I need to purge the configuration...  :'(

                                        Thanks,
                                        Stenio

                                          stenio

                                          @stenio:

                                          I think that I need to purge the configuration…  :'(

                                          Configuration purged and reinstalled. Now it works properly.

                                          Thanks,
                                          Stenio

                                            T5000

                                            @bmeeks:

                                            @T5000:

                                            @bmeeks:

                                            @T5000:

                                            @T5000:

                                            It happens every time now the rules get updated. After every update the unicode.map file is blank again. Found no solution so snort is nearly useless now.

                                            I did a complete reinstall of pfsense and snort. I can't even start snort the first time… all I get is the FATAL ERROR.

                                            Something seems really f***** up with Netgate APU & pfsense 2.1.5 & snort. I never had any problems before pfsense 2.1.5. Even on the older Netgate m1n1wall I had no problems for years.

                                            So if a fresh install didn't fix the issue then it's really f***** up somewhere.

                                            I will pass this along to the Netgate guys.  One time in the past there was a temporary issue similar to this.  Perhaps it has occurred again.  BTW, if you have a support contract with Netgate, you could certainly contact them about your issue.  That may be faster than my e-mail to them.

                                            Bill

                                            Yes, I have a support contract with Netgate. I thought that this is related to just a package so they can't help anyway. But it seems that only Netgate APUs are affected so I contacted the support about the issue.

                                            I will post the answer here if they are aware of it. Let me know what they told you.

                                            I passed along a link to this thread and notified them some users were having issues and what I thought the issue might be.  They acknowledged receipt and said they would look into it.  I provided them my personal contact information if something else was needed from me or if it was later determined the problem was something I might need to fix within the Snort package.

                                            Bill

                                            I finally got an answer:

                                            I see you purchased an APU with NanoBSD pfSense installed on an SD card. Snort and many other packages will not function on pfSense when installed on a SD card. A full installation of pfSense is required and to do so, pfSense must be installed on an SSD.

                                            Your options are limited. If Snort is essential, you will need an mSATA SSD drive with pfSense installed. We could sell you an mSATA drive, preloaded with pfSense 2.1.5. Otherwise, you could reset your device to factory default settings and operate without Snort.

                                            ----------------

                                            That's it. Not really helpful because it worked fine prior to pfsense 2.1.5. So I guess it can't be fixed then.

                                            -T5000
