Snort fatal error on start
-
That's a REALLY weird answer since it worked on 2.1.4…
Yes, it worked very well for months.
One thing that has slowly been changing is the growth in the number of rules as different exploits are handled by rules updates. The amount of free space required to unpack and install everything incrementally increases. Same goes for the binary parts of some packages (the PBI files). These must be downloaded, unzipped, and then installed. That takes additional disk space. Compared to a full SSD or HD install, there is not much space on CF (NanoBSD) installs due to the default partition layouts. What is happening, I think, is the package installer is running out of space and silently failing in a number of different ways depending on exactly where in the install process it runs out of disk space.
Bill
-
Today I found snort not running. If I start it I see:
Sep 29 15:50:28 php: /snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 39369 -D -q -l /var/log/snort/snort_rl139369 --pid-path /var/run --nolock-pidfile -G 39369 -c /usr/pbi/snort-i386/etc/snort/snort_39369_rl1/snort.conf -i rl1' returned exit code '1', the output was ''
Sep 29 15:50:28 snort[13094]: FATAL ERROR: /usr/pbi/snort-i386/etc/snort/snort_39369_rl1/snort.conf(169) => Did not find specified IIS Unicode codemap in the specified IIS Unicode Map file.
Sep 29 15:50:27 php: /snort/snort_interfaces.php: [Snort] Snort START for WAN(rl1)…
It worked for a few days after a complete reinstall. I'm using nanobsd but I have 1.4 GB of free space:
$ df -h
Filesystem Size Used Avail Capacity Mounted on
/dev/ufs/pfsense0 1.8G 271M 1.4G 16% /
devfs 1.0k 1.0k 0B 100% /dev
/dev/ufs/cf 49M 5.2M 40M 11% /cf
/dev/md0 38M 2.2M 33M 6% /tmp
/dev/md1 57M 23M 30M 44% /var
devfs 1.0k 1.0k 0B 100% /var/dhcpd/dev
What can I do?
Thanks,
Stenio
-
Well, while I'm sure it's not what you want to hear, I would ditch Nano and go the full-install route on a hard disk (either SSD or conventional). I suspect that will end your problems. There are lots of users here running Snort on conventional full installs with no issues.
If you want to stay with Nano, then I suggest ditching the Snort package (and Suricata as well). I think you are going to face continual problems otherwise. What probably happened to you is an updated Snort VRT rules package downloaded, and due to the issues with Nano, did not unzip and install itself correctly. The unicode.map file is probably corrupted again.
Bill
-
OUCH!!! :'(
-
Sorry… :'(.
However, I am willing to try some experimentation if you are game. Maybe we can make this work better. Send me a PM if you are willing to help test a little bit.
Bill
-
I think I got it:
Oct 1 00:03:39 php: snort_check_for_rule_updates.php: [Snort] Updating rules configuration for: WAN …
Oct 1 00:03:31 kernel: pid 81598 (bsdtar), uid 0 inumber 1362 on /tmp: filesystem full
Oct 1 00:03:28 kernel: pid 9265 (php), uid 0 inumber 1361 on /tmp: filesystem full
Oct 1 00:03:28 kernel: pid 80954 (bsdtar), uid 0 inumber 1355 on /tmp: filesystem full
Oct 1 00:03:14 kernel: pid 80259 (bsdtar), uid 0 inumber 1380 on /tmp: filesystem full
Oct 1 00:02:59 kernel: pid 58582 (bsdtar), uid 0 inumber 1365 on /tmp: filesystem full
Oct 1 00:02:55 kernel: pid 58582 (bsdtar), uid 0 inumber 1365 on /tmp: filesystem full
Oct 1 00:02:55 kernel: pid 58582 (bsdtar), uid 0 inumber 1364 on /tmp: filesystem full
Oct 1 00:02:54 php: snort_check_for_rule_updates.php: [Snort] Emerging Threats Open rules file update downloaded successfully
Oct 1 00:02:46 php: snort_check_for_rule_updates.php: [Snort] There is a new set of Emerging Threats Open rules posted. Downloading emerging.rules.tar.gz…
Need to increase the /tmp filesystem size I think.
-
Changed from the default 40MB to 80MB and now it seems to work.
During the rules update the size went to 51MB!
-
Glad you found it. The rules update process downloads the rules tarball archives and then unpacks them in a directory under /tmp. Once it finishes, it deletes the folder. But if that directory fills up, then unpredictable stuff happens.
Bill
-
I found that if you disable the HTTP Inspect component, that ignores the IIS Unicode map and starts Snort without issue.
Here's how you disable it: Snort Interface -> Edit your Interface (mine is named WAN) -> Select the Preprocs tab, navigate to the HTTP Inspect section and UNCHECK it. That will allow your snort IDS to start back up without issue.
I'm running pfSense 2.1.5 with Snort 2.9.7.0 pkg v.3.2.1 on a 4GB CF Card.
Additional Troubleshooting:
I tried to just limit the webservers in the HTTP Inspect section to just inspect an Apache Web server, and ignore IIS completely. That did not work and it just failed again, so I just disabled the HTTP inspect section entirely.
Error Messages:
After enabling Snort via the WebUI, I received the following error message:
Dec 21 23:29:57 my.pfsensefirewall.com Dec 21 23:30:00 snort[99416]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_xxxx_em0/snort.conf(166) => Did not find specified IIS Unicode codemap in the specified IIS Unicode Map file.
-
You are going to experience more issues with disabling the HTTP_INSPECT preprocessor. Snort and Suricata are becoming too "big" to install and update reliably on Nano installs of pfSense. I strongly encourage Snort and Suricata users to stick with full installs on either conventional hard disks or SSD. Both packages need plenty of free disk space to work (and free RAM).
Bill
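Added example, not code from the pfSense Snort package or from anyone in this thread: the failure mode Bill describes (the rules tarball unpacked under /tmp, bsdtar hitting "filesystem full", and a truncated unicode.map left behind that later makes Snort abort with the "Did not find specified IIS Unicode codemap" error) can be caught before the update rather than after. The POSIX shell script below does the pre-flight checks an update routine on a space-constrained install should do: estimate the space the archive needs, compare it with the free space on the target filesystem, extract into a fresh directory, verify every archive member really landed on disk, and check that the map file is non-empty and carries the configured codepage. Everything in it is constructed: the tiny rules archive is built on the fly, the "twice the decompressed size" rule of thumb is an assumption, and the map-file format (a line beginning "<codepage>:") is a placeholder, not verified against Snort's real unicode.map.

```shell
#!/bin/sh
# Added example, not pfSense/Snort package code. Pre-flight checks for a
# rules-tarball update on an install with little free space.
#
# Assumptions (labelled): the archive is a gzip-compressed tar; space needed
# under the work directory is taken as twice the decompressed size (unpacked
# tree plus headroom); the IIS Unicode map file is assumed to list each
# codepage on a line starting "<codepage>:" (placeholder format).

# Decompressed size of the tar stream in KiB, rounded up. Uses gzip rather
# than "tar -tv", whose column layout differs between GNU tar and bsdtar.
tar_unpacked_kib() {
    gzip -dc "$1" | wc -c | awk '{ printf "%d\n", ($1 + 1023) / 1024 }'
}

# Free space in KiB on the filesystem that holds directory $1 (POSIX df -P).
avail_kib() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# Return 0 when the filesystem under $2 has room to unpack archive $1.
has_room() {
    need=$(( $(tar_unpacked_kib "$1") * 2 ))
    avail=$(avail_kib "$2")
    [ "$avail" -ge "$need" ]
}

# Unpack archive $1 into a fresh directory under $2 and verify that every
# member the archive lists exists afterwards. A tar that died on a full
# filesystem exits non-zero, but the member check also catches a tree that
# was only partly written. On failure the directory is removed so no
# half-unpacked rules set can be installed. Prints the extraction directory.
safe_extract() {
    archive=$1; work=$2
    has_room "$archive" "$work" || { echo "not enough space under $work" >&2; return 1; }
    dest=$(mktemp -d "$work/rules.XXXXXX") || return 1
    if ! tar -xzf "$archive" -C "$dest"; then
        rm -rf "$dest"; echo "extraction failed, removed $dest" >&2; return 1
    fi
    for member in $(tar -tzf "$archive"); do
        [ -e "$dest/$member" ] || { rm -rf "$dest"; echo "missing $member" >&2; return 1; }
    done
    echo "$dest"
}

# Return 0 when map file $1 is non-empty and carries codepage $2. An empty or
# truncated map is what the thread's FATAL ERROR at Snort start points to.
has_codepage() {
    [ -s "$1" ] && grep -q "^$2:" "$1"
}

# --- constructed demo input: a tiny "rules" tarball built on the fly --------
DEMO=$(mktemp -d) || exit 1
mkdir -p "$DEMO/src/rules" "$DEMO/src/etc" "$DEMO/work"
printf 'alert tcp any any -> any 80 (msg:"demo"; sid:1000001;)\n' > "$DEMO/src/rules/demo.rules"
printf '1252: 0041 0041\n' > "$DEMO/src/etc/unicode.map"   # constructed map line
: > "$DEMO/src/etc/truncated.map"                            # empty, as after a failed unpack
DEMO_ARCHIVE=$DEMO/emerging.rules.tar.gz
tar -czf "$DEMO_ARCHIVE" -C "$DEMO/src" rules etc

# The demo directory is left in place so the unpacked tree can be inspected.
if DEMO_OUT=$(safe_extract "$DEMO_ARCHIVE" "$DEMO/work"); then
    echo "unpacked to $DEMO_OUT"
    has_codepage "$DEMO_OUT/etc/unicode.map" 1252 && echo "unicode.map carries codepage 1252"
    has_codepage "$DEMO_OUT/etc/truncated.map" 1252 || echo "truncated.map would stop Snort from starting"
fi
```

On a NanoBSD box the work directory would be the one the package uses under /tmp, and the interesting part is that has_room fails loudly before any file is touched, instead of bsdtar failing partway through and leaving a rules set that looks installed but is missing pieces.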