Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    pfSense-pkg-snort from 3.2.9.11 to 3.2.9.12. | Unable to open the IIS Unicode Map file

    IDS/IPS
    2
    6
    335
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      slu last edited by

      Snort does not start after upgrade on pfSense 2.4.5-p1:

      Jun 12 15:26:25 	snort 	34940 	FATAL ERROR: /usr/local/etc/snort/snort_45232_igb0/snort.conf(170) => Unable to open the IIS Unicode Map file '/usr/local/etc/snort/unicode.map'.

      Remove and install Snort again fix this issue.
      This is not the first time this happens during upgrade, any idea whats wrong?
      See this on two pfSense machines.

      pfSense Gold subscription

      1 Reply Last reply Reply Quote 0
      • bmeeks
        bmeeks last edited by bmeeks

        I put in a fix for that, but unfortunately it probably is not going to work for this particular upgrade because the "new" file that does not delete that unicode.map file is not present until AFTER this new Snort version is installed. There is a portion of the GUI code that "cleans up" a Snort package install when it is being removed to make sure no dangling directories and orphan files remain. That code was too aggressive during an upgrade as compared to a fresh install.

        The root issue is the pkg utility interface in pfSense that upgrades or installs packages does not tell the GUI code of the package what it is doing (upgrading an existing install or installing a brand new green-field setup), so the GUI code was making some incorrect assumptions when a user "upgrades" a package as opposed to deleting it and just installing again. The former was where the GUI code was being too agressive in cleaning up files. I changed that behavior, but as I said that new less aggressive file wasn't on your box until AFTER you updated.

        Removing Snort and installing it again has always worked as the file that is getting deleted (that unicode.map file) is put back during the installation of the binary.

        This bug also generally only bites folks who DO NOT run the Snort Subscriber Rules. If I am recalling correctly, that rules archive contains a copy of unicode.map that gets copied over during the rules download/update step.

        1 Reply Last reply Reply Quote 1
        • S
          slu last edited by

          Thanks for explain this issue.

          pfSense Gold subscription

          bmeeks 1 Reply Last reply Reply Quote 0
          • bmeeks
            bmeeks @slu last edited by

            @slu said in pfSense-pkg-snort from 3.2.9.11 to 3.2.9.12. | Unable to open the IIS Unicode Map file:

            Thanks for explain this issue.

            On your next package upgrade, this should not happen again. If it does, be sure to post and let me know.

            1 Reply Last reply Reply Quote 1
            • S
              slu last edited by

              Last update (pfSense-pkg-snort from 3.2.9.12 to 3.2.9.13.) was with no issue, thank you very much.

              pfSense Gold subscription

              bmeeks 1 Reply Last reply Reply Quote 0
              • bmeeks
                bmeeks @slu last edited by

                @slu said in pfSense-pkg-snort from 3.2.9.11 to 3.2.9.12. | Unable to open the IIS Unicode Map file:

                Last update (pfSense-pkg-snort from 3.2.9.12 to 3.2.9.13.) was with no issue, thank you very much.

                Good news! Thank you for the feedback.

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post