Snort fails to start, error must enable 'extended_response_inspection'



  • Hi all,

    Snort has been refusing to start for me today, the relevant line from the log is this:

    snort[52143]: FATAL ERROR: /usr/local/etc/snort/snort_59221_fxp0/snort.conf(171) => Enable 'extended_response_inspection' inspection before setting 'inspect_gzip'

    Here is the HTTP section from /usr/local/etc/snort/snort.conf

    HTTP normalization and anomaly detection.  For more information, see README.http_inspect

    preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
    preprocessor http_inspect_server: server default
        chunk_length 500000
        server_flow_depth 0
        client_flow_depth 0
        post_depth 65495
    oversize_dir_length 500
        max_header_length 750
        max_headers 100
        ports { 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 5250 7001 7777 7779 8000 8008 8028 8080 8088 8118 8123 8180 8181 8243 8280 8888 9090 9091 9443 9999 11371 }
        non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 }
        enable_cookie
        extended_response_inspection
        inspect_gzip
        normalize_utf
        unlimited_decompress
        apache_whitespace no
        ascii no
        bare_byte no
    directory no
    double_decode no
    iis_backslash no
    iis_delimiter no
    iis_unicode no
    multi_slash no
      utf_8 no
    u_encode yes
    webroot no

    So it appears it is listed, beyond that I don't know what to look for, I'm hoping someone can help me. Thanks in advance.

    pfSense info:

    2.0 Release AMD64
    Snort 2.9.0.5 pkg v. 2.0

    SNORT.ORG >>>  "d94dd7f6ecc5d2c4fb215ce35b717921"
    EMERGINGTHREATS.NET >>>  f05ecb736d02e8e415a2db4e93377df9
    PFSENSE.ORG >>>  "e8a95fd5f1b40e878fedeffd585134bb"



  • This issue as fixed yesterday by ermal, reinstall package.

    http://forum.pfsense.org/index.php/topic,37557.msg220087.html#msg220087



  • Thank you for that, it's working now.


Locked