Snort fatal error on start
-
Need to increase the /tmp filesystem size I think.
Changed from the default 40MB to 80MB and now it seems to work.
During the rules update the size went to 51MB!
-
Glad you found it. The rules update process downloads the rules tarball archives and then unpacks them in a directory under /tmp. Once it finishes, it deletes the folder. But if that directory fills up, then unpredictable stuff happens.
Bill
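A pre-flight check for the situation described above, as an added example that is not pfSense's or the Snort package's own code: it measures how much space the downloaded rule tarballs take when unpacked and compares that with the free space on the filesystem the update extracts into. It assumes the update unpacks under the directory you pass (e.g. /tmp) and that gzip, df and awk are available, as they are on pfSense; the tarball paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not pfSense's or the Snort package's code): check that a
# rules update would fit in a small /tmp before anything is unpacked there.

# Uncompressed size in KB (rounded up) of a gzipped tarball. Decompressing
# into a pipe measures the tar stream without writing anything to /tmp.
tarball_unpacked_kb() {
    gzip -dc "$1" | wc -c | awk '{ printf "%d\n", ($1 + 1023) / 1024 }'
}

# Free space in KB on the filesystem that holds the given directory.
free_kb() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# check_tmp_space DIR MARGIN_KB TARBALL...
# Returns 0 if every tarball could be unpacked under DIR with MARGIN_KB
# still left over, 1 otherwise. Prints the numbers so the gap is visible.
check_tmp_space() {
    dir=$1
    margin_kb=$2
    shift 2
    need=$margin_kb
    for tb in "$@"; do
        need=$(( need + $(tarball_unpacked_kb "$tb") ))
    done
    have=$(free_kb "$dir")
    echo "need ${need} KB (incl. ${margin_kb} KB margin), have ${have} KB free in ${dir}"
    [ "$have" -ge "$need" ]
}

# Usage on a pfSense box, with placeholder tarball paths and a 10 MB margin:
#   check_tmp_space /tmp 10240 /path/to/rules1.tar.gz /path/to/rules2.tar.gz \
#       || echo "grow /tmp before running the rules update"
```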
-
I found that if you disable the HTTP Inspect component, that ignores the IIS Unicode map and starts Snort without issue.
Here's how you disable it: Snort Interface -> Edit your Interface (mine is named WAN) -> Select the <wan> Preprocs tab, navigate to the HTTP Inspect section and UNCHECK it. That will allow your snort IDS to start back up without issue.
I'm running pfSense 2.1.5 with Snort 2.9.7.0 pkg v.3.2.1 on a 4GB CF Card.
Additional Troubleshooting:
I tried to just limit the webservers in the HTTP Inspect section to just inspect an Apache Web server, and ignore IIS completely. That did not work and it just failed again, so I just disabled the HTTP inspect section entirely.
Error Messages:
After enabling Snort via the WebUI, I received the following error message:

```
Dec 21 23:29:57 my.pfsensefirewall.com Dec 21 23:30:00 snort[99416]: FATAL ERROR: /usr/pbi/snort-amd64/etc/snort/snort_xxxx_em0/snort.conf(166) => Did not find specified IIS Unicode codemap in the specified IIS Unicode Map file.
```
You are going to experience more issues with disabling the HTTP_INSPECT preprocessor. Snort and Suricata are becoming too "big" to install and update reliably on Nano installs of pfSense. I strongly encourage Snort and Suricata users to stick with full installs on either conventional hard disks or SSD. Both packages need plenty of free disk space to work (and free RAM).
Bill