In the Snort installation directory folder etc, modify the file snort.conf
Find the following paragraph and give the full path of unicode.map in preprocessor http_inspect
# HTTP normalization and anomaly detection. For more information, see README.http_inspect
preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
preprocessor http_inspect_server: server default \
The modification is as follows:
preprocessor http_inspect: global iis_unicode_map G:\Programs\Snort2.9.18.1\Snort\etc\unicode.map 1252 compress_depth 65535 decompress_depth 65535
Note that the path must be represented by \. If / is used, the following error will be reported:
ERROR: ../etc/snort.conf(290) => Unable to open the IIS Unicode Map file './G:/Programs/Snort2.9.18.1/Snort/etc/unicode.map'.