    Important Snort and Suricata Package Announcement -- probable bug in Legacy Blocking Module

    Category: IDS/IPS
    82 Posts, 15 Posters, 21.2k Views
      NogBadTheBad @bmeeks

      @bmeeks I wonder if this is my issue with Suricata in legacy mode dumping core.

      If I disable blocking it works fine.

      Andy

      1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

        Bob.Dig

        Suricata-only user here, so this is only Plus and not 2.7.1.RC? I see no problems on CE RC with Kill States active, after I had to reinstall Suricata though.
        I had Suricata running on the new Plus for a short time. But I changed (back) my switch to a combo 1G/10G one and with that, Suricata managed to block my local IPs (again). So it must have been working then. But with that I uninstalled Suricata (again). 😉

          bmeeks @NogBadTheBad

          @NogBadTheBad said in Important Snort and Suricata Package Announcement -- probable bug in Legacy Blocking Module:

          @bmeeks I wonder if this is my issue with Suricata in legacy mode dumping core.

          If I disable blocking it works fine.

          More specifically, what if you disable just the Kill States option under the Legacy Blocking Mode section on the INTERFACE SETTINGS tab? Enable Legacy Mode Blocking but uncheck the Kill States option. Save the change and restart Suricata.

          Do that for me as an experiment. I'm trying to isolate and/or confirm if the issue is where I suspect. It is not a condition you want to run in permanently, though, as killing any open states for an offender's IP address is desirable.

          Since I do not have a pfSense Plus test environment, I have not yet been able to reproduce these Signal 11 faults with either Suricata or Snort. I am in email communication with the Netgate kernel developer, and he is looking at the code changes he made earlier. His suspicion is, like mine, that there is a lurking issue in the new changes related to libpfctl revisions in FreeBSD itself.

            bmeeks @Bob.Dig

            @Bob-Dig said in Important Snort and Suricata Package Announcement -- probable bug in Legacy Blocking Module:

            Suricata-only-User here, so this is only Plus and not 2.7.1.RC?

            For now, I think that is correct. I have only 2.7.0 CE Release that is fully operable in my test setups, and I cannot seem to reproduce the problem there. I have not yet upgraded that environment to 2.7.1-RC.

            The vast majority (if not all) of the current reports seem to be coming from Plus users. But I'm still trying to get an accurate inventory of operating systems associated with the Signal 11 faults.

              Bob.Dig @bmeeks

              @bmeeks I will reinstall Suricata again here on plus because I ditched that switch in the meantime (again), one probe more, I will report what I find.

                bmeeks @Bob.Dig

                @Bob-Dig said in Important Snort and Suricata Package Announcement -- probable bug in Legacy Blocking Module:

                @bmeeks I will reinstall Suricata again here on plus because I ditched that switch in the meantime (again), one probe more, I will report what I find.

                Just had a Snort user report he is seeing the Signal 11 fault and core dump on 2.7.0-RELEASE, so maybe it is more widespread. All the pfSense versions now have the same flavor of the custom blocking plugin, and nearly all of the code in that plugin is identical for both Snort and Suricata.

                  fireodo @bmeeks

                  @bmeeks said in Important Snort and Suricata Package Announcement -- probable bug in Legacy Blocking Module:

                  The vast majority (if not all) of the current reports seem to be coming from Plus users. But I'm still trying to get an accurate inventory of operating systems associated with the Signal 11 faults.

                  Hi, here pfSense CE 2.7.0 Snort 4.1.6_13 exits with signal 11 (core dumped).
                  When kill states are off - no crash.

                  Kettop Mi4300YL CPU: i5-4300Y @ 1.60GHz RAM: 8GB Ethernet Ports: 4
                  SSD: SanDisk pSSD-S2 16GB (ZFS) WiFi: WLE200NX
                  pfsense 2.8.0 CE
                  Packages: Apcupsd, Cron, Iftop, Iperf, LCDproc, Nmap, pfBlockerNG, RRD_Summary, Shellcmd, Snort, Speedtest, System_Patches.

                    bmeeks @fireodo

                    @fireodo said in Important Snort and Suricata Package Announcement -- probable bug in Legacy Blocking Module:

                    Hi, here pfSense CE 2.7.0 Snort 4.1.6_13 exits with signal 11 (core dumped).
                    When kill states are off - no crash.

                    Thanks. So it is more widespread. I will feed this back to the Netgate kernel developer. We definitely found one typo in the new code, but it does not seem that it should be causing the Signal 11 fault.

                      NogBadTheBad @bmeeks

                      @bmeeks Suricata works fine with the kill states unticked.

                      Andy

                      1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                        bmeeks @NogBadTheBad

                        @NogBadTheBad said in Important Snort and Suricata Package Announcement -- probable bug in Legacy Blocking Module:

                        @bmeeks Suricata works fine with the kill states unticked.

                        Thanks for that report. It seems to further confirm the problem is solely within the new "kill states" changes. That is where we are currently focusing our efforts this morning.

                          Bob.Dig

                          I have a block here (Kill States enabled), everything seems to be good, so maybe Suricata isn't affected. I don't use any snort rules though.

                          (attached screenshot: Capture.PNG)

                            bmeeks @Bob.Dig

                            @Bob-Dig said in Important Snort and Suricata Package Announcement -- probable bug in Legacy Blocking Module:

                            I have a block here (Kill States enabled), everything seems to be good, so maybe Suricata isn't affected. I don't use any snort rules though.

                            Give it some running time. The fault is not always instantaneous for other users. Some are seeing up to 30 minutes of runtime before a fault.

                            The specific rules (Snort VRT versus Emerging Threats or others) should not play any role here. The custom blocking plugin code is generally ignorant of the rule specifics. It is just concerned with pulling out the offending IP from the data passed by the main binary and then deciding whether to block the IP or not based on any configured pass list.

                            From evidence gathered thus far, the bug appears to need multiple factors to trigger. I say this because it does not seem to be reproducible with any degree of certainty.

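As an added illustration of the block decision bmeeks describes (pull the offending IP out of the alert data, then block it unless a configured pass list covers it), here is a small IPv4 pass-list check in C. This is example code written for this thread, not the blocking plugin's own code; the function names, the "a.b.c.d/nn" pass-list format and the IPv4-only scope are assumptions.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Parse "a.b.c.d" or "a.b.c.d/nn" into a host-order address and prefix length.
 * Returns false on anything malformed so a bad entry can never match. */
static bool parse_cidr4(const char *s, uint32_t *net, int *plen)
{
    char buf[32], *slash, *end;
    struct in_addr addr;
    long v = 32;                          /* a bare address is a /32 */
    if (strlen(s) >= sizeof buf)
        return false;
    strcpy(buf, s);
    if ((slash = strchr(buf, '/')) != NULL) {
        *slash = '\0';
        v = strtol(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0' || v < 0 || v > 32)
            return false;
    }
    if (inet_pton(AF_INET, buf, &addr) != 1)
        return false;
    *net = ntohl(addr.s_addr);
    *plen = (int)v;
    return true;
}

/* Host-order netmask for a prefix length; a /0 entry must not shift by 32. */
static uint32_t mask4(int plen)
{
    return plen == 0 ? 0 : 0xFFFFFFFFu << (32 - plen);
}

/* Block decision for one offending IP taken from an alert (hypothetical API):
 * block unless the address falls inside some entry of the configured pass list. */
bool should_block(const char *offender, const char *const *passlist, size_t n)
{
    uint32_t ip, net; int plen;
    if (!parse_cidr4(offender, &ip, &plen) || plen != 32)
        return false;                     /* no usable host address: nothing to block */
    for (size_t i = 0; i < n; i++) {
        if (!parse_cidr4(passlist[i], &net, &plen))
            continue;                     /* malformed pass-list entry: ignore it */
        if ((ip & mask4(plen)) == (net & mask4(plen)))
            return false;                 /* pass-listed: never block */
    }
    return true;
}
```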
                              InstanceExtension @bmeeks

                              @bmeeks Add me to the list of 2.7.0 CE (just downgraded from Plus on Oct 31st) using Snort legacy mode and seeing core dumps. Mine all seem to occur just after a rules update when Snort is restarted. It does not occur with each rules update and restart though. It has occurred 3 times since Nov 1st.

                                Bob.Dig @bmeeks

                                @bmeeks said in Important Snort and Suricata Package Announcement -- probable bug in Legacy Blocking Module:

                                Give it some running time. The fault is not always instantaneous for other users. Some are seeing up to 30 minutes of runtime before a fault.

                                Still nothing to report here for Suricata.

                                (attached screenshot: Capture.PNG)

                                  NogBadTheBad @Bob.Dig

                                  @Bob-Dig You're running In-line mode, aren't you?

                                  Andy

                                  1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                                    Bob.Dig @NogBadTheBad

                                    @NogBadTheBad No, legacy.

                                      bmeeks

                                      Update -- I was finally able to experience the Signal 11 core dump on my CE 2.7.0-RELEASE testing machine. It took about an hour for the event to trigger. Seemed to happen when it attempted to kill open states.

                                      I am now building a debug-enabled version of Snort for further testing to see if I can trigger the fault again. Having a debug-enabled version will help track down what's happening. Since the fault happens randomly, this may take a bit to work out.

                                        Bob.Dig @bmeeks

                                        @bmeeks Just another data point regarding Suricata. I let it run over two hours on my VPS with pfSense CE RC on WAN. Hundreds of blocks, still no problem.

                                          bmeeks @Bob.Dig

                                          @Bob-Dig said in Important Snort and Suricata Package Announcement -- probable bug in Legacy Blocking Module:

                                          @bmeeks Just another data point regarding Suricata. I let it run over two hours on my VPS with pfSense CE RC on WAN. Hundreds of blocks, still no problem.

                                          Is this with Kill States checked or unchecked on the INTERFACE SETTINGS tab?

                                            Bob.Dig @bmeeks

                                            @bmeeks Checked. The only thing of note: I block only for 15 mins, so right now there are "only" 33 blocks, and no Snort rules.
                                            Suricata 7.0.2
