Important Snort and Suricata Package Announcement -- probable bug in Legacy Blocking Module
-
@bmeeks Add me to the list of 2.7.0 CE (just downgraded from Plus on Oct 31st) using Snort legacy mode and seeing core dumps. Mine all seems to occur just after a rules update when Snort is restarted, Does not occur with each rules update and restart though. Has occurred 3 times since Nov 1st.
-
@bmeeks said in Important Snort and Suricata Package Announcement -- probable bug in Legacy Blocking Module:
Give it some running time. The fault is not always instantaneous for other users. Some are seeing up to 30 minutes of runtime before a fault.
Still nothing to report here for Suricata.
-
@Bob-Dig You're running In-line mode aren't you ?
-
@NogBadTheBad No, legacy.
-
B bmeeks referenced this topic on
-
Update -- I was finally able to experience the Signal 11 core dump on my CE 2.7.0-RELEASE testing machine. It took about an hour for the event to trigger. Seemed to happen when it attempted to kill open states.
I am now building a debug-enabled version of Snort for further testing to see if I can trigger the fault again. Having a debug-enabled version will help track down what's happening. Since the fault happens randomly, this may take a bit to work out.
-
@bmeeks Just another Datapoint regarding Suricata. I let it run over two hours on my VPS with pfSense CE RC on WAN. Hundreds of blocks, still no problem.
-
@Bob-Dig said in Important Snort and Suricata Package Announcement -- probable bug in Legacy Blocking Module:
@bmeeks Just another Datapoint regarding Suricata. I let it run over two hours on my VPS with pfSense CE RC on WAN. Hundreds of blocks, still no problem.
Is this with Kill States checked or unchecked on the INTERFACE SETTINGS tab?
-
@bmeeks Checked. The only thing of note, I block only for 15 mins, so right now there are "only" 33 blocks and no snort-rules.
suricata 7.0.2 -
@Bob-Dig Run it "infinete" and you will see :)
-
@Bob-Dig said in Important Snort and Suricata Package Announcement -- probable bug in Legacy Blocking Module:
I block only for 15 mins, so right now there are "only" 33 blocks and no snort-rules.
suricata 7.0.2Run it over night, still no problem, will stop it now.
-
@Bob-Dig said in Important Snort and Suricata Package Announcement -- probable bug in Legacy Blocking Module:
Run it over night, still no problem, will stop it now.
Probably, in your case, the second condition (kill states is the main one) is not occurring (considering Bill Meeks theory) so there is no crash ...
-
@fireodo My theory is, it is a snort problem, not suricata. Let's see.
-
@Bob-Dig said in Important Snort and Suricata Package Announcement -- probable bug in Legacy Blocking Module:
@fireodo My theory is, it is a snort problem, not suricata. Let's see.
-
don't see such an issue on my two 2.7.0 CE boxes:
2.7.0 CE
Snort 4.1.6_13
Legacy Mode
Kill States enabled -
I have Suricata running in Legacy mode at two different sites, (2.7.0 and 23.09). Both with Kill States enabled and no problems whatsoever...
-
@slu Do you have actually blocks?
-
@Bob-Dig Yes I do, and I have the Remove Blocked Hosts Interval set to 1h but could change it to something higher if that would have an effect?
Up until a few days ago I have had the 23.09 site set up with Block on DROP Only NOT being checked. Meaning I had every single Alert resulting in a Block and basically having built up a Passlist that works for me. As a result I would usually see quite a long list in the Blocks tab. Most of them ET INFO actually, but still blocks.
The 2.7.0 site is also set up this way, but it's for our vacation home so not much going on there at the moment. -
@Bob-Dig
good point, no, not at the moment. -
@slu said in Important Snort and Suricata Package Announcement -- probable bug in Legacy Blocking Module:
@Bob-Dig
good point, no, not at the moment.
Ah, that was a question to you obviously... -
@Bob-Dig said in Important Snort and Suricata Package Announcement -- probable bug in Legacy Blocking Module:
@slu Do you have actually blocks?
You are right, searching in the logs and found it:
Nov 15 06:47:55 kernel pid 44159 (snort), jid 0, uid 0: exited on signal 11 (core dumped)
