Important Snort and Suricata Package Announcement -- probable bug in Legacy Blocking Module

Bob.Dig · Nov 15, 2023, 3:37 PM

bmeeks · Nov 15, 2023, 4:53 PM

Update -- I was finally able to experience the Signal 11 core dump on my CE 2.7.0-RELEASE testing machine. It took about an hour for the event to trigger. Seemed to happen when it attempted to kill open states.

I am now building a debug-enabled version of Snort for further testing to see if I can trigger the fault again. Having a debug-enabled version will help track down what's happening. Since the fault happens randomly, this may take a bit to work out.

Bob.Dig · Nov 15, 2023, 8:22 PM

@bmeeks Just another Datapoint regarding Suricata. I let it run over two hours on my VPS with pfSense CE RC on WAN. Hundreds of blocks, still no problem.

bmeeks · Nov 15, 2023, 8:23 PM

@Bob-Dig said in Important Snort and Suricata Package Announcement -- probable bug in Legacy Blocking Module:

@bmeeks Just another Datapoint regarding Suricata. I let it run over two hours on my VPS with pfSense CE RC on WAN. Hundreds of blocks, still no problem.

Is this with Kill States checked or unchecked on the INTERFACE SETTINGS tab?

Bob.Dig · Nov 15, 2023, 8:38 PM

@bmeeks Checked. The only thing of note, I block only for 15 mins, so right now there are "only" 33 blocks and no snort-rules.
suricata 7.0.2

Cool_Corona · Nov 15, 2023, 10:17 PM

@Bob-Dig Run it "infinete" and you will see :)

Bob.Dig · Nov 16, 2023, 8:39 AM

@Bob-Dig said in Important Snort and Suricata Package Announcement -- probable bug in Legacy Blocking Module:

I block only for 15 mins, so right now there are "only" 33 blocks and no snort-rules.
suricata 7.0.2

Run it over night, still no problem, will stop it now.

fireodo · Nov 16, 2023, 9:31 AM

@Bob-Dig said in Important Snort and Suricata Package Announcement -- probable bug in Legacy Blocking Module:

Run it over night, still no problem, will stop it now.

Probably, in your case, the second condition (kill states is the main one) is not occurring (considering Bill Meeks theory) so there is no crash ...

Bob.Dig · Nov 16, 2023, 9:33 AM

@fireodo My theory is, it is a snort problem, not suricata. Let's see.

fireodo · Nov 16, 2023, 9:38 AM

@Bob-Dig said in Important Snort and Suricata Package Announcement -- probable bug in Legacy Blocking Module:

@fireodo My theory is, it is a snort problem, not suricata. Let's see.

slu · Nov 16, 2023, 9:43 AM

@bmeeks

don't see such an issue on my two 2.7.0 CE boxes:
2.7.0 CE
Snort 4.1.6_13
Legacy Mode
Kill States enabled

Gblenn · Nov 16, 2023, 10:29 AM

I have Suricata running in Legacy mode at two different sites, (2.7.0 and 23.09). Both with Kill States enabled and no problems whatsoever...

Bob.Dig · Nov 16, 2023, 10:36 AM

@slu Do you have actually blocks?

Gblenn · Nov 16, 2023, 10:44 AM

@Bob-Dig Yes I do, and I have the Remove Blocked Hosts Interval set to 1h but could change it to something higher if that would have an effect?
Up until a few days ago I have had the 23.09 site set up with Block on DROP Only NOT being checked. Meaning I had every single Alert resulting in a Block and basically having built up a Passlist that works for me. As a result I would usually see quite a long list in the Blocks tab. Most of them ET INFO actually, but still blocks.
The 2.7.0 site is also set up this way, but it's for our vacation home so not much going on there at the moment.

slu · Nov 16, 2023, 10:58 AM

@Bob-Dig
good point, no, not at the moment.

Gblenn · Nov 16, 2023, 11:00 AM

@slu said in Important Snort and Suricata Package Announcement -- probable bug in Legacy Blocking Module:

@Bob-Dig
good point, no, not at the moment.

Ah, that was a question to you obviously...

slu · Nov 16, 2023, 11:03 AM

@Bob-Dig said in Important Snort and Suricata Package Announcement -- probable bug in Legacy Blocking Module:

@slu Do you have actually blocks?

You are right, searching in the logs and found it:

Nov 15 06:47:55 	kernel 		pid 44159 (snort), jid 0, uid 0: exited on signal 11 (core dumped)

Bob.Dig · Nov 16, 2023, 11:10 AM

@slu said in Important Snort and Suricata Package Announcement -- probable bug in Legacy Blocking Module:

You are right, searching in the logs and found it:

I didn't searched in the logs. I think, it will disable IPS on that interface and is easy to spot in the GUI? At least I hope.

johnpitton · Nov 16, 2023, 5:31 PM

I have a few Netgate 7100 units all running 23.09 with Snort VRT rules in legacy Blocking mode and Kill State enabled with 7 days blocking set.
They've been at this 23.09 ver for almost a week now and stable.
All of them have active blocks listed.
I checked and verified SNORT rulesets have been updating successfully.
I don't see in any of the logs any signal 11 core dumps logged.

bmeeks · Nov 16, 2023, 5:37 PM

@johnpitton said in Important Snort and Suricata Package Announcement -- probable bug in Legacy Blocking Module:

I have a few Netgate 7100 units all running 23.09 with Snort VRT rules in legacy Blocking mode and Kill State enabled with 7 days blocking set.
They've been at this 23.09 ver for almost a week now and stable.
All of them have active blocks listed.
I checked and verified SNORT rulesets have been updating successfully.
I don't see in any of the logs any signal 11 core dumps logged.

What version of the Snort package is installed on your box? Look under SYSTEM > PACKAGE MANAGER and post back the version shown there. There has been an issue with the package builder for 23.09, so my understanding is that some of the most recent package updates have not been deployed in that branch.