SNORT: promiscuous mode disabled + promiscuous mode enabled error + exited on signal 11 (core dumped)
-
@bmeeks We are using pfSense CE 2.7.0-RELEASE.
-
@DD said in SNORT: promiscuous mode disabled + promiscuous mode enabled error + exited on signal 11 (core dumped):
@bmeeks We are using pfSense CE 2.7.0-RELEASE.
Hmm... okay. Was not expecting that because I have thus far been unable to reproduce the issue in my CE 2.7.0-RELEASE virtual machine. Obviously I need to try harder
.Thank you for the additional information.
-
@bmeeks If I enable "kill states", then Snort is working for sometime (sometime 5 minutes, sometime 2 minutes, sometime 30 minutes.....) a then it will stop. After start, it is working again for sometime. When I disabled kill states, snort is working without stoping.
-
@DD said in SNORT: promiscuous mode disabled + promiscuous mode enabled error + exited on signal 11 (core dumped):
@bmeeks If I enable "kill states", then Snort is working for sometime (sometime 5 minutes, sometime 2 minutes, sometime 30 minutes.....) a then it will stop. After start, it is working again for sometime. When I disabled kill states, snort is working without stoping.
Same here - i guess this fault is present only on very "busy" interfaces where frecvent "kill state" are necessary.
Kettop Mi4300YL CPU: i5-4300Y @ 1.60GHz RAM: 8GB Ethernet Ports: 4
SSD: SanDisk pSSD-S2 16GB (ZFS) WiFi: WLE200NX
pfsense 2.8.0 CE
Packages: Apcupsd, Cron, Iftop, Iperf, LCDproc, Nmap, pfBlockerNG, RRD_Summary, Shellcmd, Snort, Speedtest, System_Patches. -
@DD said in SNORT: promiscuous mode disabled + promiscuous mode enabled error + exited on signal 11 (core dumped):
@bmeeks If I enable "kill states", then Snort is working for sometime (sometime 5 minutes, sometime 2 minutes, sometime 30 minutes.....) a then it will stop. After start, it is working again for sometime. When I disabled kill states, snort is working without stoping.
Yes, that behavior correlates with the current theory of the bug. My suspicion is that when Snort blocks an IP and then attempts the follow-up action of clearing any open firewall states for that IP, it encounters the bug and crashes. But apparently this is not "always", because if it was "always and everytime", I could reproduce it easily and all users would be seeing the crash. So, something else is also likely at play. Still searching for the actual root cause. For example, it may be that two differnet events have to occur together to trigger the bug ???
-
@fireodo said in SNORT: promiscuous mode disabled + promiscuous mode enabled error + exited on signal 11 (core dumped):
Same here - i guess this fault is present only on very "busy" interfaces where frecvent "kill state" are necessary.
Yes, it does seem to require some extra "something" to trigger it because I have thus far not been successful. But my puny test environment with VMware Workstation virtual machines can't generate a ton of traffic.
-
@bmeeks Yes, because if I looking to alerts and blocked tab then alerts and blocked items are increasing and Snort is working ok. But after sometime snort will stop and log only one row: exited on signal 11 (core dumped).
-
Hey guys / gals / they / thems, etc...
I did the 2.7.1 update on one of the boxes I had this issue with > re-enabled kill states > haven't had a problem.
Did 2.7.1 resolve this SNORT issue is some magical way? I think SNORT is the same version but I didn't confirm this.
Many Thanks!
-
@wolfsden3 thereโs an update coming any time now, see https://forum.netgate.com/topic/184112/important-snort-and-suricata-package-announcement-probable-bug-in-legacy-blocking-module/
-
@wolfsden3 said in SNORT: promiscuous mode disabled + promiscuous mode enabled error + exited on signal 11 (core dumped):
Hey guys / gals / they / thems, etc...
I did the 2.7.1 update on one of the boxes I had this issue with > re-enabled kill states > haven't had a problem.
Did 2.7.1 resolve this SNORT issue is some magical way? I think SNORT is the same version but I didn't confirm this.
Many Thanks!
As @SteveITS mentioned in his response with this link:
There is a thread where I am posting updates. I will put them in the original post at the top of that thread.
