Netgate Discussion Forum

    Important Snort and Suricata Package Announcement -- probable bug in Legacy Blocking Module

    IDS/IPS

      JonathanLee

      I have 23.05.01 and with the old version of snort it works fine. When I stay at 23.05.01 and update snort the core dump bug starts.
      I run a sg-2100max. I'm sure you already have that info. I just didn't know if anyone has used it on 23.05.01 yet

      Make sure to upvote

        Gerard64 @bmeeks

        @bmeeks

        I upgraded to 2.7.1 this morning and Snort didn't stop anymore, not once.
        So it seems all is good again.

        Thank you man you are the best 👍

          bmeeks @JonathanLee

          @JonathanLee said in Important Snort and Suricata Package Announcement -- probable bug in Legacy Blocking Module:

          I have 23.05.01 and with the old version of snort it works fine. When I stay at 23.05.01 and update snort the core dump bug starts.
          I run a sg-2100max. I'm sure you already have that info. I just didn't know if anyone has used it on 23.05.01 yet

          Anything earlier than 23.09 will have the defective libpfctl library version on it. If you update to a Snort package version after 4.1.6_9 you will hit the bug, because beginning with 4.1.6_11 the updated custom blocking module code that calls functions in the defective libpfctl library was included. Same thing applies to pfSense CE.

            JonathanLee @bmeeks

            @bmeeks thanks for the reply. I can assure you I still see it, however much less than the new version of Snort. I am running the .11 and it does seem very stable without the core crashes. As soon as I update the snort package it crashes every couple mins when adjusting suppress lists. After I downgraded I have no more logs for core dumps. I am stable with the version before it.

            I went back to the old version.
            Screenshot_20231118-194032.png

            The errors in logs are from when I had the updated snort.

            Screenshot_20231118-193018.png

            Make sure to upvote

              JonathanLee

              Will the update work on 23.05.01??

              Make sure to upvote

                bmeeks @JonathanLee

                @JonathanLee said in Important Snort and Suricata Package Announcement -- probable bug in Legacy Blocking Module:

                Will the update work on 23.05.01??

                No. The kernel there does not contain some of the necessary functions. But there should not be a problem with the Snort version in 23.05.1. Everything there on the binary side is using the old code.

                The problem surfaced when Snort was updated to cope with changes that appeared in 23.09 Plus and 2.7.1 CE.

                  SteveITS Galactic Empire @JonathanLee

                  @JonathanLee said in Important Snort and Suricata Package Announcement -- probable bug in Legacy Blocking Module:

                  Will the update work on 23.05.01??

                  If you're on 23.05 don't install a package from 23.09...change your update branch to Previous Stable per my sig.

                  Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                  When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                  Upvote 👍 helpful posts!

                    slu @SteveITS

                    @bmeeks

                    I installed today 4.1.6_14 and there was also a libpfctl upgrade, does this version fix the issue?

                    [1/3] Fetching snort-2.9.20_7.pkg: .......... done
                    [2/3] Fetching pfSense-pkg-snort-4.1.6_14.pkg: .......... done
                    [3/3] Fetching libpfctl-0.8.pkg: . done
                    Checking integrity... done (0 conflicting)
                    [1/3] Installing libpfctl-0.8...
                    [1/3] Extracting libpfctl-0.8: ...... done
                    [2/3] Upgrading snort from 2.9.20_5 to 2.9.20_7...
                    [2/3] Extracting snort-2.9.20_7: .......... done
                    [3/3] Upgrading pfSense-pkg-snort from 4.1.6_13 to 4.1.6_14...
                    

                    pfSense Gold subscription

                      fireodo @slu

                      @slu said in Important Snort and Suricata Package Announcement -- probable bug in Legacy Blocking Module:
                      @bmeeks

                      I installed today 4.1.6_14 and there was also a libpfctl upgrade

                      Here too 4.1.6_14 (under pfsense 2.7.1) - no issues so far ... keep observing.

                      Kettop Mi4300YL CPU: i5-4300Y @ 1.60GHz RAM: 8GB Ethernet Ports: 4
                      SSD: SanDisk pSSD-S2 16GB (ZFS) WiFi: WLE200NX
                      pfsense 2.8.0 CE
                      Packages: Apcupsd, Cron, Iftop, Iperf, LCDproc, Nmap, pfBlockerNG, RRD_Summary, Shellcmd, Snort, Speedtest, System_Patches.

                        bmeeks

                        Yes, the 4.1.6_14 version of the Snort package should correct the Signal 11 crashing issue when Kill States is enabled with Legacy Mode Blocking. There is also an update for Suricata to 7.0.2_1 that fixes the same problem in Suricata's Legacy Blocking Mode.

                        The developer working with me on this fix resides in Europe, and he merged the fixes during his working hours- some of which are still during my bedtime 🙂 here in the Eastern US. So, just now seeing the news.

                          slu @bmeeks

                          @bmeeks
                          so cool, thank you @bmeeks and Netgate.

                          Like the way to communicate here directly and open.

                          pfSense Gold subscription

                            bmeeks

                            The 2.7.1 CE updates are in place and available to users. There is a problem with package builds in the 23.09 branch that is unrelated to the Snort and Suricata fixes. So, the updated packages are not yet showing up for Plus 23.09 users. The changes are in place in that repo, but for unrelated reasons package building is failing there. The Netgate guys are working on it.

                              bmeeks @slu

                              @slu said in Important Snort and Suricata Package Announcement -- probable bug in Legacy Blocking Module:

                              [1/3] Installing libpfctl-0.8...
                              [1/3] Extracting libpfctl-0.8: ...... done

                              These two lines are the actual fix for the problem. The libpfctl library that comes bundled with pfSense natively is version 0.4 and it has the bug. That buggy library is still there for now, but packages that need to do libpfctl things have been recompiled and instructed to use the package version of that library now stored in /usr/local/lib/ instead of the system-bundled version in /usr/lib/.

                              In the next release of pfSense (whenever that happens), the bundled library will be removed and ports recompiled to use only the package version of libpfctl. This will make any future updates to the library easier. Packages that need libpfctl functionality will automatically install that library package if it is not already present, or update the installed version if necessary.

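One way to check the point made in the post above, which copy of libpfctl a binary actually loads, as an added example that is not part of the thread or of pfSense itself. The binary path `/usr/local/bin/snort`, the soname `libpfctl.so.0` and the sample `ldd` lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify where a binary's libpfctl
# dependency resolves, from `ldd` output read on stdin.

# Constructed sample ldd output; soname and load addresses are illustrative.
SAMPLE_FIXED='    libpfctl.so.0 => /usr/local/lib/libpfctl.so.0 (0x800a00000)
    libc.so.7 => /lib/libc.so.7 (0x800c00000)'
SAMPLE_BUNDLED='    libpfctl.so.0 => /usr/lib/libpfctl.so.0 (0x800a00000)
    libc.so.7 => /lib/libc.so.7 (0x800c00000)'

# classify_libpfctl prints exactly one word:
#   package - resolves under /usr/local/lib/ (the libpfctl package)
#   bundled - resolves under /usr/lib/ (the system-bundled copy)
#   missing - referenced but not found by the runtime linker
#   other   - resolves somewhere unexpected
#   none    - the binary does not link libpfctl at all
classify_libpfctl() {
    awk '
        /libpfctl\.so/ {
            seen = 1
            if ($0 ~ /not found/)                   r = "missing"
            else if ($0 ~ /=> \/usr\/local\/lib\//) r = "package"
            else if ($0 ~ /=> \/usr\/lib\//)        r = "bundled"
            else                                    r = "other"
        }
        END { print (seen ? r : "none") }
    '
}

# libpfctl_ok: exit status 0 only when the package copy is the one loaded.
libpfctl_ok() {
    [ "$(classify_libpfctl)" = "package" ]
}

# Assumed binary path; pass another path as the first argument.
BIN="${1:-/usr/local/bin/snort}"
if command -v ldd >/dev/null 2>&1 && [ -x "$BIN" ]; then
    echo "$BIN: $(ldd "$BIN" | classify_libpfctl)"
else
    # No such binary here: fall back to the constructed samples.
    echo "fixed sample:   $(printf '%s\n' "$SAMPLE_FIXED" | classify_libpfctl)"
    echo "bundled sample: $(printf '%s\n' "$SAMPLE_BUNDLED" | classify_libpfctl)"
fi
```

A result of `bundled` means the binary is still resolving the system copy in /usr/lib/ that the post describes as the buggy one.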
                                JonathanLee @bmeeks

                                @bmeeks when will 23.09 plus users get the update? Anytime soon or should users go back to their old boot environments?

                                Make sure to upvote

                                  bmeeks @JonathanLee

                                  @JonathanLee said in Important Snort and Suricata Package Announcement -- probable bug in Legacy Blocking Module:

                                  @bmeeks when will 23.09 plus users get the update? Anytime soon or should users go back to their old boot environments?

                                  Whenever the 23.09 package builder server successfully builds all of the packages and copies them over to the 23.09 repo web server. I have no inside information on what's wrong. All I was told is that no packages are successfully building on that infrastructure right now.

                                  The 2.7.1 CE builders are working fine, so the Snort and Suricata updates are available there.

                                  In today's world, with all the encrypted traffic on networks, I would not consider the IDS/IPS important enough to warrant rolling back to 23.05.1. I would simply disable the IDS/IPS until the package update becomes available for 23.09.

                                    JonathanLee @bmeeks

                                    @bmeeks thanks for the info. I personally see this package as a reason to roll back as it is a work horse for me. I'll have to roll back again.

                                    Make sure to upvote

                                      computerhousecalls

                                      bmeeks Thank you so much for all of your hard work. I am able to finally provide an update to signal 11 snort issue. pfSense 2.7.1 with snort 4.1.6_14 appears to now be working correctly. I have pushed all updates and package updates and so far for over 40 mins the service has been running. Thanks again, I hope you have a happy Thanksgiving too.

                                        JonathanLee

                                        🦃🦃🦃🦃🦃

                                        Make sure to upvote

                                          bmeeks

                                          It's 7:06 PM US Eastern Time, and I just checked with my SG-5100 running Plus 23.09 and the updated Snort and Suricata packages are still not available. I had an earlier email communication from Netgate advising they were continuing work to resolve the 23.09 package builder problems. Their hope was to get things resolved today. Apparently that did not happen (unless the packages build overnight).

                                          Due to the long Thanksgiving Holiday weekend here in the US, work on the problem will likely not resume until Monday, November 27th. pfSense Plus 23.09 users will have to be patient a little longer.

                                          Update: the new packages were built overnight. Updates are available now on pfSense 23.09 for both Snort and Suricata. This update should correct the Signal 11 crash when using Legacy Mode Blocking with Kill States enabled.

                                          It will NOT make any difference in Suricata if you are experiencing the HyperScan "Fatal: hyperscan returned error -1" problem.

                                            ronv42

                                            I just checked this morning from my homelab's self-built protectli running 23.09 and there is an update. Happy Thanksgiving for those in the USA.

                                            5d312630-d584-497f-8b6d-4ad8f14f9a96-image.png

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.