Snort + SG-3100 = exited on signal 10
-
Hi,
I'm new here and new to PFSense. I've also recently purchased the SG-3100 which is running nicely other than having this same Snort issue. My box is on 2.4.1 and the Snort package installed using the package manager is 3.2.9.5_3. I've only registered for the free rules.
Snort stops running almost immediately, logs show snort exited on signal 10, then promiscuous mode disabled.
-
Hi,
I'm new here and new to PFSense. I've also recently purchased the SG-3100 which is running nicely other than having this same Snort issue. My box is on 2.4.1 and the Snort package installed using the package manager is 3.2.9.5_3. I've only registered for the free rules.
Snort stops running almost immediately, logs show snort exited on signal 10, then promiscuous mode disabled.
After some Google research, I'm coming to believe Snort and the ARM architecture are currently incompatible. Snort rule sets contain a set of pre-compiled rules called the dynamic shared-object rules. Those are compiled for Intel CPU platforms currently and not ARM. When Snort tries to load and run those shared-object rules, it is generating the Signal 10 error. That error can mean a memory bus problem, but it also is related to code attempting to execute an illegal instruction. In the case of the SO rules, that would be the pre-compiled rule code attempting to execute an Intel CPU instruction on an ARM CPU. That's not going to come out well… ;).
Try running with the Shared Object rules disabled. You do this by making sure none of their categories are checked on the CATEGORIES tab. The Shared Object Rules have their own sub-section on that tab. Make sure none of those categories are checked, click the Save button and then attempt to start Snort on the interface.
Bill
-
Thanks for your help Bill. That news is a little disappointing if that's the case. Perhaps things may change in the future.
I am a newbie so I want to discount the possibility I may be doing something wrong in the setup. I cannot find a separate SO tab, however under the section 'Select the rulesets (Categories) Snort will load at startup', there is a middle column labelled 'Ruleset: Snort SO Rules', with nothing shown below - I assume that means there are no SO rules enabled (problem however still persists).
Thanks again.
-
Thanks for your help Bill. That news is a little disappointing if that's the case. Perhaps things may change in the future.
I am a newbie so I want to discount the possibility I may be doing something wrong in the setup. I cannot find a separate SO tab, however under the section 'Select the rulesets (Categories) Snort will load at startup', there is a middle column labelled 'Ruleset: Snort SO Rules', with nothing shown below - I assume that means there are no SO rules enabled.
Thanks again.
On the GLOBAL SETTINGS page, what rules do you have enabled for download? Do you have a Snort Oinkcode, or are you just using the Emerging Threats or GPLv2 Community Rules? If you don't have an Oinkcode for the Snort VRT rules, then you don't have shared-object rules as they only exist in the Snort VRT package (which you must register for at snort.org and get an Oinkcode for access).
The shared-object rules are definitely one place where ARM architecture can be incompatible with the Snort package, but it's not the only place. There may be some structure/byte alignment issues as well.
Bill
-
Hmm, I'm seeing that with only the GPL rules loaded. It does seem to stay up longer without any emerging rules loaded but still crashes out eventually.
Steve
-
Hmm, I'm seeing that with only the GPL rules loaded. It does seem to stay up longer without any emerging rules loaded but still crashes out eventually.
Steve
Thanks for the feedback. I still think there are some compiler optimizations that may be needed for packages created for the ARM-based systems. While the precompiled shared-object rules can certainly be a problem, I'm betting they are not the only issue here.
I've done some limited Google research on Snort and ARM architecture, but so far have not found a lot of useful information.
Bill
-
On the GLOBAL SETTINGS page, what rules do you have enabled for download? Do you have a Snort Oinkcode, or are you just using the Emerging Threats or GPLv2 Community Rules? If you don't have an Oinkcode for the Snort VRT rules, then you don't have shared-object rules as they only exist in the Snort VRT package (which you must register for at snort.org and get an Oinkcode for access).
The shared-object rules are definitely one place where ARM architecture can be incompatible with the Snort package, but it's not the only place. There may be some structure/byte alignment issues as well.
Bill
Yes I have an Oinkcode and enabled the VRT rules. I've also tried unchecking the VRT rules and selected only the GPLv2 community rules, and then only the emerging threats open rules. In all 3 cases I get the same result, the service stops immediately (one ruleset does not appear to keep the service running any longer than the other).
Jim
-
Question for you guys with SG-3100 systems: have you tried running Snort in pure IDS mode with blocking disabled? That would potentially help narrow down the problem.
I don't have an ARM system to test with, so troubleshooting/fixing this is going to be difficult for me.
Bill
-
Question for you guys with SG-3100 systems: have you tried running Snort in pure IDS mode with blocking disabled? That would potentially help narrow down the problem.
I don't have an ARM system to test with, so troubleshooting/fixing this is going to be difficult for me.
Bill
Good suggestion, I tried unchecking the 'block offenders' option under Settings>Alert Settings, I assume that puts it into IDS mode.
Same result however, service stops :(
-
Same here. I was running in non-blocking mode anyway.
My test box for this sees virtually no traffic to speak of unless I initiate it. Snort definitely remains running for far longer with only the GPL rules loaded.
Steve
-
My suspicion is the differences between ARM CPU architecture and Intel/AMD CPU architecture and instruction sets are the root cause here, and some sequence of steps during parsing of rules triggers the Signal 10. If you are familiar with C programming and have access to the Snort binary source code, you will see lots of #ifdef types of statements in the code to detect various environments and adjust for their peculiarities. These are mostly all related to compilation for different operating systems. Some detective work would be required to figure out what is needed to compile code reliably for an ARM system and add the appropriate #ifdef statements to bound the changes. A key step in doing that is having an ARM platform to test with. I don't have one, and to my knowledge I can't emulate one reliably in a VMware virtual machine either.
Bill
-
UPDATE
An SG-3100 box is graciously being loaned to me for testing, so I will see if I can fix up the Snort package so that it runs reliably on ARM hardware. Give me a little time to get my environment set up and then do some investigation and testing.
Bill
-
UPDATE
An SG-3100 box is graciously being loaned to me for testing, so I will see if I can fix up the Snort package so that it runs reliably on ARM hardware. Give me a little time to get my environment set up and then do some investigation and testing.
Bill
Hi Bill,
Thanks, any progress on this ?. I dug up an old HP N40L Microserver, installed a NC360T dual NIC card and installed PFsense to compare to the Netgate. So far I have got good results with OpenVPN working nicely and Snort service running reliably with the same oinkcode and ruleset selected.
The N40L has an AMD Turion processor which seems compatible. Not sure which device has more grunt but so far its working ok for me. I do however want to retire this box and stick to the SG-3100 to save on power.
-
UPDATE
An SG-3100 box is graciously being loaned to me for testing, so I will see if I can fix up the Snort package so that it runs reliably on ARM hardware. Give me a little time to get my environment set up and then do some investigation and testing.
Bill
Hi Bill,
Thanks, any progress on this ?
Haven't found the offending code yet, but I do have the test/debugging environment set up. It's weird. When I run the standard Snort binary I get the crash pretty much immediately upon startup. However, when I run a Snort binary compiled with debugging symbols it runs just fine and does not crash! Scratching my head over this one … ???.
Bill
-
Ouch! I hate that. Measuring a thing changes it's behaviour. Clearly some sort of quantum behaviour. ;)
Steve
-
Ouch! I hate that. Measuring a thing changes it's behaviour. Clearly some sort of quantum behaviour. ;)
Steve
Yep. Turning on debugging symbols turns off all optimizations done by the compiler. So at least there is a hint there that maybe something in the compiler optimizations are the cause. In some subsequent runs I was able to produce a Signal 10 crash using the Snort binary with debug symbols … but only once so far. The non-debugging version crashes every single time.
Bill
-
Hi, any luck on this matter?
I
ve also bought the VRT ruleset, and my sg-3100 is still being being delivered, once it reaches me, Ill try to help too.I read that the sg-3100 was tested by all means by Netgate before release, so I believe that they have tested snort.
The question is, which ruleset they have tested? Was VRT rules tested?
If they did test the VRT ruleset, we just need to compare the rules that we have now with the rules they tested to find the offensive code to the ARM.
obs: sorry for my english, it`s not my native language.
-
Hi, any luck on this matter?
I
ve also bought the VRT ruleset, and my sg-3100 is still being being delivered, once it reaches me, Ill try to help too.I read that the sg-3100 was tested by all means by Netgate before release, so I believe that they have tested snort.
The question is, which ruleset they have tested? Was VRT rules tested?
If they did test the VRT ruleset, we just need to compare the rules that we have now with the rules they tested to find the offensive code to the ARM.
obs: sorry for my english, it`s not my native language.
Working on it along with one of the pfSense kernel developers. It's a complex problem, and there are several errors likely in the Snort binary's source code. Some things were done in the code that are not good programming practice, but Intel processors hide the issue because they silently fix the problem. ARM processors like the armv7 used in the SG-3100 do not silently fix the problem. The issue is unaligned memory access done by portions of the Snort binary code.
We have been able to get Snort to run without the Signal 10 error, but it's not properly decoding some of the TCP packets. It's messing up TCP sequence and ACK numbers for one thing.
Bill
-
Ah man, I knew it! I knew the problem while running on the SG-1000 was more complex than the device doesn't have the processing power for it… I mean, while that may be true, it wouldn't exit with a Signal 10 error on start up. Signal 10 (to me) indicates the ARM chip is running malformed instructions meant for an x86 target.
Good luck @bmeeks ! May the programming gods bless you on this one!
-
Ah man, I knew it! I knew the problem while running on the SG-1000 was more complex than the device doesn't have the processing power for it… I mean, while that may be true, it wouldn't exit with a Signal 10 error on start up. Signal 10 (to me) indicates the ARM chip is running malformed instructions meant for an x86 target.
Good luck @bmeeks ! May the programming gods bless you on this one!
Thanks! This is a tough nut to crack. It's not an illegal instruction that's causing the Signal 10 in this case. Instead, it's a problem with something called unaligned memory access. You can Google that term for details about what it is. It's down all the way to the register level inside the CPU and how hardware memory access has to work. The root cause is what many consider poor or bad form C language programming practice when using pointers to reference data in memory. Intel x86 CPUs swallow these kinds of programmer issues and auto-correct them. In the old days, before tons of CPU on-die cache memory and all the fancy instruction execution pipelines of modern CPUs, there was a peformance penalty each time the CPU "fixed up" a C programmer's mistake. Not so much anymore, though. Modern Intel CPUs just basically instantly fix-up the unaligned memory access and there is no perceivable performance penalty. Thus there has not been a push to fix these problems in legacy C programming code. However, other CPUs such as the armv7 used in the SG-3100 don't perform these auto-fixups by default. So you get the errors. The preferred fix is to find all the poor programming practices in the C code and fix them at the source. That is easier to say that it is to actually do… :(. We're still working on it. The problems are within sections of the Snort binary and have nothing to do with the GUI package.
Bill
