Netgate Discussion Forum

Snort + SG-3100 = exited on signal 10

IDS/IPS, 64 posts, 13 posters
Valiant

      @bmeeks:

      UPDATE

      An SG-3100 box is graciously being loaned to me for testing, so I will see if I can fix up the Snort package so that it runs reliably on ARM hardware.  Give me a little time to get my environment set up and then do some investigation and testing.

      Bill

      Hi Bill,

Thanks, any progress on this? I dug up an old HP N40L Microserver, installed an NC360T dual NIC card and installed pfSense to compare to the Netgate. So far I have got good results with OpenVPN working nicely and the Snort service running reliably with the same oinkcode and ruleset selected.

The N40L has an AMD Turion processor which seems compatible. Not sure which device has more grunt, but so far it's working OK for me. I do however want to retire this box and stick to the SG-3100 to save on power.

bmeeks

        @Valiant:

        @bmeeks:

        UPDATE

        An SG-3100 box is graciously being loaned to me for testing, so I will see if I can fix up the Snort package so that it runs reliably on ARM hardware.  Give me a little time to get my environment set up and then do some investigation and testing.

        Bill

        Hi Bill,

Thanks, any progress on this?

Haven't found the offending code yet, but I do have the test/debugging environment set up. It's weird. When I run the standard Snort binary I get the crash pretty much immediately upon startup. However, when I run a Snort binary compiled with debugging symbols it runs just fine and does not crash! Scratching my head over this one… ???

        Bill

stephenw10 (Netgate Administrator)

Ouch! I hate that. Measuring a thing changes its behaviour. Clearly some sort of quantum behaviour. ;)

          Steve

bmeeks

            @stephenw10:

Ouch! I hate that. Measuring a thing changes its behaviour. Clearly some sort of quantum behaviour. ;)

            Steve

Yep. Turning on debugging symbols turns off all optimizations done by the compiler. So at least there is a hint there that maybe something in the compiler optimizations is the cause. In some subsequent runs I was able to produce a Signal 10 crash using the Snort binary with debug symbols… but only once so far. The non-debugging version crashes every single time.

            Bill

mcury (Rebel Alliance)

              Hi, any luck on this matter?

I've also bought the VRT ruleset, and my SG-3100 is still being delivered; once it reaches me, I'll try to help too.

              I read that the sg-3100 was tested by all means by Netgate before release, so I believe that they have tested snort.

The question is, which ruleset have they tested? Were the VRT rules tested?

If they did test the VRT ruleset, we just need to compare the rules that we have now with the rules they tested to find the code that offends the ARM.

obs: sorry for my English, it's not my native language.

              dead on arrival, nowhere to be found.

bmeeks

                @mcury:

                Hi, any luck on this matter?

I've also bought the VRT ruleset, and my SG-3100 is still being delivered; once it reaches me, I'll try to help too.

                I read that the sg-3100 was tested by all means by Netgate before release, so I believe that they have tested snort.

The question is, which ruleset have they tested? Were the VRT rules tested?

If they did test the VRT ruleset, we just need to compare the rules that we have now with the rules they tested to find the code that offends the ARM.

obs: sorry for my English, it's not my native language.

                Working on it along with one of the pfSense kernel developers.  It's a complex problem, and there are several errors likely in the Snort binary's source code.  Some things were done in the code that are not good programming practice, but Intel processors hide the issue because they silently fix the problem.  ARM processors like the armv7 used in the SG-3100 do not silently fix the problem.  The issue is unaligned memory access done by portions of the Snort binary code.

                We have been able to get Snort to run without the Signal 10 error, but it's not properly decoding some of the TCP packets.  It's messing up TCP sequence and ACK numbers for one thing.

                Bill

skilbjo

Ah man, I knew it! I knew the problem while running on the SG-1000 was more complex than the device not having the processing power for it… I mean, while that may be true, it wouldn't exit with a Signal 10 error on startup. Signal 10 (to me) indicates the ARM chip is running malformed instructions meant for an x86 target.

                  Good luck @bmeeks ! May the programming gods bless you on this one!

bmeeks

                    @skilbjo:

Ah man, I knew it! I knew the problem while running on the SG-1000 was more complex than the device not having the processing power for it… I mean, while that may be true, it wouldn't exit with a Signal 10 error on startup. Signal 10 (to me) indicates the ARM chip is running malformed instructions meant for an x86 target.

                    Good luck @bmeeks ! May the programming gods bless you on this one!

Thanks! This is a tough nut to crack. It's not an illegal instruction that's causing the Signal 10 in this case. Instead, it's a problem with something called unaligned memory access. You can Google that term for details about what it is. It's down all the way to the register level inside the CPU and how hardware memory access has to work. The root cause is what many consider poor or bad form C language programming practice when using pointers to reference data in memory. Intel x86 CPUs swallow these kinds of programmer issues and auto-correct them. In the old days, before tons of CPU on-die cache memory and all the fancy instruction execution pipelines of modern CPUs, there was a performance penalty each time the CPU "fixed up" a C programmer's mistake. Not so much anymore, though. Modern Intel CPUs just basically instantly fix up the unaligned memory access and there is no perceivable performance penalty. Thus there has not been a push to fix these problems in legacy C programming code. However, other CPUs such as the armv7 used in the SG-3100 don't perform these auto-fixups by default. So you get the errors. The preferred fix is to find all the poor programming practices in the C code and fix them at the source. That is easier to say than it is to actually do… :(. We're still working on it. The problems are within sections of the Snort binary and have nothing to do with the GUI package.

                    Bill

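Added example in C (my own code, not Snort's source) of the unaligned-access pattern Bill describes: an Ethernet frame puts the IPv4 header at offset 14 and the TCP header at offset 34, so their 32-bit fields sit 2 bytes off a 4-byte boundary, and reading them through a cast pointer is what x86 tolerates and armv7 may not. The byte-wise reader beside it is the portable form a packet parser should use; the frame bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define TCP_OFF 34  /* 14-byte Ethernet + 20-byte IPv4: TCP seq/ack land at 38 and 42 */

/* Constructed frame (Ethernet + minimal IPv4 + TCP), forced onto a 4-byte
 * boundary so the misalignment of the inner headers is deterministic. */
static const uint8_t frame[TCP_OFF + 20] __attribute__((aligned(4))) = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x00,
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0xa8,0x01,0x0a, 0xc0,0xa8,0x01,0x14,
    0x04,0xd2, 0x00,0x50,        /* TCP ports 1234 -> 80 */
    0x11,0x22,0x33,0x44,         /* sequence number */
    0x55,0x66,0x77,0x88,         /* acknowledgement number */
    0x50,0x10, 0xff,0xff, 0x00,0x00, 0x00,0x00,
};

struct tcp_nums { uint32_t seq, ack; };

/* Bytes between p and the previous 4-byte boundary; 0 means aligned. */
static unsigned misalignment(const void *p) { return (unsigned)((uintptr_t)p % 4); }

/* The risky pattern: reinterpret the byte pointer as uint32_t* and load.
 * Undefined behaviour in C. x86 does the unaligned load silently; on armv7
 * the optimizer may pick LDM/LDRD/NEON loads, which raise SIGBUS (signal 10)
 * on unaligned addresses although a plain LDR tolerates them, one reason an
 * -O0 debug build can look fine. Result is host byte order too. Not called. */
static uint32_t raw_seq_via_cast(const uint8_t *tcp)
{
    return *(const uint32_t *)(tcp + 4);
}

/* Portable read of a big-endian 32-bit field: byte loads never need
 * alignment, and the shifts give a host-order value on any CPU. */
static uint32_t be32_at(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static struct tcp_nums tcp_seq_ack(const uint8_t *tcp)
{
    struct tcp_nums n = { be32_at(tcp + 4), be32_at(tcp + 8) };
    return n;
}

int main(void)
{
    struct tcp_nums n = tcp_seq_ack(frame + TCP_OFF);
    printf("seq field %u bytes off alignment; seq=0x%08x ack=0x%08x\n",
           misalignment(frame + TCP_OFF + 4), (unsigned)n.seq, (unsigned)n.ack);
    (void)raw_seq_via_cast;  /* referenced only to avoid an unused-function warning */
    return 0;
}
```

Building Snort-style parsers with a sanitizer such as -fsanitize=alignment on an x86 box reports the same cast-and-load sites that fault on the SG-3100.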
stephenw10 (Netgate Administrator)

                      @bmeeks:

The preferred fix is to find all the poor programming practices in the C code and fix them at the source. That is easier to say than it is to actually do… :(.

                      Wow, I feel that pain.  :-\

                      Sending you good vibes!  :)

                      Steve

psylenced

                        Just jumping into this thread to say that I have the same issue, and await a fix hopefully soon.

                        I originally thought I had misconfigured something.

RossCaryNC

                          OP Here.

                          Thank you guys for looking into this. I look forward to a fix.

                          -Ross

mcury (Rebel Alliance)

Hey guys, while we wait for the fix, you can use Suricata instead. Not a complete replacement due to the lack of AppID in my opinion, but it works.
The categories mentioned below worked fine.

The only category I got errors from inside suricata.log was malware-cnc, so I've disabled it.

                            I'm currently using the VRT paid rules, with the following categories:

                            snort_blacklist.rules
                            snort_browser-chrome.rules
                            snort_browser-firefox.rules
                            snort_browser-plugins.rules
                            snort_file-multimedia.rules
                            snort_file-office.rules
                            snort_file-pdf.rules
                            snort_malware-backdoor.rules
                            snort_os-windows.rules

Disabled the stream-events rules due to huge numbers of false positives,
and a few of the decoder-events rules for the same reason.

                            If you guys have any doubts, just ask.

                            dead on arrival, nowhere to be found.

stephenw10 (Netgate Administrator)

                              Hmm, interesting. Is Suricata still running OK for you?

I initially thought this also but found Suricata crashed out after some time. However, I'm re-testing it now and it's still running… so far.

                              Steve

mcury (Rebel Alliance)

Yes, it's working perfectly fine. Didn't have a single crash so far, running only on my LAN, IPS mode (blocking mode enabled), not inline; didn't test this yet.

                                dead on arrival, nowhere to be found.

drewsaur

                                  @stephenw10:

                                  Hmm, interesting. Is Suricata still running OK for you?

I initially thought this also but found Suricata crashed out after some time. However, I'm re-testing it now and it's still running… so far.

                                  Steve

                                  Are you running in inline mode or legacy mode? From what I can tell, inline mode isn't ready yet for the 3100 due to lack of driver support, which the team is working on.

stephenw10 (Netgate Administrator)

                                    Running in non-blocking mode currently. One step at a time  ;)

                                    Previously it wasn't running at all from what I could see but now seems good at 24hrs+.

                                    Steve

sean.allen

                                      Just checking back in. Any movement getting snort fully functional on SG-3100/ARM? I'm really interested in the new app detection stuff, so running Suricata doesn't scratch the itch. Really happy with my SG-3100 so far (but for this). I'm happy to help test/troubleshoot if my rig can be of assistance.

                                      From the thread, it looks non-trivial based on some old bad programming habits. Not sure how hard that is to track down and fix  :(

                                      Thanks for any and all help!

                                      Sean

bmeeks

                                        @sean.allen:

                                        Just checking back in. Any movement getting snort fully functional on SG-3100/ARM? I'm really interested in the new app detection stuff, so running Suricata doesn't scratch the itch. Really happy with my SG-3100 so far (but for this). I'm happy to help test/troubleshoot if my rig can be of assistance.

                                        From the thread, it looks non-trivial based on some old bad programming habits. Not sure how hard that is to track down and fix  :(

                                        Thanks for any and all help!

                                        Sean

                                        No firm progress yet.  I did manage to find where generally in the code it is failing (at least one point).  It appears to be in the loading of the Stream5 preprocessor.  Debugging this has proven challenging because when I build Snort with debugging enabled it does not crash!  It only crashes with debugging disabled.  Without the debugging symbols being enabled, troubleshooting the crash is very difficult.

                                        I've not had much time to troubleshoot over the Christmas holidays.  Since those are winding down, I should have more time to devote to the troubleshooting task.  I have an SG-3100 appliance I am testing with.  It was generously provided by the pfSense team.

                                        Bill

Maxburn

Ouch, I literally just bought one of these today because I wanted to get introduced to pfSense and things like Snort. Saw mention elsewhere it didn't work on the SG-1000 but missed this about the SG-3100. I'm subscribed and best of luck, but I think I'm going to put in more research on Qotom.

bmeeks

                                            @Maxburn:

Ouch, I literally just bought one of these today because I wanted to get introduced to pfSense and things like Snort. Saw mention elsewhere it didn't work on the SG-1000 but missed this about the SG-3100. I'm subscribed and best of luck, but I think I'm going to put in more research on Qotom.

                                            Reports from other SG-3100 users indicate Suricata works fine on the hardware.  Just use Suricata for now.  There is no meaningful security difference between it and Snort.  The only functional difference is Snort currently offers OpenAppID while Suricata does not, but then Suricata is multi-threaded and has Inline IPS Mode while Snort does not.

                                            Bill

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.