Snort + SG-3100 = exited on signal 10
-
Hey guys, until we wait for the fix, you can use Suricata instead, not a complete replacement due to the lack of appid in my opnion, but it works.
The categories mentioned below worked fine.The only category I got errors inside Suricata.log was from malware-cnc, so I've disabled it.
I'm currently using the VRT paid rules, with the following categories:
snort_blacklist.rules
snort_browser-chrome.rules
snort_browser-firefox.rules
snort_browser-plugins.rules
snort_file-multimedia.rules
snort_file-office.rules
snort_file-pdf.rules
snort_malware-backdoor.rules
snort_os-windows.rulesDisabled the stream-events rules due to huge false positives.
And a few of the decoder-events due to same reason.If you guys have any doubts, just ask.
-
Hmm, interesting. Is Suricata still running OK for you?
I initially thought this also but found Suricata crashed out after some time. However I'm re-testing it now and it's still running….so far.
Steve
-
Yes, it
s working perfectly fine. Didn
t have a single crash so far, running only on my LAN, IPS mode (blocking mode enabled), not inline, didn`t test this yet. -
Hmm, interesting. Is Suricata still running OK for you?
I initially thought this also but found Suricata crashed out after some time. However I'm re-testing it now and it's still running….so far.
Steve
Are you running in inline mode or legacy mode? From what I can tell, inline mode isn't ready yet for the 3100 due to lack of driver support, which the team is working on.
-
Running in non-blocking mode currently. One step at a time ;)
Previously it wasn't running at all from what I could see but now seems good at 24hrs+.
Steve
-
Just checking back in. Any movement getting snort fully functional on SG-3100/ARM? I'm really interested in the new app detection stuff, so running Suricata doesn't scratch the itch. Really happy with my SG-3100 so far (but for this). I'm happy to help test/troubleshoot if my rig can be of assistance.
From the thread, it looks non-trivial based on some old bad programming habits. Not sure how hard that is to track down and fix :(
Thanks for any and all help!
Sean
-
Just checking back in. Any movement getting snort fully functional on SG-3100/ARM? I'm really interested in the new app detection stuff, so running Suricata doesn't scratch the itch. Really happy with my SG-3100 so far (but for this). I'm happy to help test/troubleshoot if my rig can be of assistance.
From the thread, it looks non-trivial based on some old bad programming habits. Not sure how hard that is to track down and fix :(
Thanks for any and all help!
Sean
No firm progress yet. I did manage to find where generally in the code it is failing (at least one point). It appears to be in the loading of the Stream5 preprocessor. Debugging this has proven challenging because when I build Snort with debugging enabled it does not crash! It only crashes with debugging disabled. Without the debugging symbols being enabled, troubleshooting the crash is very difficult.
I've not had much time to troubleshoot over the Christmas holidays. Since those are winding down, I should have more time to devote to the troubleshooting task. I have an SG-3100 appliance I am testing with. It was generously provided by the pfSense team.
Bill
-
Ouch, I literally just bought one of these today because I wanted to get introduced to pfSense and things like Snort. Saw mention elsewhere it didn't work on the SG1000 but missed this about the SG3100. I'm subscribed and best of luck but I think I'm going to put in more research on Qotom.
-
Ouch, I literally just bought one of these today because I wanted to get introduced to pfSense and things like Snort. Saw mention elsewhere it didn't work on the SG1000 but missed this about the SG3100. I'm subscribed and best of luck but I think I'm going to put in more research on Qotom.
Reports from other SG-3100 users indicate Suricata works fine on the hardware. Just use Suricata for now. There is no meaningful security difference between it and Snort. The only functional difference is Snort currently offers OpenAppID while Suricata does not, but then Suricata is multi-threaded and has Inline IPS Mode while Snort does not.
Bill
-
Yes Suricata seems to run fine on the SG-3100.
The only issue with it I have seen is that the package does not survive a firmware update for some reason I've yet to determine. It requires un-installing and then re-installing (not just hitting the reinstall button) after updating.
Not a huge issue unless you're following development snapshots and updating everyday. Like me. ;)
Steve
-
Finally some progress on getting Snort to run on the SG-3100 and other Netgate hardware with the armv6/armv7 processors!
I have a Snort package in testing that runs successfully on an SG-3100. The fix involves turning off compiler optimizations for the armv7 CPU used in the SG-3100. That produces a less efficient machine code binary, but at least it runs. I am discussing options with the pfSense team to get their input on how they would like to proceed with this (meaning use the non-optimized binary package that will run, but a little bit slower than an optimized binary would; or investing time and energy to figure out exactly how to fix the optimization routines in the compiler used for armv6/armv7 packages or else alter all the places in the Snort source code where unaligned access can happen). The root cause is the compiler optimizations appear to replace some byte-oriented instructions with multi-byte equivalents to gain a little speed, but the multi-byte equivalents do not support unaligned memory access and thus cause the crash. The details get a bit geeky from there, but you can read all about unaligned memory access and how the different CPUs handle it using a Google search for "unaligned access".
Bill
-
Great news, thank you bmeeks!
-
The fix for Snort on the SG-3100 will be ready soon. It is part of these two Snort updates:
(1) Snort binary update – https://github.com/pfsense/FreeBSD-ports/pull/497
(2) Snort GUI update – https://github.com/pfsense/FreeBSD-ports/pull/496Look for these to appear in Package Manager sometime next week.
Bill
-
I upgraded to the new snort package released in pfSense package manager, 3.2.9.6. I am still seeing issues with crashing. I did a complete removal and reinstall.
Jan 29 16:59:31 kernel mvneta0: promiscuous mode disabled
Jan 29 16:59:31 kernel pid 84107 (snort), uid 0: exited on signal 10
Jan 29 16:58:44 snort 84107 Commencing packet processing (pid=84107) -
@Missionary:
I upgraded to the new snort package released in pfSense package manager, 3.2.9.6. I am still seeing issues with crashing. I did a complete removal and reinstall.
Jan 29 16:59:31 kernel mvneta0: promiscuous mode disabled
Jan 29 16:59:31 kernel pid 84107 (snort), uid 0: exited on signal 10
Jan 29 16:58:44 snort 84107 Commencing packet processing (pid=84107)Could you try going to the interface settings in Snort, then <interface>Preprocs, then under "Stream5 Target-Based Stream Reassembly", uncheck "Track and reassemble TCP sessions. Default is Checked.". Save this and see if the crashes stop… after some troubleshooting with mine this is the only way I could get it to start.</interface>
-
Did you read the release notes?
https://forum.pfsense.org/index.php?topic=143261.0
IMPORTANT INSTALLATION NOTICE
It is strongly recommended that you install this update by removing the Snort package and then installing it again instead of using the "upgrade" icon. This is because a couple of the files in the new update will be cached by the PHP process if you simply "upgrade" using the reinstall icon. The older version of the cached file will be used during the post-install steps and your rules may fail to update properly. If you remove the package completely and then install it again, there will be no cached files issue. So long as you have the "Save Settings" checkbox ticked on the GLOBAL SETTINGS tab, your Snort configuration will be retained when removing the package. That box is checked by default, but if you have ever unchecked it for some reason, be sure to check it before removing the package.If you read this warning afer you've already tried the reinstall icon, then simply manually update your rules on the UPDATES tab, start Snort if it failed to start after the upgrade, and you should be fine.
-
Yes, this is how I originally gave it a try. Now I've gone as far as uninstalling, completely removing the snort section from config.xml to make sure no settings could be carrying over, then reinstalling. I still experience crashing.
-
I tried adjusting the STREAM5 settings. Behavior of crash changed. FATAL ERROR: /usr/local/etc/snort/snort_11522_mvneta0/rules/snort.rules(6083) Unknown rule option: 'stream_size'.
I should note that I have 2 interfaces setup. I have a redundant WAN setup and am trying to set snort to monitor both of these. mvneta2 is the WAN port. mvneta0 is Opt1 which I have labeled WAN2. Prior new package release WAN2 would run but WAN would not. Now my behavior is the exact opposite. WAN will run but WAN2 will not. I did read the release notes. I did a total uninstall of snort and reinstalled.
I am very disappointed with the SG3100. I did not do my research good enough. I have an SG2440 I set up at one of my sites that works great. I went to buy another but it was end of sale. I only bought this because the end of sale page for SG2440 showed this was the recommended replacement. Guess I should have read a little deeper. I will be contacting Netgate to see if we can get the money back. Don't have a big network but need the redundant LAN as I am in Haiti and the internet here is not reliable so we have 2 providers.
-
This crash is likely related to having a rule enabled that needs the preprocessor. I am able to get it to run but only with that option disabled and minimal rules enabled.
-
I just checked my test SG-3100 and Snort is still running with all of the "default enabled" preprocessors enabled. In other words, an out-of-the-box install with several OpenAppID rule categories and the Snort Subscriber Rules "IPS Connectivity" policy enabled.
I have it running on the LAN of this test box and the WAN is not connected. Basically I have the SG-3100 sitting on my LAN. I am getting alerts for the HTTP_INSPECT stuff as I have no suppression list enabled.
Bill