Netgate Discussion Forum

    Snort + SG-3100 = exited on signal 10

    IDS/IPS
    • R
      rmcgheeonemissionsociety

      I tried adjusting the STREAM5 settings.  Behavior of crash changed.  FATAL ERROR: /usr/local/etc/snort/snort_11522_mvneta0/rules/snort.rules(6083) Unknown rule option: 'stream_size'.

      I should note that I have 2 interfaces set up.  I have a redundant WAN setup and am trying to set snort to monitor both of these.  mvneta2 is the WAN port.  mvneta0 is Opt1 which I have labeled WAN2.  Prior to the new package release WAN2 would run but WAN would not.  Now my behavior is the exact opposite.  WAN will run but WAN2 will not.  I did read the release notes.  I did a total uninstall of snort and reinstalled.

      I am very disappointed with the SG3100.  I did not do my research well enough.  I have an SG2440 I set up at one of my sites that works great.  I went to buy another but it was end of sale.  I only bought this because the end of sale page for SG2440 showed this was the recommended replacement.  Guess I should have read a little deeper.  I will be contacting Netgate to see if we can get the money back.  Don't have a big network but need the redundant LAN as I am in Haiti and the internet here is not reliable so we have 2 providers.

      • A
        atrotter01

        This crash is likely related to having a rule enabled that needs the preprocessor.  I am able to get it to run but only with that option disabled and minimal rules enabled.

        • bmeeksB
          bmeeks

          I just checked my test SG-3100 and Snort is still running with all of the "default enabled" preprocessors enabled.  In other words, an out-of-the-box install with several OpenAppID rule categories and the Snort Subscriber Rules "IPS Connectivity" policy enabled.

          I have it running on the LAN of this test box and the WAN is not connected.  Basically I have the SG-3100 sitting on my LAN.  I am getting alerts for the HTTP_INSPECT stuff as I have no suppression list enabled.

          Bill

          • A
            atrotter01

            Do you have any other packages, or anything else, set up on your test SG-3100?  There must be some difference between mine and yours that causes mine to crash.  Mine is used as my primary router, so I do have LAN and WAN configured. I also have many other packages installed.  If you have any other suggestions I am happy to try anything to get it working.

            • bmeeksB
              bmeeks

              @atrotter01:

              This crash is likely related to having a rule enabled that needs the preprocessor.  I am able to get it to run but only with that option disabled and minimal rules enabled.

              Let's double-check the binary you have installed.  First, are you on an SG-3100 and is it running 2.4.2?

              Do

              ```
              ls -l /usr/local/bin/snort
              ```

              and you should get a file size of 2112260.

              Next, calculate the MD5 of the binary:

              ```
              md5 /usr/local/bin/snort
              ```

              You should get:

              ```
              MD5 (snort) = d68fbb7e854e4ed7d16184c0a67d611b
              ```

              Let me know what you have for these checks.
              
              Bill
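
The two checks in the post above can be scripted so the comparison is not done by eye. This is an added example, not part of the original post or the Snort package; the function names `file_md5` and `check_binary` are hypothetical, and the reference size and MD5 are the ones quoted in the post.

```shell
#!/bin/sh
# Reference values for the fixed SG-3100 build, as quoted in the post.
REF_SIZE=2112260
REF_MD5=d68fbb7e854e4ed7d16184c0a67d611b

# Print the hex MD5 of a file. FreeBSD/pfSense ships md5(1);
# Linux ships md5sum(1) instead.
file_md5() {
    if command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        md5sum "$1" | awk '{print $1}'
    fi
}

# check_binary PATH SIZE MD5
# Returns 0 when size and MD5 both match, 1 on any mismatch,
# 2 when PATH cannot be read.
check_binary() {
    path=$1 want_size=$2 want_md5=$3
    [ -r "$path" ] || { echo "cannot read $path" >&2; return 2; }
    got_size=$(wc -c < "$path" | tr -d ' ')
    got_md5=$(file_md5 "$path")
    rc=0
    if [ "$got_size" != "$want_size" ]; then
        echo "size mismatch: got $got_size, want $want_size"
        rc=1
    fi
    if [ "$got_md5" != "$want_md5" ]; then
        echo "md5 mismatch: got $got_md5, want $want_md5"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $path matches the reference build"
    return "$rc"
}

# MD5 is enough to tell two builds apart, which is the purpose here;
# it is not a defence against deliberate tampering.
# On the firewall:
#   check_binary /usr/local/bin/snort "$REF_SIZE" "$REF_MD5"
```

A non-zero exit status means the installed file is not the build the maintainer tested, which is the condition this thread goes on to diagnose.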
              • bmeeksB
                bmeeks

                @atrotter01:

                Do you have any other packages, or anything else, set up on your test SG-3100?  There must be some difference between mine and yours that causes mine to crash.  Mine is used as my primary router, so I do have LAN and WAN configured. I also have many other packages installed.  If you have any other suggestions I am happy to try anything to get it working.

                Nope, no other packages.  Just Snort.  I was given this box to test with by the Netgate folks, and so I just stuck it on my network while I worked on getting Snort to run.

                Bill

                • A
                  atrotter01

                  It looks like I am somehow getting a different binary.  I am running 2.4.2_1 of pfSense.

                  ```
                  [2.4.2-RELEASE][admin@pfsense]/root: ls -l /usr/local/bin/snort
                  -r-xr-xr-x  1 root  wheel  1377676 Jan 25 22:20 /usr/local/bin/snort
                  [2.4.2-RELEASE][admin@pfsense]/root: md5 /usr/local/bin/snort
                  MD5 (/usr/local/bin/snort) = 35d9aa2e1e46543242a4c404f015fc8d
                  ```

                  Running snort --help gives me this version:

                  ```
                  Version 2.9.11.1 GRE (Build 268) FreeBSD
                  ```

                  Package manager shows 3.2.9.6 installed with snort-2.9.11.1.

                  • bmeeksB
                    bmeeks

                    @atrotter01:

                    It looks like I am somehow getting a different binary.  I am running 2.4.2_1 of pfSense.

                    ```
                    [2.4.2-RELEASE][admin@pfsense]/root: ls -l /usr/local/bin/snort
                    -r-xr-xr-x  1 root  wheel  1377676 Jan 25 22:20 /usr/local/bin/snort
                    [2.4.2-RELEASE][admin@pfsense]/root: md5 /usr/local/bin/snort
                    MD5 (/usr/local/bin/snort) = 35d9aa2e1e46543242a4c404f015fc8d
                    ```

                    Running snort --help gives me this version:

                    ```
                    Version 2.9.11.1 GRE (Build 268) FreeBSD
                    ```

                    Package manager shows 3.2.9.6 installed with snort-2.9.11.1.

                    Yes, your binary is different.  Let me investigate that and see what's going on.

                    Bill

                    • bmeeksB
                      bmeeks

                      OK, the binary that is installing is not correct.  I will need to get with the pfSense team to find out why.

                      In my case, because I had manually installed my "fixed" binary package during testing, when I removed the Snort package from my SG-3100 the actual binary was not getting deleted.  Thus even though I was removing the package and installing it fresh during subsequent testing today, my actual binary was not getting changed and my test version binary was being used again.  That's why it worked for me.  So the fix really works, but for some reason the build of the binary on the Netgate repository is not including my "fix".

                      EDIT UPDATE: found out after some investigation that one of my patch files got omitted when everything was cherry-picked into the Netgate/pfSense repository.  I've notified the pfSense team and they should get things squared away soon.  When I get confirmation of the fixed binary being posted, I will post a message to this thread.  SG-3100 users can then once again remove and reinstall the Snort package to get the fixed binary.

                      Sorry for the trouble …  ;).  I knew it was working on my end, so when I saw reports here to the contrary I was baffled at first.  Glad to figure out what actually happened.

                      Bill

                      • A
                        atrotter01

                        @bmeeks:

                        OK, the binary that is installing is not correct.  I will need to get with the pfSense team to find out why.

                        In my case, because I had manually installed my "fixed" binary package during testing, when I removed the Snort package from my SG-3100 the actual binary was not getting deleted.  Thus even though I was removing the package and installing it fresh during subsequent testing today, my actual binary was not getting changed and my test version binary was being used again.  That's why it worked for me.  So the fix really works, but for some reason the build of the binary on the Netgate repository is not including my "fix".

                        EDIT UPDATE: found out after some investigation that one of my patch files got omitted when everything was cherry-picked into the Netgate/pfSense repository.  I've notified the pfSense team and they should get things squared away soon.  When I get confirmation of the fixed binary being posted, I will post a message to this thread.  SG-3100 users can then once again remove and reinstall the Snort package to get the fixed binary.

                        Sorry for the trouble …  ;).  I knew it was working on my end, so when I saw reports here to the contrary I was baffled at first.  Glad to figure out what actually happened.

                        Bill

                        Thanks for the update! I am glad it was something simple and not another issue!  :)

                        • M
                          mcury Rebel Alliance

                          Patch is ready or not?

                          dead on arrival, nowhere to be found.

                          • bmeeksB
                            bmeeks

                            @mcury:

                            Patch is ready or not?

                            The patch has been ready since January 18th, but when my submitted files for the last Snort update got merged into the pfSense repository one of the patch files for the binary was accidentally omitted during the cherry pick process.  I notified the pfSense team this past Monday evening of the oversight and provided them another copy of the missing file.  The new package is not yet posted, though.

                            Bill

                            • M
                              mcury Rebel Alliance

                              @bmeeks:

                              @mcury:

                              Patch is ready or not?

                              The patch has been ready since January 18th, but when my submitted files for the last Snort update got merged into the pfSense repository one of the patch files for the binary was accidentally omitted during the cherry pick process.  I notified the pfSense team this past Monday evening of the oversight and provided them another copy of the missing file.  The new package is not yet posted, though.

                              Bill

                              Thanks Bill, I almost installed the previous version, I'll be waiting, thanks for everything.

                              Best regards,

                              dead on arrival, nowhere to be found.

                              • ivorI
                                ivor

                                It will be there soon, apologies for the wait!

                                Need help fast? Our support is available 24/7 https://www.netgate.com/support/

                                • bmeeksB
                                  bmeeks

                                  The fix for Snort on SG-3100 and similar armv6/armv7 devices disables the clang compiler optimizations.  Those optimizations by the compiler generate some machine code sequences that lead to the SIGBUS crash.  So one of my patches goes into the configure script for the Snort binary.  When it detects the compilation target as ARM architecture, it turns off compiler optimizations.  When compiling for Intel/AMD architectures it leaves the compiler optimizations in place.  The file that patches the configure script to include this logic is what got accidentally omitted.

                                  So the resulting fixed binary will be slightly larger in size and will not be quite as efficient as the optimized code, but at least it will run on ARM architecture.  The binary for Intel/AMD hardware is the same as it has always been.  The compiler optimizations will be there for the amd64 code base (Intel and AMD).

                                  Bill
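
The kind of configure-time decision described in the post above, sketched as an added example. This is not the actual patch from the Snort package or the pfSense repository, which is not shown in the thread; the function name `adjust_cflags` and the CPU strings matched are assumptions made for illustration.

```shell
#!/bin/sh
# adjust_cflags HOST_CPU FLAG...
# Prints the compiler flags to use for the given target CPU.
# For ARM targets every optimisation level flag (-O1, -O2, -Os, ...)
# is dropped and -O0 is appended; other targets keep their flags as-is.
adjust_cflags() {
    host_cpu=$1
    shift
    case "$host_cpu" in
        arm*)
            out=""
            for flag in "$@"; do
                case "$flag" in
                    -O*) ;;                    # discard the optimisation level
                    *)   out="$out $flag" ;;   # keep everything else
                esac
            done
            out="$out -O0"
            ;;
        *)
            # Intel/AMD and any other target: leave optimisations in place
            out=" $*"
            ;;
    esac
    # Strip the single leading space added while joining
    printf '%s\n' "${out# }"
}

# Constructed sample invocations:
#   adjust_cflags armv7 -O2 -pipe   prints: -pipe -O0
#   adjust_cflags amd64 -O2 -pipe   prints: -O2 -pipe
```

If a step like this is missing from the build, the ARM package is compiled with the same flags as the amd64 one, so the two outcomes produce binaries of different size and checksum.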

                                  • bmeeksB
                                    bmeeks

                                    The updated binary for Snort on the SG-3100 has been posted.  This latest version (v2.9.11.1_1 for the binary and v3.2.9.6_1 for the GUI) works on armv7 hardware such as the SG-3100.

                                    There are no changes in the latest update except for the fixed binary.

                                    Bill

                                    • stephenw10S
                                      stephenw10 Netgate Administrator

                                      Tested and working here.

                                      Thanks Bill.  :)

                                      Steve

                                      • M
                                        mcury Rebel Alliance

                                        Thanks a lot for the hard work, it's working perfectly here.

                                        dead on arrival, nowhere to be found.

                                        • R
                                          RossCaryNC

                                          @BMEEKS

                                          You are amazing THANK YOU!!!!

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.