Snort + SG-3100 = exited on signal 10

bmeeks

@atrotter01:

It looks like I am somehow getting a different binary.  I am running 2.4.2_1 of pfSense.

[2.4.2-RELEASE][admin@pfsense]/root: ls -lusr/local/bin/snort
-r-xr-xr-x  1 root  wheel  1377676 Jan 25 22:20 /usr/local/bin/snort
[2.4.2-RELEASE][admin@pfsense]/root: md5 /usr/local/bin/snort
MD5 (/usr/local/bin/snort) = 35d9aa2e1e46543242a4c404f015fc8d

Running snort –help gives me this version:

Version 2.9.11.1 GRE (Build 268) FreeBSD

Package manager shows 3.2.9.6 installed with snort-2.9.11.1.

Yes, your binary is different.  Let me investigate that and see what's going on.

Bill

bmeeks

OK, the binary that is installing is not correct.  I will need to get with the pfSense team to find out why.

In my case, because I had manually installed my "fixed" binary package during testing, when I removed the Snort package from my SG-3100 the actual binary was not getting deleted.  Thus even though I was removing the package and installing it fresh during subsequent testing today, my actual binary was not getting changed and my test version binary was being used again.  That's why it worked for me.  So the fix really works, but for some reason the build of the binary on the Netgate respository is not including my "fix".

EDIT UPDATE: found out after some investigation that one of my patch files got omitted when everything was cherry-picked into the Netgate/pfSense repository.  I've notified the pfSense team and they should get things squared away soon.  When I get confirmation of the fixed binary being posted, I will post a message to this thread.  SG-3100 users can then once again remove and reinstall the Snort package to get the fixed binary.

Sorry for the trouble …  ;).  I knew it was working on my end, so when I saw reports here to the contrary I was baffled at first.  Glad to figure out what actually happened.

Bill

atrotter01

@bmeeks:

OK, the binary that is installing is not correct.  I will need to get with the pfSense team to find out why.

In my case, because I had manually installed my "fixed" binary package during testing, when I removed the Snort package from my SG-3100 the actual binary was not getting deleted.  Thus even though I was removing the package and installing it fresh during subsequent testing today, my actual binary was not getting changed and my test version binary was being used again.  That's why it worked for me.  So the fix really works, but for some reason the build of the binary on the Netgate respository is not including my "fix".

EDIT UPDATE: found out after some investigation that one of my patch files got omitted when everything was cherry-picked into the Netgate/pfSense repository.  I've notified the pfSense team and they should get things squared away soon.  When I get confirmation of the fixed binary being posted, I will post a message to this thread.  SG-3100 users can then once again remove and reinstall the Snort package to get the fixed binary.

Sorry for the trouble …  ;).  I knew it was working on my end, so when I saw reports here to the contrary I was baffled at first.  Glad to figure out what actually happened.

Bill

Thanks for the update! I am glad it was something simple and not another issue!  :)

mcury

Patch is ready or not?

bmeeks

@mcury:

Patch is ready or not?

The patch has been ready since January 18th, but when my submitted files for the last Snort update got merged into the pfSense repository one of the patch files for the binary was accidentally omitted during the cherry pick process.  I notified the pfSense team this past Monday evening of the oversight and provided them another copy of the missing file.  The new package is not yet posted, though.

Bill

mcury

@bmeeks:

@mcury:

Patch is ready or not?

The patch has been ready since January 18th, but when my submitted files for the last Snort update got merged into the pfSense repository one of the patch files for the binary was accidentally omitted during the cherry pick process.  I notified the pfSense team this past Monday evening of the oversight and provided them another copy of the missing file.  The new package is not yet posted, though.

Bill

Thanks Bill, I almost installed the previous version, I`ll be waiting, thanks for everything.

Best regards,

ivor

It will be there soon, apologies for the wait!

bmeeks

The fix for Snort on SG-3100 and similar armv6/armv7 devices disables the clang compiler optimizations.  Those optimizations by the compiler generate some machine code sequences that lead to the SIGBUS crash.  So one of my patches goes into the configure script for the Snort binary.  When it detects the compilation target as ARM architecture, it turns off compiler optimizations.  When compiling for Intel/AMD architectures it leaves the compiler optimizations in place.  The file that patches the configure script to include this logic is what got accidentally omitted.

So the resulting fixed binary will be slightly larger in size and will not be quite as efficient as the optimized code, but at least it will run on ARM architecture.  The binary for Intel/AMD hardware is the same as it has always been.  The compiler optimizations will be there for the amd64 code base (Intel and AMD).

Bill

bmeeks

The updated binary for Snort on the SG-3100 has been posted.  This latest version (v2.9.11.1_1 for the binary and v3.2.9.6_1 for the GUI) works on armv7 hardware such as the SG-3100.

There are no changes in the latest update except for the fixed binary.

Bill

stephenw10

Tested and working here.

Thanks Bill.  :)

Steve

mcury

Thanks a lot for the hard work, it's working perfectly here.

RossCaryNC

@BMEEKS

You are amazing THANK YOU!!!!