Suricata core dumping after 2.4.5 upgrade
-
Thanks. I'm looking forward to learning more about IDS\IPS. Surricata seems pretty simple to setup until i ran into the issue. If you don't mind me asking are you doing to switch to another IDS\IPS solution?
-
@blaytrail said in Suricata core dumping after 2.4.5 upgrade:
Thanks. I'm looking forward to learning more about IDS\IPS. Surricata seems pretty simple to setup until i ran into the issue. If you don't mind me asking are you doing to switch to another IDS\IPS solution?
I am the developer/maintainer for Suricata and Snort on pfSense (volunteer, not paid or affiliated with Netgate). I started with Snort years ago and have never changed. Not because it is better or Suricata is worse, just lazy and didn't want to change out my production firewall.
So for now I'm running Snort on a Netgate SG-5100 appliance. Prior to that I ran it on custom-built hardware (mostly Supermicro 1U servers).
-
Cool! It must be fun to be the developer/maintainer for the applications. I really enjoy working with pfSense. I just setup the VPN and it works perfectly. I guess i can move up to the SG-5100. I want to set getting more familiar with IDS/IPS. I take it I will need to use something else beside the SG-1100 for IDS/IPS.
-
@blaytrail said in Suricata core dumping after 2.4.5 upgrade:
Cool! It must be fun to be the developer/maintainer for the applications. I really enjoy working with pfSense. I just setup the VPN and it works perfectly. I guess i can move up to the SG-5100. I want to set getting more familiar with IDS/IPS. I take it I will need to use something else beside the SG-1100 for IDS/IPS.
The SG-1100 is a good starter box for IDS/IPS, but to be honest the amount of RAM it has can limit it when it comes to a full-blown IDS/IPS setup. You would need to be a bit choosy about which rules, and how many in total, you enabled to control RAM usage.
The SG-5100 is more capable both in terms of CPU and RAM. Of course it costs quite a bit more. But I looked around and discovered that getting a chassis, motherboard, CPU, RAM and the other required bits totaled up to be at least as much as the SG-5100 (or so close it was really a wash).
-
I will order the SG-5100 appliance when i get paid next week. I don't mind spending the money for educational purposes. Thanks so much for your time this morning.
I have the instructions for setting up Suricata. Is there a good place to get basic instructions for setting up Snort?
-
@blaytrail said in Suricata core dumping after 2.4.5 upgrade:
I will order the SG-5100 appliance when i get paid next week. I don't mind spending the money for educational purposes. Thanks so much for your time this morning.
I have the instructions for setting up Suricata. Is there a good place to get basic instructions for setting up Snort?
There is a link in the offical Netgate documentation. Both packages work essentially the exact same way in terms of set up on pfSense. In fact, a large percentage of the PHP source is copy/paste with "Snort" changed to "Suricata". The Snort package existed first.
You should be able to run Snort currently on the SG-1100. I don't think it has the same compiler issue (but I'm not 100% positive).
Here is the link: https://docs.netgate.com/pfsense/en/latest/ids-ips/setup-snort-package.html.
-
Excellent!
I just realize there is a separate snort package install on the SG-1100. I will get this setup this morning.
-
I am glad to know this is an existing bug. My SG-1000 upgrade to 2.4.5 failed and I had to restore the factory image from USB key. I just assumed my backup configuration was somehow corrupt and causing an issue.
Even after installing the factory image and Suricata package with minimal configuration Suricata would die after about 10 seconds. Only when I ran Suricata from the command line did I see it print "Illegal Instruction" to stderr when it crashed - it was not captured to the log file.
I installed Snort and it works just fine, but I miss Suricata and hope the upstream issue is corrected soon.
-
@sholekamp said in Suricata core dumping after 2.4.5 upgrade:
I am glad to know this is an existing bug. My SG-1000 upgrade to 2.4.5 failed and I had to restore the factory image from USB key. I just assumed my backup configuration was somehow corrupt and causing an issue.
Even after installing the factory image and Suricata package with minimal configuration Suricata would die after about 10 seconds. Only when I ran Suricata from the command line did I see it print "Illegal Instruction" to stderr when it crashed - it was not captured to the log file.
I installed Snort and it works just fine, but I miss Suricata and hope the upstream issue is corrected soon.
The Signal 4 code (which is the ILLEGAL INSTRUCTION error) is printed to the system log of pfSense by the operating system. The reason it is not printed to the Suricata log is that Suricata is the process executing the illegal instruction. As a result, the operating system immediately terminates the process and there is no "suricata" process to write anything to its log.
-
@bmeeks
That all makes sense. I missed the entries in the system log:
Apr 9 15:31:09 pfSense kernel: pid 51904 (suricata), jid 0, uid 0: exited on signal 4 (core dumped)Seeing "Illegal Instruction" printed to the terminal is what led me to this thread. In the end my SG-100 is back up and running and the problem has been identified. I will keep an eye out for a Suricata update. Thank you for the support.
*** UPDATE ***
For anyone that stumbles upon this thread, the issue has been corrected with pfSense 2.4.5-p1 released June 9, 2020. See the release notes: https://docs.netgate.com/pfsense/en/latest/releases/2-4-5-p1-new-features-and-changes.htmlGreat work!