Snort (4.1.3_5) + SG-3100 (21.05-RELEASE (arm)) = exited on signal 10
-
Hello, we just bought an SG-3100 and installed snort on it to block attacks over the WAN.
Unfortunately snort exited on signal 10.
We tried Suricata but it also stops.
Jun 15 14:31:08 kernel pid 10484 (snort), jid 0, uid 0: exited on signal 10.
Thanks for your help
-
There is a patch to fix the PHP crashing issue for signal 11 in multiple packages, but for signal 10 see https://forum.netgate.com/topic/161050/snort-won-t-start-after-upgrade-to-21-02-on-sg-3100/28.
What is the problem with Suricata?
-
@steveits
Patch already done 5 days ago, but snort stops after a few minutes. For Suricata, I will reinstall it and tell you the error.
-
@hichem said in Snort (4.1.3_5) + SG-3100 (21.05-RELEASE (arm)) = exited on signal 10:
@steveits
Patch already done 5 days ago, but snort stops after a few minutes. For Suricata, I will reinstall it and tell you the error.
Pay attention to the errors in the log. Signal 11 is a segmentation fault. That was happening from the PHP PCRE engine. The patch referenced earlier in this thread fixes that Signal 11 problem.
It does NOT fix the Signal 10 issue. That is caused by opcode choices made by the compiler for the 32-bit ARM processor used in the SG-3100 appliance. There is no easy fix for that. I've explained why in several other threads.
If running an IDS/IPS is important to you, then get off of ARM 32-bit hardware and move to either an Intel/AMD platform, or a 64-bit aarch64 platform. The Signal 10 error has been an issue with Snort (and sometimes Suricata) since the release of the 32-bit ARM hardware appliances. I've tried one patch in the past that consists of disabling compiler optimizations by essentially telling the llvm compiler to compile Snort with the debugging flags enabled. That appeared to have worked for a while, especially under FreeBSD-11 (which the 2.4.5 branch of pfSense used). It appears that as of FreeBSD-12 (which the new 2.5.x branch and higher of pfSense is using), that old debugging compiler flag may no longer be effective.