Snort IPS 2.5.0-DEVELOPMENT (amd64) built on Thu Apr 30 17:02:06 EDT 2020 Snort 2.2.5_31
-
Hi,
Snort in blocking Mode "Inline IPS" doesn't start. Error:
May 1 09:40:56 kernel 856.639268 [ 376] netmap_ioctl_legacy Minimum supported API is 14 (requested 12)
May 1 09:40:56 snort 47023 FATAL ERROR: Can't start DAQ (-1) - start_instance: Netmap registration for port netmap:igb1 failed: Invalid argument (22)!
When setting it to Legacy Mode, Snort starts.
-
@iqjet said in Snort IPS 2.5.0-DEVELOPMENT (amd64) built on Thu Apr 30 17:02:06 EDT 2020 Snort 2.2.5_31:
Hi,
Snort in blocking Mode "Inline IPS" doesn't start. Error:
May 1 09:40:56 kernel 856.639268 [ 376] netmap_ioctl_legacy Minimum supported API is 14 (requested 12)
May 1 09:40:56 snort 47023 FATAL ERROR: Can't start DAQ (-1) - start_instance: Netmap registration for port netmap:igb1 failed: Invalid argument (22)!
When setting it to Legacy Mode, Snort starts.
Thanks for the report. I am aware of this from another user's report as well. This is a consequence of the move to FreeBSD-12.1 for the pfSense-2.5 snapshots. It will take me a little while to get it straightened out. First step is I have to create a new FreeBSD-12.1 package builder.
Until I can get the change in netmap API straightened out, you can switch to Legacy Blocking as you have done since that does not use netmap.
Had a report that netmap is also broken now in Suricata on pfSense-2.5, so it is a global netmap thing with FreeBSD-12.1.
-
I have created a Redmine Bug Report to track this issue. Thank you for the report.
-
I'd like to chime in as I'm also experiencing this issue.
May 2 11:29:48 edge check_reload_status[387]: Syncing firewall
May 2 11:28:49 edge snort[18389]: FATAL ERROR: Can't start DAQ (-1) - start_instance: Netmap registration for port netmap:em0 failed: Invalid argument (22)!
May 2 11:28:49 edge snort[18389]: Decoding Ethernet
May 2 11:28:49 edge snort[18389]: Commencing packet processing (pid=18389)
-
I finally got my Poudriere FreeBSD 12.1 jails to finish building this afternoon. Took over 18 hours to build the pair! Now I will be able to do some test compilation to see what's up with both Snort and Suricata on FreeBSD 12.1-STABLE.
-
The following worked for me on my testing VM. Please try this and report back here on the results.
-
Remove the Snort package from your firewall using SYSTEM > PACKAGE MANAGER (just delete the package, you won't lose your settings).
-
Return to SYSTEM > PACKAGE MANAGER and use the Available Packages tab to locate Snort and install it again. Be sure and wait for the install to complete. You will see a green "success" progress bar when it is done.
See if that corrects the "no start" issue with Inline IPS Mode. Please report back here with your findings.
The steps above will force a new download and install of the libraries used by Snort. I think there were some inconsistencies that linger on upgraded machines when the switch from FreeBSD-12.0 to FreeBSD-12.1-STABLE happened.
Thanks!
-
-
Thanks, after reboot snort comes up. Everything ok.
-
@iqjet said in Snort IPS 2.5.0-DEVELOPMENT (amd64) built on Thu Apr 30 17:02:06 EDT 2020 Snort 2.2.5_31:
Thanks, after reboot snort comes up. Everything ok.
Thank you for the feedback. I discovered on my testing VM that there is really nothing wrong with the package itself. The problem is the snapshot update in pfSense-2.5 that upgraded FreeBSD from 12.0-RELEASE to 12.1-STABLE does not necessarily update all of the shared libraries used by packages. Removing a package and then installing it again forces the new copies of the shared libraries to be installed. Simply clicking the "reinstall" icon unfortunately will not always force a download of new packages if pkg is confused and thinks the correct versions are already present.
-
When in doubt, you can run
pkg upgrade -f
which will force a reinstall of every package.
-
@jimp said in Snort IPS 2.5.0-DEVELOPMENT (amd64) built on Thu Apr 30 17:02:06 EDT 2020 Snort 2.2.5_31:
When in doubt, you can run
pkg upgrade -f
which will force a reinstall of every package.
And to further amplify what @jimp is saying --
Further research (after my post above from three days earlier) indicated that what actually was not updated by the upgrade from FreeBSD-12.0 to FreeBSD-12.1 was the snort or suricata binary itself. I'm guessing that because the "version" of the binary was not changed between the two FreeBSD updates, pkg thought it was good to go. But in fact there are differences in the netmap device API between FreeBSD-12.0 and 12.1, and those differences are accounted for by recompiling the binary package in the new OS. Executing the command @jimp shared will forcibly reinstall all the packages and thus make sure that the versions compiled under FreeBSD-12.1-STABLE are pulled down and installed.
It's also possible the same type of thing could happen to other dependent libraries during the OS version upgrade.
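
As an added example (not part of the original posts, and not pfSense or Snort project code): a small shell filter that picks the two symptoms discussed in this thread out of syslog text, the kernel rejecting an old netmap API request and the DAQ start failure that follows. The function names are hypothetical; the sample lines are copied from the messages quoted above.

```shell
#!/bin/sh
# Added example; function names are hypothetical.

# Sample syslog lines copied from the messages quoted in this thread.
sample_log() {
cat <<'EOF'
May 1 09:40:56 kernel 856.639268 [ 376] netmap_ioctl_legacy Minimum supported API is 14 (requested 12)
May 1 09:40:56 snort 47023 FATAL ERROR: Can't start DAQ (-1) - start_instance: Netmap registration for port netmap:igb1 failed: Invalid argument (22)!
May 2 11:28:49 edge snort[18389]: FATAL ERROR: Can't start DAQ (-1) - start_instance: Netmap registration for port netmap:em0 failed: Invalid argument (22)!
May 2 11:29:48 edge check_reload_status[387]: Syncing firewall
EOF
}

# Print "<minimum> <requested>" for every netmap API request the kernel rejected.
netmap_api_mismatches() {
    sed -n 's/.*netmap_ioctl_legacy Minimum supported API is \([0-9][0-9]*\) (requested \([0-9][0-9]*\)).*/\1 \2/p'
}

# Print "<program> <interface>" for every failed netmap registration.
netmap_failed_ports() {
    awk '/Netmap registration for port netmap:[^ ]+ failed/ {
        prog = "unknown"; iface = "unknown"
        for (i = 2; i <= NF; i++) {
            if ($i == "FATAL") {
                prog = $(i - 1)
                # "snort 47023 FATAL" style: the token before FATAL is the pid
                if (prog ~ /^[0-9]+$/ && i > 2) prog = $(i - 2)
                sub(/\[.*/, "", prog)   # "snort[18389]:" -> "snort"
            }
            if ($i ~ /^netmap:/) iface = substr($i, 8)
        }
        print prog, iface
    }' | sort -u
}

# Succeed (exit 0) when a binary asked for an older API than the kernel accepts,
# which is what a package built for the previous OS release looks like.
has_stale_netmap_binary() {
    netmap_api_mismatches | awk '$2 < $1 { found = 1 } END { exit !found }'
}

if sample_log | has_stale_netmap_binary; then
    echo "binary built against an older netmap API; failed starts:"
    sample_log | netmap_failed_ports
fi
```

If it reports a mismatch, the remedies given in this thread apply: remove and reinstall the package, or run pkg upgrade -f.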
-
@bmeeks It would be great to compile FreeBSD 12.1 with all the latest NIC drivers.
-
Sorry, I don't intend to hijack this thread, but.. An admin moved my thread from IDS to Development.
I'm not an expert, but I think there is, like bmeeks expressed, something fishy with netmap and/or NIC drivers. I wrote about my experience with a Wireguard client on Linux Mint in this thread.
https://forum.netgate.com/topic/153255/bug-2-5-0-development-amd64-built-on-sun-may-03-23-56-0-snort-2-9-16-inline-ips-throttles-wireguard-speed.
I noticed a significant speed drop with WG in March as I changed Snort IPS to inline IPS mode. Since I changed back to Legacy Mode my speed is back. Everything OK.
I have set up an ovpn client to Mullvad, my speed is > 350Mbit/s regardless if on Legacy or IPS Mode, with my ISP regardless of IPS/Legacy Mode ~ 950Mbit/s. When using WG on a client PC, speed in IPS Mode throttles down to ~ 70Mbit/s, in Legacy ~ 830MBit/s.
Remark: IPS Mode never created problems between March, when first used, and the change back to Legacy on the 5th of May, no crash or whatever.