Important Snort and Suricata Package Announcement -- probable bug in Legacy Blocking Module

bmeeks

@Bob-Dig said in Important Snort and Suricata Package Announcement -- probable bug in Legacy Blocking Module:

I have a block here (Kill States enabled), everything seems to be good, so maybe Suricata isn't affected. I don't use any snort rules though.

Give it some running time. The fault is not always instantaneous for other users. Some are seeing up to 30 minutes of runtime before a fault.

The specific rules (Snort VRT versus Emerging Threats or others) should not play any role here. The custom blocking plugin code is generally ignorant of the rule specifics. It is just concerned with pulling out the offending IP from the data passed by the main binary and then deciding whether to block the IP or not based on any configured pass list.

From evidence gathered thus far, the bug appears to need multiple factors to trigger. I say this because it does not seem to be reproducible with any degree of certainty.

InstanceExtension

@bmeeks Add me to the list of 2.7.0 CE (just downgraded from Plus on Oct 31st) using Snort legacy mode and seeing core dumps. Mine all seems to occur just after a rules update when Snort is restarted, Does not occur with each rules update and restart though. Has occurred 3 times since Nov 1st.

Bob.Dig

@bmeeks said in Important Snort and Suricata Package Announcement -- probable bug in Legacy Blocking Module:

Give it some running time. The fault is not always instantaneous for other users. Some are seeing up to 30 minutes of runtime before a fault.

Still nothing to report here for Suricata.

NogBadTheBad

@Bob-Dig You're running In-line mode aren't you ?

Bob.Dig

@NogBadTheBad No, legacy.

bmeeks

Update -- I was finally able to experience the Signal 11 core dump on my CE 2.7.0-RELEASE testing machine. It took about an hour for the event to trigger. Seemed to happen when it attempted to kill open states.

I am now building a debug-enabled version of Snort for further testing to see if I can trigger the fault again. Having a debug-enabled version will help track down what's happening. Since the fault happens randomly, this may take a bit to work out.

Bob.Dig

@bmeeks Just another Datapoint regarding Suricata. I let it run over two hours on my VPS with pfSense CE RC on WAN. Hundreds of blocks, still no problem.

bmeeks

@Bob-Dig said in Important Snort and Suricata Package Announcement -- probable bug in Legacy Blocking Module:

@bmeeks Just another Datapoint regarding Suricata. I let it run over two hours on my VPS with pfSense CE RC on WAN. Hundreds of blocks, still no problem.

Is this with Kill States checked or unchecked on the INTERFACE SETTINGS tab?

Bob.Dig

@bmeeks Checked. The only thing of note, I block only for 15 mins, so right now there are "only" 33 blocks and no snort-rules.
suricata 7.0.2

Cool_Corona

@Bob-Dig Run it "infinete" and you will see :)

Bob.Dig

@Bob-Dig said in Important Snort and Suricata Package Announcement -- probable bug in Legacy Blocking Module:

I block only for 15 mins, so right now there are "only" 33 blocks and no snort-rules.
suricata 7.0.2

Run it over night, still no problem, will stop it now.

fireodo

@Bob-Dig said in Important Snort and Suricata Package Announcement -- probable bug in Legacy Blocking Module:

Run it over night, still no problem, will stop it now.

Probably, in your case, the second condition (kill states is the main one) is not occurring (considering Bill Meeks theory) so there is no crash ...

Bob.Dig

@fireodo My theory is, it is a snort problem, not suricata. Let's see.

fireodo

@Bob-Dig said in Important Snort and Suricata Package Announcement -- probable bug in Legacy Blocking Module:

@fireodo My theory is, it is a snort problem, not suricata. Let's see.

slu

@bmeeks

don't see such an issue on my two 2.7.0 CE boxes:
2.7.0 CE
Snort 4.1.6_13
Legacy Mode
Kill States enabled

Gblenn

I have Suricata running in Legacy mode at two different sites, (2.7.0 and 23.09). Both with Kill States enabled and no problems whatsoever...

Bob.Dig

@slu Do you have actually blocks?

Gblenn

@Bob-Dig Yes I do, and I have the Remove Blocked Hosts Interval set to 1h but could change it to something higher if that would have an effect?
Up until a few days ago I have had the 23.09 site set up with Block on DROP Only NOT being checked. Meaning I had every single Alert resulting in a Block and basically having built up a Passlist that works for me. As a result I would usually see quite a long list in the Blocks tab. Most of them ET INFO actually, but still blocks.
The 2.7.0 site is also set up this way, but it's for our vacation home so not much going on there at the moment.

slu

@Bob-Dig
good point, no, not at the moment.

Gblenn

@slu said in Important Snort and Suricata Package Announcement -- probable bug in Legacy Blocking Module:

@Bob-Dig
good point, no, not at the moment.

Ah, that was a question to you obviously...