Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Important Snort and Suricata Package Announcement -- probable bug in Legacy Blocking Module

    IDS/IPS
    15
    82
    10.5k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • bmeeksB
      bmeeks @NogBadTheBad
      last edited by bmeeks

      @NogBadTheBad said in Important Snort and Suricata Package Announcement -- probable bug in Legacy Blocking Module:

      Looks like its Hyperscan causing the issue.

      Agreed, but the additional details are what I needed to verify.

      It's important for Suricata users to understand there are two likely completely unrelated bugs impacting them. One was the Legacy Blocking Mode bug that also affected Snort. That bug is fixed as of version 7.0.2_1 of the Suricata package. It was nailed down to a problem in the libpfctl library distributed with pfSense.

      The potential HyperScan bug (that is still just a theoretical cause, but circumstantial evidence strongly points there) is a totally different thing unrelated to Legacy Blocking Mode. But users have intermixed the two bug reports in this thread about the common Legacy Blocking Mode problem that Snort and Suricata shared.

      So, that's why I asked the clarifying questions about Legacy Blocking Mode and turning off the Kill States option. I needed to verify which bug you were likely still seeing. I was pretty sure it was not the Legacy Blocking Mode bug, but just needed confirmation from you.

      If other Suricata users read this thread and find this reply, please determine which bug is currently impacting you: (1) the Legacy Blocking Mode bug, which so far as we know at this point is fixed; or (2) the HyperScan related bug which is not positively identified as reproducible and also not verified as fixed. You can immediately rule out anything related to Legacy Blocking Mode by simply turning off blocking and seeing if Suricata still experiences the crash. If it still crashes with Legacy Blocking Mode disabled, then the bug reported in this thread is not what you are experiencing.

      1 Reply Last reply Reply Quote 0
      • bmeeksB bmeeks locked this topic on
      • bmeeksB
        bmeeks
        last edited by

        Locking this thread for now as I am highly confident the original bug discussed here was fixed as of version 4.1.6_14 of the Snort package and version 7.0.2_1 of the Suricata package.

        If you are having Signal 11 or Signal 10 crashes with Suricata, please report those in this thread instead: https://forum.netgate.com/topic/184101/suricata-process-dying-due-to-hyperscan-problem.

        1 Reply Last reply Reply Quote 0
        • S SteveITS referenced this topic on
        • D dmds referenced this topic on
        • First post
          Last post