
Author Topic: Snort + SG-3100 = exited on signal 10  (Read 1007 times)


Offline RossCaryNC

  • Newbie
  • Posts: 3
  • Karma: +0/-0
Snort + SG-3100 = exited on signal 10
« on: November 02, 2017, 08:59:00 am »
So this may be a possible issue with the brand new SG-3100. I have not done exhaustive troubleshooting YET but this is what I know at this time:

Situation:

  • Brand new SG-3100. Just received and installed November 1, 2017. Pre-order, so I have to imagine I am one of the first to see this issue.
  • Install Snort Package and follow directions here: https://doc.pfsense.org/index.php/Setup_Snort_Package
  • Pay for VRT rules. Snort 100% up to date. (I will update post with specific versions later but up to date as of November 2 1:00AM)
  • Assign WAN interface
  • Apply VRT "Connection" policy instead of choosing specific rules
  • Start Snort
  • Snort errors out nearly immediately with "exited on signal 10" followed by "exiting promiscuous mode"


What I have noticed thus far:
  • Removing all rules allows snort to continue working (makes me think class issue)
  • PreProcessor rules lack class on many of the default rules ;D
  • Signal 11 is for classification issues. I am getting signal 10. No custom rules installed. Only snort VRT
  • Signal 10 says "According to the FreeBSD docs, Signal 10 is a memory bus error" (TY @bmeeks https://forum.pfsense.org/index.php?topic=138813.0)
  • Re-install and re-configures have no effect

Food for thought from/for the Admins:

On Oct 22 (a week ago) IVOR posted in regards to running snort on the SG-1000 - "No, it's (snort) not enough powerful to run on SG-1000. We added Snort to ARM packages because of SG-3100". This makes me think that there is a bug and this is not something I am doing wrong. I also do not believe that the instructions are missing a step (particularly that you would need to fix classifications on baseline rules) before anything will work.

My PFSense T-Shoot skills are meh but I am more than willing to dump any logs or configs. Just let me know what you guys think. /Ross

Offline ivor

  • Administrator
  • Hero Member
  • Posts: 611
  • Karma: +135/-125
Re: Snort + SG-3100 = exited on signal 10
« Reply #1 on: November 02, 2017, 09:20:36 am »
Makes me believe you're having issues with the latest ruleset. Also, those log entries you wrote are not nearly enough information. Snort should write an actual error if it's having one. Try using the community ruleset (built in) instead of the paid ones for a test.

Also, enable "Startup/Shutdown Logging" under Snort Global Settings to see more detailed log.
Need help fast? Commercial support: https://www.netgate.com/support/

Offline RossCaryNC

  • Newbie
  • Posts: 3
  • Karma: +0/-0
Re: Snort + SG-3100 = exited on signal 10
« Reply #2 on: November 02, 2017, 09:34:45 am »
Thank you IVOR. I am at work now but will post better error information as soon as I am home.

Offline stephenw10

  • Administrator
  • Hero Member
  • Posts: 11914
  • Karma: +468/-15
Re: Snort + SG-3100 = exited on signal 10
« Reply #3 on: November 02, 2017, 11:20:25 am »
Hmm, I'm also seeing that same issue. Only loading GPL and ET rules. Running a 2.4.2a snapshot.

Snort is not logging anything particularly useful. I'm digging further.

Suricata appears to run just fine though, so that's an option in the mean time.

Steve

Offline bmeeks

  • Hero Member
  • Posts: 3159
  • Karma: +818/-0
Re: Snort + SG-3100 = exited on signal 10
« Reply #4 on: November 02, 2017, 03:31:59 pm »
The SG-3100 uses an ARM CPU. I think Signal 10 can also be wrapped up in an illegal instruction problem as well. One thing Snort has is those precompiled shared-object rules. They are in binary form. They may not work on ARM platforms, but I'm not sure. But they are generally only present and loaded when using the actual VRT rules. They are not in the ET Open or Community rules, so if using just those rules I would think the SO rules can be ruled out (no pun intended).

EDIT:  A Google search found this thread about Shared Object rules and ARM -- http://seclists.org/snort/2013/q2/1219

There is a command-line switch for recompiling the shared-object rules. Don't know if that would work or not.

Bill
« Last Edit: November 02, 2017, 03:35:30 pm by bmeeks »

Offline Valiant

  • Newbie
  • Posts: 5
  • Karma: +0/-0
Re: Snort + SG-3100 = exited on signal 10
« Reply #5 on: November 04, 2017, 05:26:15 am »
Hi,

I'm new here and new to PFSense. I've also recently purchased the SG-3100 which is running nicely other than having this same Snort issue. My box is on 2.4.1 and the Snort package installed using the package manager is 3.2.9.5_3. I've only registered for the free rules.

Snort stops running almost immediately, logs show snort exited on signal 10, then promiscuous mode disabled.

Offline bmeeks

  • Hero Member
  • Posts: 3159
  • Karma: +818/-0
Re: Snort + SG-3100 = exited on signal 10
« Reply #6 on: November 04, 2017, 08:17:50 am »
Quote
Hi,

I'm new here and new to PFSense. I've also recently purchased the SG-3100 which is running nicely other than having this same Snort issue. My box is on 2.4.1 and the Snort package installed using the package manager is 3.2.9.5_3. I've only registered for the free rules.

Snort stops running almost immediately, logs show snort exited on signal 10, then promiscuous mode disabled.

After some Google research, I'm coming to believe Snort and the ARM architecture are currently incompatible.  Snort rule sets contain a set of pre-compiled rules called the dynamic shared-object rules.  Those are compiled for Intel CPU platforms currently and not ARM.  When Snort tries to load and run those shared-object rules, it is generating the Signal 10 error.  That error can mean a memory bus problem, but it also is related to code attempting to execute an illegal instruction.  In the case of the SO rules, that would be the pre-compiled rule code attempting to execute an Intel CPU instruction on an ARM CPU.  That's not going to come out well... ;).

Try running with the Shared Object rules disabled.  You do this by making sure none of their categories are checked on the CATEGORIES tab.  The Shared Object Rules have their own sub-section on that tab.  Make sure none of those categories are checked, click the Save button and then attempt to start Snort on the interface.

Bill
« Last Edit: November 04, 2017, 09:00:23 am by bmeeks »
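As an added diagnostic to go with Bill's explanation (this is example code written for this page, not code from the thread or from the pfSense Snort package), the script below checks the architecture mismatch directly: it reads the ELF header of each shared-object rule file and compares its e_machine field with the CPU the host reports. A precompiled x86 or x86-64 object loaded on an ARM board is exactly the case that would surface as SIGBUS (signal 10 on FreeBSD) or an illegal-instruction fault at load time. The host-string mapping, the sample headers and the directory argument are assumptions; the two sample headers are constructed in memory so the check runs offline.

```python
"""Report Snort shared-object (SO) rule files whose ELF architecture does not
match the host CPU. Example code, not part of the pfSense Snort package."""
import os
import platform
import struct
import sys

ELF_MAGIC = b"\x7fELF"

# e_machine values from the ELF specification
EM_386 = 0x03
EM_ARM = 0x28
EM_X86_64 = 0x3E
EM_AARCH64 = 0xB7
EM_NAMES = {EM_386: "x86", EM_X86_64: "x86-64", EM_ARM: "ARM", EM_AARCH64: "AArch64"}


def elf_machine(header):
    """Return the e_machine value from an ELF header, or None if not ELF.
    e_machine is a 2-byte field at offset 18; byte 5 (EI_DATA) gives endianness."""
    if len(header) < 20 or header[:4] != ELF_MAGIC:
        return None
    endian = "<" if header[5] == 1 else ">"
    (machine,) = struct.unpack(endian + "H", header[18:20])
    return machine


def expected_machine(host=None):
    """Map a platform.machine() string to the e_machine the host runs natively.
    Assumption: the SG-3100 reports a 32-bit 'arm*' string, as the thread implies."""
    host = (host or platform.machine()).lower()
    if host in ("aarch64", "arm64"):
        return EM_AARCH64
    if host.startswith("arm"):          # armv6, armv7, armv7l ...
        return EM_ARM
    if host in ("amd64", "x86_64"):
        return EM_X86_64
    if host in ("i386", "i486", "i586", "i686"):
        return EM_386
    return None


def is_compatible(header, host=None):
    """True only when the object is ELF and its e_machine matches the host."""
    em, want = elf_machine(header), expected_machine(host)
    return em is not None and want is not None and em == want


def scan_so_dir(directory, host=None):
    """Walk a directory and return (path, arch_name) for every .so file whose
    architecture does not match the host; non-ELF .so files are reported too."""
    mismatches = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if not name.endswith(".so"):
                continue
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                header = fh.read(64)
            if not is_compatible(header, host):
                em = elf_machine(header)
                label = "not ELF" if em is None else EM_NAMES.get(em, hex(em))
                mismatches.append((path, label))
    return mismatches


def _fake_elf_header(machine, elf_class=2, little_endian=True):
    """Constructed 64-byte ELF header for offline testing (not a real object)."""
    ident = ELF_MAGIC + bytes([elf_class, 1 if little_endian else 2, 1]) + b"\x00" * 9
    endian = "<" if little_endian else ">"
    rest = struct.pack(endian + "HHI", 3, machine, 1)   # e_type=ET_DYN, e_machine, e_version
    return (ident + rest).ljust(64, b"\x00")


# Constructed samples: an x86-64 object (what a VRT SO rule built for Intel
# looks like) and a 32-bit ARM object.
SAMPLE_X86_64_SO = _fake_elf_header(EM_X86_64)
SAMPLE_ARM_SO = _fake_elf_header(EM_ARM, elf_class=1)


if __name__ == "__main__":
    # Usage: python3 so_arch_check.py /path/to/snort/so_rules  (directory is an assumption)
    if len(sys.argv) != 2:
        sys.exit("usage: so_arch_check.py <directory containing the SO rule .so files>")
    bad = scan_so_dir(sys.argv[1])
    for path, arch in bad:
        print("MISMATCH %s: built for %s, host is %s" % (path, arch, platform.machine()))
    print("%d mismatched shared-object rule file(s)" % len(bad))
```

Run it on the box with the directory the package unpacks the SO rules into; an empty result means the precompiled rules are at least the right architecture, which would point the investigation at the other causes Bill mentions (alignment, compiler options) rather than at the SO rules.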

Offline Valiant

  • Newbie
  • Posts: 5
  • Karma: +0/-0
Re: Snort + SG-3100 = exited on signal 10
« Reply #7 on: November 05, 2017, 07:09:27 am »
Thanks for your help Bill. That news is a little disappointing if that's the case. Perhaps things may change in the future.

I am a newbie so I want to discount the possibility I may be doing something wrong in the setup. I cannot find a separate SO tab; however, under the section 'Select the rulesets (Categories) Snort will load at startup', there is a middle column labelled 'Ruleset: Snort SO Rules', with nothing shown below. I assume that means there are no SO rules enabled (the problem however still persists).

Thanks again.
« Last Edit: November 05, 2017, 07:24:17 am by Valiant »

Offline bmeeks

  • Hero Member
  • Posts: 3159
  • Karma: +818/-0
Re: Snort + SG-3100 = exited on signal 10
« Reply #8 on: November 05, 2017, 07:27:14 am »
Quote
Thanks for your help Bill. That news is a little disappointing if that's the case. Perhaps things may change in the future.

I am a newbie so I want to discount the possibility I may be doing something wrong in the setup. I cannot find a separate SO tab, however under the section 'Select the rulesets (Categories) Snort will load at startup', there is a middle column labelled 'Ruleset: Snort SO Rules', with nothing shown below - I assume that means there are no SO rules enabled.

Thanks again.

On the GLOBAL SETTINGS page, what rules do you have enabled for download?  Do you have a Snort Oinkcode, or are you just using the Emerging Threats or GPLv2 Community Rules?  If you don't have an Oinkcode for the Snort VRT rules, then you don't have shared-object rules as they only exist in the Snort VRT package (which you must register for at snort.org and get an Oinkcode for access).

The shared-object rules are definitely one place where ARM architecture can be incompatible with the Snort package, but it's not the only place.  There may be some structure/byte alignment issues as well.

Bill

Offline stephenw10

  • Administrator
  • Hero Member
  • Posts: 11914
  • Karma: +468/-15
Re: Snort + SG-3100 = exited on signal 10
« Reply #9 on: November 05, 2017, 11:23:29 am »
Hmm, I'm seeing that with only the GPL rules loaded. It does seem to stay up longer without any emerging rules loaded but still crashes out eventually.

Steve

Offline bmeeks

  • Hero Member
  • Posts: 3159
  • Karma: +818/-0
Re: Snort + SG-3100 = exited on signal 10
« Reply #10 on: November 05, 2017, 12:38:53 pm »
Quote
Hmm, I'm seeing that with only the GPL rules loaded. It does seem to stay up longer without any emerging rules loaded but still crashes out eventually.

Steve

Thanks for the feedback.  I still think there are some compiler optimizations that may be needed for packages created for the ARM-based systems.  While the precompiled shared-object rules can certainly be a problem, I'm betting they are not the only issue here.

I've done some limited Google research on Snort and ARM architecture, but so far have not found a lot of useful information.

Bill

Offline Valiant

  • Newbie
  • Posts: 5
  • Karma: +0/-0
Re: Snort + SG-3100 = exited on signal 10
« Reply #11 on: November 05, 2017, 09:43:19 pm »
Quote
On the GLOBAL SETTINGS page, what rules do you have enabled for download?  Do you have a Snort Oinkcode, or are you just using the Emerging Threats or GPLv2 Community Rules?  If you don't have an Oinkcode for the Snort VRT rules, then you don't have shared-object rules as they only exist in the Snort VRT package (which you must register for at snort.org and get an Oinkcode for access).

The shared-object rules are definitely one place where ARM architecture can be incompatible with the Snort package, but it's not the only place.  There may be some structure/byte alignment issues as well.

Bill

Yes, I have an Oinkcode and enabled the VRT rules. I've also tried unchecking the VRT rules and selecting only the GPLv2 community rules, and then only the Emerging Threats open rules. In all 3 cases I get the same result: the service stops immediately (one ruleset does not appear to keep the service running any longer than the other).

Jim

Offline bmeeks

  • Hero Member
  • Posts: 3159
  • Karma: +818/-0
Re: Snort + SG-3100 = exited on signal 10
« Reply #12 on: November 05, 2017, 10:15:46 pm »
Question for you guys with SG-3100 systems:  have you tried running Snort in pure IDS mode with blocking disabled?  That would potentially help narrow down the problem.

I don't have an ARM system to test with, so troubleshooting/fixing this is going to be difficult for me.

Bill

Offline Valiant

  • Newbie
  • Posts: 5
  • Karma: +0/-0
Re: Snort + SG-3100 = exited on signal 10
« Reply #13 on: November 06, 2017, 12:00:40 am »
Quote
Question for you guys with SG-3100 systems:  have you tried running Snort in pure IDS mode with blocking disabled?  That would potentially help narrow down the problem.

I don't have an ARM system to test with, so troubleshooting/fixing this is going to be difficult for me.

Bill

Good suggestion. I tried unchecking the 'Block Offenders' option under Settings > Alert Settings; I assume that puts it into IDS mode.

Same result however, service stops  :(

Offline stephenw10

  • Administrator
  • Hero Member
  • Posts: 11914
  • Karma: +468/-15
Re: Snort + SG-3100 = exited on signal 10
« Reply #14 on: November 06, 2017, 06:08:39 am »
Same here. I was running in non-blocking mode anyway.

My test box for this sees virtually no traffic to speak of unless I initiate it. Snort definitely remains running for far longer with only the GPL rules loaded.

Steve