Topic: Snort + SG-3100 = exited on signal 10

mcury
« Reply #30 on: December 10, 2017, 09:29:11 pm »
Yes, it's working perfectly fine.
Didn't have a single crash so far, running only on my LAN, IPS mode (blocking mode enabled), not inline, didn't test this yet.

drewsaur
« Reply #31 on: December 11, 2017, 06:25:53 am »
> Hmm, interesting. Is Suricata still running OK for you?
>
> I initially thought this also but found Suricata crashed out after some time. However I'm re-testing it now and it's still running....so far.
>
> Steve

Are you running in inline mode or legacy mode? From what I can tell, inline mode isn't ready yet for the 3100 due to lack of driver support, which the team is working on.

stephenw10
« Reply #32 on: December 11, 2017, 09:59:52 am »
Running in non-blocking mode currently. One step at a time  ;)

Previously it wasn't running at all from what I could see but now seems good at 24hrs+.

Steve

sean.allen
« Reply #33 on: December 27, 2017, 04:23:52 pm »
Just checking back in. Any movement getting snort fully functional on SG-3100/ARM? I'm really interested in the new app detection stuff, so running Suricata doesn't scratch the itch. Really happy with my SG-3100 so far (but for this). I'm happy to help test/troubleshoot if my rig can be of assistance.

From the thread, it looks non-trivial based on some old bad programming habits. Not sure how hard that is to track down and fix  :(

Thanks for any and all help!

Sean

bmeeks
« Reply #34 on: December 28, 2017, 11:28:22 am »
> Just checking back in. Any movement getting snort fully functional on SG-3100/ARM? I'm really interested in the new app detection stuff, so running Suricata doesn't scratch the itch. Really happy with my SG-3100 so far (but for this). I'm happy to help test/troubleshoot if my rig can be of assistance.
>
> From the thread, it looks non-trivial based on some old bad programming habits. Not sure how hard that is to track down and fix  :(
>
> Thanks for any and all help!
>
> Sean

No firm progress yet.  I did manage to find where generally in the code it is failing (at least one point).  It appears to be in the loading of the Stream5 preprocessor.  Debugging this has proven challenging because when I build Snort with debugging enabled it does not crash!  It only crashes with debugging disabled.  Without the debugging symbols being enabled, troubleshooting the crash is very difficult.

I've not had much time to troubleshoot over the Christmas holidays.  Since those are winding down, I should have more time to devote to the troubleshooting task.  I have an SG-3100 appliance I am testing with.  It was generously provided by the pfSense team.

Bill

Maxburn
« Reply #35 on: January 01, 2018, 01:37:27 pm »
Ouch, I literally just bought one of these today because I wanted to get introduced to pfSense and things like Snort. Saw mention elsewhere it didn't work on the SG1000 but missed this about the SG3100. I'm subscribed and best of luck but I think I'm going to put in more research on Qotom.

bmeeks
« Reply #36 on: January 03, 2018, 09:44:05 am »
> Ouch, I literally just bought one of these today because I wanted to get introduced to pfSense and things like Snort. Saw mention elsewhere it didn't work on the SG1000 but missed this about the SG3100. I'm subscribed and best of luck but I think I'm going to put in more research on Qotom.

Reports from other SG-3100 users indicate Suricata works fine on the hardware.  Just use Suricata for now.  There is no meaningful security difference between it and Snort.  The only functional difference is Snort currently offers OpenAppID while Suricata does not, but then Suricata is multi-threaded and has Inline IPS Mode while Snort does not.

Bill

stephenw10
« Reply #37 on: January 03, 2018, 05:46:25 pm »
Yes, Suricata seems to run fine on the SG-3100.

The only issue with it I have seen is that the package does not survive a firmware update for some reason I've yet to determine. It requires un-installing and then re-installing (not just hitting the reinstall button) after updating.

Not a huge issue unless you're following development snapshots and updating every day. Like me.  ;)

Steve