
Author Topic: Snort + SG-3100 = exited on signal 10  (Read 2339 times)

Offline Missionary Admin

  • Newbie
  • *
  • Posts: 2
  • Karma: +0/-0
    • View Profile
Re: Snort + SG-3100 = exited on signal 10
« Reply #45 on: January 29, 2018, 06:21:29 pm »
I tried adjusting the STREAM5 settings.  Behavior of crash changed.  FATAL ERROR: /usr/local/etc/snort/snort_11522_mvneta0/rules/snort.rules(6083) Unknown rule option: 'stream_size'.

I should note that I have 2 interfaces set up.  I have a redundant WAN setup and am trying to set snort to monitor both of these.  mvneta2 is the WAN port.  mvneta0 is Opt1 which I have labeled WAN2.  Prior to the new package release WAN2 would run but WAN would not.  Now my behavior is the exact opposite.  WAN will run but WAN2 will not.  I did read the release notes.  I did a total uninstall of snort and reinstalled.

I am very disappointed with the SG3100.  I did not do my research well enough.  I have an SG2440 I set up at one of my sites that works great.  I went to buy another but it was end of sale.  I only bought this because the end of sale page for SG2440 showed this was the recommended replacement.  Guess I should have read a little deeper.  I will be contacting Netgate to see if we can get the money back.  Don't have a big network but need the redundant LAN as I am in Haiti and the internet here is not reliable so we have 2 providers.

Offline atrotter01

  • Newbie
  • *
  • Posts: 12
  • Karma: +0/-0
    • View Profile
Re: Snort + SG-3100 = exited on signal 10
« Reply #46 on: January 29, 2018, 06:34:52 pm »
This crash is likely related to having a rule enabled that needs the preprocessor.  I am able to get it to run but only with that option disabled and minimal rules enabled.

Offline bmeeks

  • Hero Member
  • *****
  • Posts: 3298
  • Karma: +862/-0
    • View Profile
Re: Snort + SG-3100 = exited on signal 10
« Reply #47 on: January 29, 2018, 08:38:39 pm »
I just checked my test SG-3100 and Snort is still running with all of the "default enabled" preprocessors enabled.  In other words, an out-of-the-box install with several OpenAppID rule categories and the Snort Subscriber Rules "IPS Connectivity" policy enabled.

I have it running on the LAN of this test box and the WAN is not connected.  Basically I have the SG-3100 sitting on my LAN.  I am getting alerts for the HTTP_INSPECT stuff as I have no suppression list enabled.

Bill

Offline atrotter01

  • Newbie
  • *
  • Posts: 12
  • Karma: +0/-0
    • View Profile
Re: Snort + SG-3100 = exited on signal 10
« Reply #48 on: January 29, 2018, 08:43:10 pm »
Do you have any other packages, or anything else, set up on your test SG-3100?  There must be some difference between mine and yours that causes mine to crash.  Mine is used as my primary router, so I do have LAN and WAN configured. I also have many other packages installed.  If you have any other suggestions I am happy to try anything to get it working.

Offline bmeeks

  • Hero Member
  • *****
  • Posts: 3298
  • Karma: +862/-0
    • View Profile
Re: Snort + SG-3100 = exited on signal 10
« Reply #49 on: January 29, 2018, 08:45:36 pm »
> This crash is likely related to having a rule enabled that needs the preprocessor.  I am able to get it to run but only with that option disabled and minimal rules enabled.

Let's double-check the binary you have installed.  First, are you on an SG-3100 and is it running 2.4.2?

Do

Code:
ls -l /usr/local/bin/snort

and you should get a file size of 2112260.

Next, calculate the MD5 of the binary:

Code:
md5 /usr/local/bin/snort

you should get:

Code:
MD5 (snort) = d68fbb7e854e4ed7d16184c0a67d611b

Let me know what you have for these checks.

Bill

Offline bmeeks

  • Hero Member
  • *****
  • Posts: 3298
  • Karma: +862/-0
    • View Profile
Re: Snort + SG-3100 = exited on signal 10
« Reply #50 on: January 29, 2018, 08:46:32 pm »
> Do you have any other packages, or anything else, set up on your test SG-3100?  There must be some difference between mine and yours that causes mine to crash.  Mine is used as my primary router, so I do have LAN and WAN configured. I also have many other packages installed.  If you have any other suggestions I am happy to try anything to get it working.

Nope, no other packages.  Just Snort.  I was given this box to test with by the Netgate folks, and so I just stuck it on my network while I worked on getting Snort to run.

Bill

Offline atrotter01

  • Newbie
  • *
  • Posts: 12
  • Karma: +0/-0
    • View Profile
Re: Snort + SG-3100 = exited on signal 10
« Reply #51 on: January 29, 2018, 08:51:43 pm »
It looks like I am somehow getting a different binary.  I am running 2.4.2_1 of pfSense.

[2.4.2-RELEASE][admin@pfsense]/root: ls -lusr/local/bin/snort
-r-xr-xr-x  1 root  wheel  1377676 Jan 25 22:20 /usr/local/bin/snort
[2.4.2-RELEASE][admin@pfsense]/root: md5 /usr/local/bin/snort
MD5 (/usr/local/bin/snort) = 35d9aa2e1e46543242a4c404f015fc8d

Running snort --help gives me this version:

Version 2.9.11.1 GRE (Build 268) FreeBSD

Package manager shows 3.2.9.6 installed with snort-2.9.11.1.

Offline bmeeks

  • Hero Member
  • *****
  • Posts: 3298
  • Karma: +862/-0
    • View Profile
Re: Snort + SG-3100 = exited on signal 10
« Reply #52 on: January 29, 2018, 08:54:48 pm »
> It looks like I am somehow getting a different binary.  I am running 2.4.2_1 of pfSense.
>
> [2.4.2-RELEASE][admin@pfsense]/root: ls -lusr/local/bin/snort
> -r-xr-xr-x  1 root  wheel  1377676 Jan 25 22:20 /usr/local/bin/snort
> [2.4.2-RELEASE][admin@pfsense]/root: md5 /usr/local/bin/snort
> MD5 (/usr/local/bin/snort) = 35d9aa2e1e46543242a4c404f015fc8d
>
> Running snort --help gives me this version:
>
> Version 2.9.11.1 GRE (Build 268) FreeBSD
>
> Package manager shows 3.2.9.6 installed with snort-2.9.11.1.

Yes, your binary is different.  Let me investigate that and see what's going on.

Bill

Offline bmeeks

  • Hero Member
  • *****
  • Posts: 3298
  • Karma: +862/-0
    • View Profile
Re: Snort + SG-3100 = exited on signal 10
« Reply #53 on: January 29, 2018, 09:05:02 pm »
OK, the binary that is installing is not correct.  I will need to get with the pfSense team to find out why.

In my case, because I had manually installed my "fixed" binary package during testing, when I removed the Snort package from my SG-3100 the actual binary was not getting deleted.  Thus even though I was removing the package and installing it fresh during subsequent testing today, my actual binary was not getting changed and my test version binary was being used again.  That's why it worked for me.  So the fix really works, but for some reason the build of the binary on the Netgate repository is not including my "fix".

EDIT UPDATE: found out after some investigation that one of my patch files got omitted when everything was cherry-picked into the Netgate/pfSense repository.  I've notified the pfSense team and they should get things squared away soon.  When I get confirmation of the fixed binary being posted, I will post a message to this thread.  SG-3100 users can then once again remove and reinstall the Snort package to get the fixed binary.

Sorry for the trouble ...  ;).  I knew it was working on my end, so when I saw reports here to the contrary I was baffled at first.  Glad to figure out what actually happened.

Bill

« Last Edit: January 29, 2018, 09:26:02 pm by bmeeks »

Offline atrotter01

  • Newbie
  • *
  • Posts: 12
  • Karma: +0/-0
    • View Profile
Re: Snort + SG-3100 = exited on signal 10
« Reply #54 on: January 30, 2018, 06:03:54 pm »
> OK, the binary that is installing is not correct.  I will need to get with the pfSense team to find out why.
>
> In my case, because I had manually installed my "fixed" binary package during testing, when I removed the Snort package from my SG-3100 the actual binary was not getting deleted.  Thus even though I was removing the package and installing it fresh during subsequent testing today, my actual binary was not getting changed and my test version binary was being used again.  That's why it worked for me.  So the fix really works, but for some reason the build of the binary on the Netgate repository is not including my "fix".
>
> EDIT UPDATE: found out after some investigation that one of my patch files got omitted when everything was cherry-picked into the Netgate/pfSense repository.  I've notified the pfSense team and they should get things squared away soon.  When I get confirmation of the fixed binary being posted, I will post a message to this thread.  SG-3100 users can then once again remove and reinstall the Snort package to get the fixed binary.
>
> Sorry for the trouble ...  ;).  I knew it was working on my end, so when I saw reports here to the contrary I was baffled at first.  Glad to figure out what actually happened.
>
> Bill

Thanks for the update! I am glad it was something simple and not another issue!  :)

Offline mcury

  • Newbie
  • *
  • Posts: 15
  • Karma: +0/-0
    • View Profile
Re: Snort + SG-3100 = exited on signal 10
« Reply #55 on: February 01, 2018, 09:42:21 am »
Patch is ready or not?

Offline bmeeks

  • Hero Member
  • *****
  • Posts: 3298
  • Karma: +862/-0
    • View Profile
Re: Snort + SG-3100 = exited on signal 10
« Reply #56 on: February 01, 2018, 05:55:31 pm »
> Patch is ready or not?

The patch has been ready since January 18th, but when my submitted files for the last Snort update got merged into the pfSense repository one of the patch files for the binary was accidentally omitted during the cherry pick process.  I notified the pfSense team this past Monday evening of the oversight and provided them another copy of the missing file.  The new package is not yet posted, though.

Bill

Offline mcury

  • Newbie
  • *
  • Posts: 15
  • Karma: +0/-0
    • View Profile
Re: Snort + SG-3100 = exited on signal 10
« Reply #57 on: February 02, 2018, 06:22:38 am »
> > Patch is ready or not?
>
> The patch has been ready since January 18th, but when my submitted files for the last Snort update got merged into the pfSense repository one of the patch files for the binary was accidentally omitted during the cherry pick process.  I notified the pfSense team this past Monday evening of the oversight and provided them another copy of the missing file.  The new package is not yet posted, though.
>
> Bill

Thanks Bill, I almost installed the previous version, I'll be waiting, thanks for everything.

Best regards,

Offline ivor

  • Administrator
  • Hero Member
  • *****
  • Posts: 736
  • Karma: +154/-135
    • View Profile
    • Netgate
Re: Snort + SG-3100 = exited on signal 10
« Reply #58 on: February 02, 2018, 07:12:08 am »
It will be there soon, apologies for the wait!
Need help fast? Commercial support: https://www.netgate.com/support/

Offline bmeeks

  • Hero Member
  • *****
  • Posts: 3298
  • Karma: +862/-0
    • View Profile
Re: Snort + SG-3100 = exited on signal 10
« Reply #59 on: February 02, 2018, 08:57:53 am »
The fix for Snort on SG-3100 and similar armv6/armv7 devices disables the clang compiler optimizations.  Those optimizations by the compiler generate some machine code sequences that lead to the SIGBUS crash.  So one of my patches goes into the configure script for the Snort binary.  When it detects the compilation target as ARM architecture, it turns off compiler optimizations.  When compiling for Intel/AMD architectures it leaves the compiler optimizations in place.  The file that patches the configure script to include this logic is what got accidentally omitted.

So the resulting fixed binary will be slightly larger in size and will not be quite as efficient as the optimized code, but at least it will run on ARM architecture.  The binary for Intel/AMD hardware is the same as it has always been.  The compiler optimizations will be there for the amd64 code base (Intel and AMD).

Bill
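
The configure-time logic described above, shown as an added example; it is not Bill's patch or Snort's configure script. The function name, the use of `-O0` to turn optimization off, and the sample host triplets are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: choose CFLAGS per target architecture, as a configure
# script could do with the host triplet it has detected.
# Usage: adjust_cflags HOST_TRIPLET "CFLAGS STRING"   -> prints the CFLAGS to use

adjust_cflags() {
    host=$1 cflags=$2 out=""
    # The CPU is the first field of the triplet (autoconf exposes it
    # as $host_cpu after AC_CANONICAL_HOST).
    case "${host%%-*}" in
        arm|armv6*|armv7*)
            # ARM target: drop every optimization level flag
            # (-O1, -O2, -O3, -Os, ...) and compile unoptimized.
            for flag in $cflags; do
                case "$flag" in
                    -O*) ;;
                    *)   out="$out$flag " ;;
                esac
            done
            out="${out}-O0"
            ;;
        *)
            # Intel/AMD and everything else: leave the flags untouched.
            out=$cflags
            ;;
    esac
    printf '%s\n' "$out"
}

# Constructed sample triplets, not taken from the thread.
for host in armv6-portbld-freebsd11.1 amd64-portbld-freebsd11.1; do
    printf '%-28s %s\n' "$host" "$(adjust_cflags "$host" "-O2 -pipe -fno-strict-aliasing")"
done
```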