Bug #14986
Snort's Legacy Blocking Mode custom plugin code causes a Signal 11 and core dump when "kill states" option is enabled
Status: Closed (100% done)
Description
It appears the changes in this commit approximately two weeks ago: https://github.com/pfsense/FreeBSD-ports/commit/4f0328385462efdd72f20ed4c037bc254630ebe4 introduced a bug in the Legacy Blocking module for Snort. Users on pfSense Plus 23.09 are reporting very frequent Signal 11 faults with a core dump since upgrading to the latest pfSense Plus version with the latest Snort binary.
Troubleshooting with a user having the issue on the Netgate forum, I had that user disable the "kill states" option in the package GUI. When that option is disabled, the custom blocking module will still add the offending IP address to the pf snort2c table, but it will NOT call the code to clear any existing firewall states for the offender IP address. This mode of operation results in Snort running normally (albeit no longer killing open states for blocked IP addresses). Based on this result, I think there is an issue in the new code.
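For orientation, the two pf operations the description refers to (adding the offender to the snort2c table, then optionally clearing its existing states) can be expressed as plain pfctl commands. The script below is an added illustration written for this page, not code from the pfSense Snort package or its custom output plugin (which talks to pf through libpfctl rather than the pfctl binary). The function names and the PFCTL_DRY_RUN and SNORT2C_TABLE variables are assumptions made here; in dry-run mode the function only prints the commands it would run, so the logic can be read and checked on a host without pf.

```shell
#!/bin/sh
# Added illustration of Legacy Blocking Mode's two pf steps (assumed names,
# not the plugin's own code). Set PFCTL_DRY_RUN=1 to print instead of execute.

# run_pfctl: execute pfctl, or echo the command line in dry-run mode.
run_pfctl() {
    if [ "${PFCTL_DRY_RUN:-0}" = "1" ]; then
        echo "pfctl $*"
    else
        pfctl "$@"
    fi
}

# snort_legacy_block IP KILL_STATES
#   1. add IP to the pf table the block rules reference (default: snort2c)
#   2. if KILL_STATES is "yes", also drop existing states in both directions,
#      which is the step the "kill states" GUI option enables
snort_legacy_block() {
    ip="$1"
    kill_states="${2:-no}"
    table="${SNORT2C_TABLE:-snort2c}"   # assumed override knob

    run_pfctl -t "$table" -T add "$ip"

    if [ "$kill_states" = "yes" ]; then
        # states whose source address is the offender
        run_pfctl -k "$ip"
        # states whose destination address is the offender
        run_pfctl -k 0.0.0.0/0 -k "$ip"
    fi
}

# Usage: PFCTL_DRY_RUN=1 sh block.sh 203.0.113.5 yes
[ $# -ge 1 ] && snort_legacy_block "$@"
```

With the option set to "no" only the table insert runs, which matches the working configuration described above: the offender is still blocked by the firewall rules that reference the table, but any of its already-open states survive until they expire on their own.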
Updated by Jonathan Lee over 1 year ago
pid 56711 (snort), jid 0, uid 0: exited on signal 11 (core dumped)
Also occurs on SG2100 Max now
Updated by Bill Meeks over 1 year ago
This bug is still under active investigation. I have experienced it three times over two days of running Snort in a CE 2.7.0-RELEASE virtual machine. The bug appears to happen randomly: sometimes within an hour and other times several hours elapse between instances.
Something like this that is not 100% reproducible using the same steps in each test is a challenge to find.
Updated by Bill Meeks over 1 year ago
This bug has likely been traced to the particular version of the libpfctl library bundled with pfSense CE 2.7.0, 2.7.1, and pfSense Plus 23.09. A fix for the libpfctl library package was submitted by its maintainer here: https://github.com/pfsense/FreeBSD-ports/commit/36019faf7b771be00808b184eda565f346c5ed5b.
Some additional code cleanup was done in the Snort custom output plugin used on pfSense to implement Legacy Blocking Mode. The pull request containing those code fixes is awaiting review and merge here: https://github.com/pfsense/FreeBSD-ports/pull/1326.
After these changes are all merged and new packages are built, final confirmation testing can be performed.
Updated by Kristof Provost over 1 year ago
The relevant changes have been merged to 2.7.1 and 23.09.
The 23.09 build is currently failing due to unrelated changes, but 2.7.1 should be able to update already.
Updated by Bill Meeks over 1 year ago
The fix has been deployed in package updates to both CE 2.7.1 and Plus 23.09. User feedback on the Netgate Forum indicates this bug is resolved.
Updated by Jim Pingle over 1 year ago
- Status changed from New to Resolved
- % Done changed from 0 to 100