Bug #6235

closed

Snort sometimes crashes during rule update process (specifically related to VRT .so rule update?)

Added by Andrew W almost 6 years ago. Updated 7 months ago.

Status: Resolved
Priority: Normal
Category: Snort
Target version: -
Start date: 04/22/2016
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture:

Description

Snort occasionally crashes during the rule update process and doesn't start again until I manually restart it via the GUI. When the crash occurs, it usually crashes with signal 11 (SIGSEGV), but most recently it crashed with signal 4 (SIGILL). The logs from the latest crash are as follows:

Apr 20 04:00:01 x php: /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-2980.tar.gz...
Apr 20 04:00:13 x php: /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Snort VRT rules file update downloaded successfully
Apr 20 04:00:13 x php: /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Snort OpenAppID detectors are up to date...
Apr 20 04:00:14 x php: /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] There is a new set of Emerging Threats Open rules posted. Downloading emerging.rules.tar.gz...
Apr 20 04:00:15 x php: /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Emerging Threats Open rules file update downloaded successfully
Apr 20 04:00:26 x php: /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Updating rules configuration for: LAN ...
Apr 20 04:00:28 x kernel: pid 65324 (snort), uid 0: exited on signal 4
Apr 20 04:00:28 x kernel: igb1: promiscuous mode disabled
Apr 20 04:00:42 x php: /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Enabling any flowbit-required rules for: LAN...
Apr 20 04:00:44 x php: /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] Building new sid-msg.map file for LAN...
Apr 20 04:00:51 x php: /usr/local/pkg/snort/snort_check_for_rule_updates.php: [Snort] The Rules update has finished.
Apr 20 04:00:51 x check_reload_status: Syncing firewall
[End of logs for Apr 20]

From /var/log/snort/snort_rules_update.log:

Starting rules update...  Time: 2016-04-20 04:00:00
        Downloading Snort VRT rules md5 file snortrules-snapshot-2980.tar.gz.md5...
        Checking Snort VRT rules md5 file...
        There is a new set of Snort VRT rules posted.
        Downloading file 'snortrules-snapshot-2980.tar.gz'...
        Done downloading rules file.
        Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5...
        Checking Snort OpenAppID detectors md5 file...
        Snort OpenAppID detectors are up to date.
        Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
        Checking Emerging Threats Open rules md5 file...
        There is a new set of Emerging Threats Open rules posted.
        Downloading file 'emerging.rules.tar.gz'...
        Done downloading rules file.
        Extracting and installing Snort VRT rules...
        Using Snort VRT precompiled SO rules for FreeBSD-10-0 ...
        Installation of Snort VRT rules completed.
        Extracting and installing Emerging Threats Open rules...
        Installation of Emerging Threats Open rules completed.
        Copying new config and map files...
        Updating rules configuration for: LAN ...
The Rules update has finished.  Time: 2016-04-20 04:00:51

Notice above that the Snort VRT precompiled SO rules were updated - on previous days when these rules were not updated, the snort update process completed successfully without the snort process crashing. I wonder if the .so's are being modified such that the running snort process will crash upon trying to call a function provided by the updated libraries (after the function address has been resolved based on the old .so).

pfSense Machine Specs:

Netgate RCC-DFF
Intel(R) Atom(TM) CPU C2338 @ 1.74GHz
2.3-RELEASE (amd64)
built on Mon Apr 11 18:28:29 CDT 2016
FreeBSD 10.3-RELEASE

I've had these problems for the last few months (running 2.2.6 as well.)

Please let me know what additional information I can provide. Thanks!
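
The hypothesis in the description depends on whether an updater rewrites the .so files in place or swaps them in by rename. The script below is an added example, not code from the pfSense Snort package or from this ticket; it shows the inode-level difference between the two install methods using constructed stand-in files, and all function and file names in it are assumptions.

```shell
#!/bin/sh
# Added illustration, not pfSense package code. File names are constructed.

# Print the inode number of a file (works with BSD and GNU ls).
inode_of() {
    ls -i "$1" | awk '{print $1}'
}

# In-place install: cp truncates and rewrites the existing destination,
# so the inode a running process has mapped gets new contents.
install_inplace() {
    cp "$1" "$2"
}

# Atomic install: write a temp file in the destination directory, then
# rename it over the target. The old inode stays intact for any process
# that still maps it and is freed once the last reference goes away.
install_atomic() {
    src=$1 dst=$2
    tmp=$(mktemp "$(dirname "$dst")/.so-update.XXXXXX") || return 1
    if cp "$src" "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$dst"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Run an install method and print "same-inode" or "new-inode" for the target.
inode_effect() {
    method=$1 src=$2 dst=$3
    before=$(inode_of "$dst")
    "$method" "$src" "$dst" || return 1
    after=$(inode_of "$dst")
    if [ "$before" = "$after" ]; then echo same-inode; else echo new-inode; fi
}

demo() {
    work=$(mktemp -d) || return 1
    printf 'old rule library\n' > "$work/rules.so"      # stand-in for a loaded .so
    printf 'new rule library\n' > "$work/rules.so.new"  # stand-in for the update
    echo "cp:     $(inode_effect install_inplace "$work/rules.so.new" "$work/rules.so")"
    echo "rename: $(inode_effect install_atomic  "$work/rules.so.new" "$work/rules.so")"
    rm -rf "$work"
}

demo
```

Running the same before/after inode comparison on the real library directory around a scheduled rule update would show which of the two behaviours the updater has.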


Files

snort_check_for_rule_updates.patch (2.18 KB), Sander Peterse, 04/16/2021 03:04 AM