Bug 10770 - Enabling Snort causes system crash
Summary: Enabling Snort causes system crash
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: IPFire
Classification: Unclassified
Component: ---
Version: 2
Hardware: armv5tel All
: - Unknown - Balancing
Assignee: Assigned to nobody - feel free to grab it and work on it
QA Contact:
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-03-11 08:55 UTC by Timmothy Wilson
Modified: 2017-10-09 16:59 UTC
5 users

See Also:


Attachments
Screenshot of "tail -f /var/log/messages" (44.81 KB, image/png)
2015-03-15 18:25 UTC, Timmothy Wilson
Kernel crash messages (6.64 KB, text/plain)
2015-03-23 17:46 UTC, Timmothy Wilson
Kernel crash messages (2016-10-09) (6.74 KB, text/plain)
2016-10-09 12:14 UTC, Timmothy Wilson

Description Timmothy Wilson 2015-03-11 08:55:55 UTC
Dear IPFire-Team,

I am running IPFire 2.17 on a Wandboard Quad, my fireinfo profile is available here: http://fireinfo.ipfire.org/profile/5b2bd7f27142f30ab9a173bf09e68d2dc8c68068

Besides some issues, IPFire works fine except for snort. Whenever I activate Snort and select some rules, the system crashes. There is no access via SSH/HTTPS any more, and "ping" results in "Destination Host Unreachable".

The crash has been reproduced twice. The only solution I know at the moment is to disable snort. But since I want snort to be enabled (many attacks coming from the internet), this is not a very good solution.

Is there any other possibility to fix this issue?

Thanks in advance,
Timmothy Wilson
Comment 1 Michael Tremer 2015-03-11 11:33:49 UTC
First of all: Snort gives you nothing.

Secondly: Please attach the trace of the crash or any useful debugging information.
Comment 2 Michael Tremer 2015-03-11 11:34:32 UTC
And please do not change the bug priorities.
Comment 3 Timmothy Wilson 2015-03-11 14:18:31 UTC
(In reply to Michael Tremer from comment #1)
> First of all: Snort gives you nothing.
I don't agree with that. Why does IPFire contain snort if it is useless?
(Of course, this is off-topic.)
> 
> Secondly: Please attach the trace of the crash or any useful debugging
> information.
How do I get those? (I'm a newbie, you know) I didn't see any printed on the serial console. The system just freezes, with no trace messages or anything.

If the output of any command might help, please tell me.

(In reply to Michael Tremer from comment #2)
> And please do not change the bug priorities.
Oh, I'm sorry.
Comment 4 Michael Tremer 2015-03-12 01:03:31 UTC
Maybe Arne can advise...
Comment 5 Timmothy Wilson 2015-03-12 11:36:15 UTC
(In reply to Michael Tremer from comment #1)
> First of all: Snort gives you nothing.
> 
> Secondly: Please attach the trace of the crash or any useful debugging
> information.
I checked /var/log/snort:
$ ls -lah
total 12K
drwxr-xr-x  2 snort snort 4.0K Mar 10 19:01 .
drwxr-xr-x 15 root  root  4.0K Mar 12 02:46 ..
-rw-r--r--  1 root  root     0 Mar 10 19:01 alert
-rw-r--r--  1 root  root    20 Mar 10 19:01 alert.1.gz
-rw-r--r--  1 root  root     0 Mar  9 10:21 snort.log.1425892889
-rw-r--r--  1 root  root     0 Mar 10 18:06 snort.log.1426007213
-rw-r--r--  1 root  root     0 Mar 10 18:08 snort.log.1426007295

The three log files are blank. In my opinion, this is strange because if snort crashed, there would be some lines in the logs.

I really have no idea what to think about this. Sorry.
Comment 6 Timmothy Wilson 2015-03-15 15:57:08 UTC
Hello,

I tried to enable snort without any rules.

This works. I am now trying to enable just one or two rules...
Comment 7 Timmothy Wilson 2015-03-15 16:01:15 UTC
(In reply to Timmothy Wilson from comment #6)
> Hello,
> 
> I tried to enable snort without any rules.
> 
> This works. I am now trying to enable just one or two rules...
I enabled "emerging_activex.rules" (containing 220 rules?). Works.

Maybe the bug is in one of the snort rules, causing an infinite loop?
Comment 8 Timmothy Wilson 2015-03-15 18:24:05 UTC
Activated several rules, no problems seen until activating ruleset "misc".
Then the system froze (see screenshot attached, it is showing the output of "tail -f /var/log/messages").

Recovered the system by restoring an old snort.conf; now the "ids.cgi" page in the WebIF crashes.

Seems like a rule in "misc.rules" causes the crash...
Comment 9 Timmothy Wilson 2015-03-15 18:25:34 UTC
Created attachment 274
Screenshot of "tail -f /var/log/messages"

Enabled "misc.rules" at 17:26, then the system froze.
Comment 10 Timmothy Wilson 2015-03-15 19:09:52 UTC
Dear IPFire-Team,

since I recovered the system, I tried to enable a snort configuration which worked before the crash:

Active on RED
Enabled rulesets:
activex
attack_response
ciarmy
dshield
mobile_malware
scan
exploit
botcc
rbn
rbn_malvertises
dos
netbios
shellcode
malware # quite slow!
trojan # quite slow!
drop
dns
worm
web_client
user_agent

I did not install Guardian.

After I entered the configuration above in the WebIF and hit "Update", the system froze, just like the other times before.

Because of this, the bug doesn't seem to be limited to "misc.rules".

For a workaround, I disabled snort temporarily.

Any idea how to solve this?

Again there are no log entries.

Thanks in advance,
Timmothy Wilson
Comment 11 Timmothy Wilson 2015-03-23 17:46:42 UTC
Created attachment 279
Kernel crash messages

Dear IPFire-Team,

I finally got some crash messages by the kernel.

The crash occurred ~ 2 min after enabling snort.

I hope this helps.

Timmothy Wilson
Comment 12 Timmothy Wilson 2015-03-27 18:22:37 UTC
Issue is not fixed in core update 89 - tested a few hours ago.
Comment 13 Timmothy Wilson 2015-03-29 17:36:13 UTC
Removed needinfo flag - the kernel crash messages should do it.

If there is anything which would help you (output of commands, ...), please let me know.
Comment 14 Charles 2015-04-21 05:50:37 UTC
I am also having this same issue on 2.17 Core Update 89. I also noticed that when I try to enable snort for green, red and blue, it is not running on all 3 interfaces. Sometimes it is any 2 of the 3 or any 1 of the 3, but never all 3.

Has something changed in snort or could it be the rules it is downloading and using?
Comment 15 Charles 2015-04-21 05:51:42 UTC
It does this on a fresh install.
Comment 16 Arne.F 2015-06-04 07:43:48 UTC
The IPFire main team does not have the resources to investigate and fix this.

I fear upstream will also not find and fix it, because it only occurs on kernel 3.14 with grsecurity on arm.
I think no other distribution uses that combination.

I'm thinking about disabling snort on arm completely.
Comment 17 Timmothy Wilson 2015-06-04 20:45:02 UTC
(In reply to Arne Fitzenreiter from comment #16)
> The IPFire main team have not the resources to investigate and fix this.
That's okay for me - you can't save the world. ;-)
> 
> I fear upstream will also not found and fix it because it only occours on
> kernel 3.14 with grsecurity on arm.
Does this mean that it basically works with newer kernels? I saw that you can't upgrade to a newer one unless the grsecurity project has released their stable version for newer kernels.
> I think no other distribution use the combination.
I think so, too.
> 
> Im thinking about disabling snort on arm completly.
If snort works with newer kernels and we just have to wait for the grsecurity stuff, I would prefer to leave it enabled.

In my opinion, disabling snort on arm would be a huge loss of security; many people run arm boards as private routers, and it would be very nice if this feature were not limited to i686 systems.

What do you think about this?

Best regards,
Timmothy Wilson
Comment 18 Arne.F 2016-01-20 11:22:55 UTC
Seems to be a compiler bug, because current nightly builds work without changes to the kernel or snort after we updated gcc.
Comment 19 Timmothy Wilson 2016-01-26 12:11:54 UTC
(In reply to Arne Fitzenreiter from comment #18)
> Seems to be a compiler bug because current nightly builds work without
> changes on kernel or snort after we had updated the gcc.

Hello Arne,

thanks for your reply.

At the moment I have no spare system to test this. :-( Nevertheless, it is great news!

Best regards,
Timmothy Wilson
Comment 20 Robert Parker 2016-04-16 18:28:55 UTC
crash still exists with IPFire 2.19 (armv5tel) - Core Update 100
which has updated kernel, gcc etc.

----------------------------------

PAX: snort:2125, uid/euid: 0/0, attempted to access userland memory at 0011aea0
Internal error: : 1b [#1] SMP ARM
Modules linked in: nfnetlink_queue nfnetlink_log nfnetlink ipt_MASQUERADE ccm xt_mac xt_nat xt_mark xt_policy xt_TCPMSS xt_conntrack xt_comment ipt_REJECT xt_LOG xt_limit iptable_raw iptable_mangle iptable_nat nf_nat_ipv4 nf_nat iptable_filter 8021q garp vfat fat sch_fq_codel arc4 rtl8192cu(O) rtl_usb(O) rtl8192c_common(O) b53_mdio rtlwifi(O) b53_common mac80211(O) swconfig cfg80211(O) compat(O) stmmac ptp pps_core sunxi_wdt lp parport ahci_sunxi ahci_platform libahci
CPU: 0 PID: 2125 Comm: snort Tainted: G           O 3.14.65-ipfire-multi #1

CPU:   Allwinner A20 (SUN7I)
Board: Bananapi
I2C:   ready
DRAM:  1 GiB
MMC:   SUNXI SD/MMC: 0
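The kernel messages above carry the only hard evidence in this thread. The "PAX: snort:2125, uid/euid: 0/0, attempted to access userland memory at 0011aea0" line is PaX reporting that kernel code, running in the context of the snort process, dereferenced a userland address (the UDEREF check); the "Internal error: ... [#1]" line is the resulting kernel oops, and "Tainted: G O" records that out-of-tree modules (the ones marked "(O)") were loaded. Read that way, the faulting party is the kernel, not the snort binary, which also explains the empty /var/log/snort files from comment 5. As an added example (not code from this report or from IPFire), here is a small Python parser that pulls those fields out of an oops excerpt and turns them into a one-line triage verdict. The sample input is copied from the lines above with the module list shortened; the names parse_oops, OopsReport and summarize are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the four lines are copied from the kernel crash
# excerpt posted in comment 20; the "Modules linked in" list is shortened.
SAMPLE_LOG = """\
PAX: snort:2125, uid/euid: 0/0, attempted to access userland memory at 0011aea0
Internal error: : 1b [#1] SMP ARM
Modules linked in: nfnetlink_queue nfnetlink ipt_MASQUERADE rtl8192cu(O) rtl_usb(O) rtlwifi(O) mac80211(O) cfg80211(O) compat(O) stmmac ahci_sunxi
CPU: 0 PID: 2125 Comm: snort Tainted: G           O 3.14.65-ipfire-multi #1
"""

# Line formats as they appear in the report (PaX UDEREF report, oops header,
# module list, task/taint line). Hypothetical names, written for this example.
PAX_RE = re.compile(
    r"PAX: (?P<comm>\S+):(?P<pid>\d+), uid/euid: (?P<uid>\d+)/(?P<euid>\d+), "
    r"attempted to access userland memory at (?P<addr>[0-9a-fA-F]+)"
)
OOPS_RE = re.compile(r"^Internal error: (?P<what>.*?)\[#(?P<count>\d+)\]")
MODULES_RE = re.compile(r"^Modules linked in: ?(?P<mods>.*)$")
CPU_RE = re.compile(r"^CPU: (?P<cpu>\d+) PID: (?P<pid>\d+) Comm: (?P<comm>\S+) (?P<rest>.*)$")


@dataclass
class OopsReport:
    pax_comm: Optional[str] = None      # process in whose context the kernel faulted
    pax_pid: Optional[int] = None
    pax_uid: Optional[int] = None
    pax_addr: Optional[int] = None      # userland address the kernel touched
    oops_count: Optional[int] = None    # the [#N] counter; 1 means first oops since boot
    kernel: Optional[str] = None
    taint_flags: List[str] = field(default_factory=list)
    modules: List[str] = field(default_factory=list)
    out_of_tree: List[str] = field(default_factory=list)  # modules marked (O)


def parse_oops(text: str) -> OopsReport:
    """Extract the fields a triager needs from a PaX/oops excerpt."""
    r = OopsReport()
    for line in text.splitlines():
        line = line.strip()
        if m := PAX_RE.search(line):
            r.pax_comm = m["comm"]
            r.pax_pid = int(m["pid"])
            r.pax_uid = int(m["uid"])
            r.pax_addr = int(m["addr"], 16)
        elif m := OOPS_RE.match(line):
            r.oops_count = int(m["count"])
        elif m := MODULES_RE.match(line):
            for tok in m["mods"].split():
                external = tok.endswith("(O)")
                name = tok[:-3] if external else tok
                r.modules.append(name)
                if external:
                    r.out_of_tree.append(name)
        elif m := CPU_RE.match(line):
            rest = m["rest"].split()
            # Either "Tainted: <flags...> <version> #<build>" or "Not tainted <version> #<build>"
            if rest[:2] == ["Not", "tainted"]:
                r.taint_flags = []
            elif rest and rest[0] == "Tainted:":
                r.taint_flags = rest[1:-2]
            r.kernel = rest[-2]
    return r


def summarize(r: OopsReport) -> str:
    """One-line triage verdict: who faulted, where, and what taints the report."""
    if r.pax_pid is None:
        return "no PaX userland-access report found"
    where = f"kernel {r.kernel}" if r.kernel else "kernel"
    msg = (f"{where} faulted while running on behalf of {r.pax_comm} (pid {r.pax_pid}): "
           f"kernel code touched userland address 0x{r.pax_addr:08x}, PaX reported it "
           f"and the kernel oopsed (oops #{r.oops_count})")
    if r.pax_uid == 0:
        msg += "; the process was running as root"
    if "O" in r.taint_flags:
        msg += (f"; kernel tainted by out-of-tree modules ({', '.join(r.out_of_tree)}), "
                "which upstream maintainers usually ask to be unloaded before they look at a report")
    return msg


if __name__ == "__main__":
    print(summarize(parse_oops(SAMPLE_LOG)))
```

The parser deliberately stops at the fields that decide how a report is triaged: the PaX line tells you the fault was on the kernel side, the taint flags tell you whether upstream will look at it, and the PID match between the PaX line and the CPU line confirms both refer to the same task. Feeding it the whole of /var/log/messages after a freeze is a quicker check than reading the trace by hand.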
Comment 21 Timmothy Wilson 2016-04-22 13:24:12 UTC
My ARM-system is now running on Core Update 100 with snort enabled. There were no issues at all, the system load is remarkably low (~ 0.2 idle).

However, I haven't tried it on a Banana Pi yet, but it sounds weird to me that snort is still causing crashes on the same architecture.
Comment 22 Timmothy Wilson 2016-10-09 12:14:25 UTC
Created attachment 482
Kernel crash messages (2016-10-09)

Seems like this issue is still open.

My firewall (profile: http://fireinfo.ipfire.org/profile/20df6dc5b9451a5816f5c10a594ac11d31bc302e) crashed with a grsec error today.

Please see the kernel crash message attached.