
SNORT high load average killing all connections

This is the second time it has happened.. but on my XG firewall SNORT is murdering my firewalls and making them unusable.  WHYYY!!???

Seriously though.. did anyone else have this happen today or know what causes it?

  • Hi,

    Firewall hardware version and software version will help with the responses, as will line speed, number of users etc.

    Ian

  • SFOS 18.0.5 MR-5-Build586. Less than 500 users on an XG330. This is the second time this has happened. The CPU is pegged and the load average shoots up to 10.00. Thankfully I have been able to SSH in and kill off all of the hung SNORT processes, which brings the load average down below 1.00 and data starts processing again.

    I am not sure if this is pattern update related.  Both times this has happened over night into the morning and we have been able to catch it without needing to reboot the firewalls or something like that.  I will gladly post logs or anything else needed.  

  • Did the SNORT processes really hang?

    Any chance it was shortly after an IPS pattern update? Check in the system log, or if the events have already timed out, go to Backup firmware > Pattern updates.

    I have seen high SNORT load after some pattern updates where they said they were somehow faulty.

    Some high CPU on those processes is quite normal. 500 users is good work for the machine.

  • Another tip: check your backup windows for the servers and clients and their traffic - is IPS enabled for the FW rules from the source servers to the backup servers? That should be excluded from IPS.

  • No, backups in this scenario do not traverse the firewall.

  • I understand some high CPU is ok, but 99 percent CPU with a load average of 10.00 to 14.00 is absolutely not normal.  The first time it happened, I figured it was a one time thing and moved on.  This is now the second time it has happened. 

  • And probably you already checked /log/ips.log for anomalies in the night it happened? It is logging all the time, even if no IPS alert is triggered. Because of that the log is very short-lived. Maybe you need to check your syslog server for older logs.
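The replies above suggest checking the load average, the snort processes and /log/ips.log before killing anything. The following triage helper is an added example, not code from this thread or from Sophos; it assumes a Linux-style /proc/loadavg, a `ps -eo pid,pcpu,stat,comm` that works on the appliance, that the process is named `snort`, and threshold values chosen to match the symptoms described (load 10-14, 99% CPU).

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: Linux /proc/loadavg format
# ("1m 5m 15m running/total lastpid"), ps -eo output "PID %CPU STAT COMMAND",
# snort processes named "snort"; thresholds are arbitrary and adjustable.

LOAD_THRESHOLD="${LOAD_THRESHOLD:-8}"
CPU_THRESHOLD="${CPU_THRESHOLD:-90}"

# load_1m: print the 1-minute load average from a /proc/loadavg style line.
load_1m() {
    printf '%s\n' "$1" | awk '{ print $1 }'
}

# load_exceeds: succeed (exit 0) if the 1-minute load in line $1 is >= $2.
load_exceeds() {
    awk -v l="$(load_1m "$1")" -v t="$2" 'BEGIN { exit !(l+0 >= t+0) }'
}

# busy_snort: from ps-style lines "PID %CPU STAT COMMAND" (no header), print
# PID and STAT of snort processes at or above $2 percent CPU. STAT shows
# whether a process is really hung (D = uninterruptible) or just busy (R).
busy_snort() {
    printf '%s\n' "$1" | awk -v t="$2" \
        '$4 == "snort" && $2+0 >= t+0 { print $1, $3 }'
}

# triage: collect evidence on the live box before any process is killed, so the
# incident can be matched against pattern-update times in the system log.
triage() {
    la=$(cat /proc/loadavg)
    if load_exceeds "$la" "$LOAD_THRESHOLD"; then
        echo "$(date '+%Y-%m-%d %H:%M:%S') load1m=$(load_1m "$la") >= $LOAD_THRESHOLD"
        busy_snort "$(ps -eo pid,pcpu,stat,comm | tail -n +2)" "$CPU_THRESHOLD"
        # ips.log is short-lived (see the reply above), so capture it now.
        [ -r /log/ips.log ] && tail -n 50 /log/ips.log
    else
        echo "load1m=$(load_1m "$la") below threshold, nothing to do"
    fi
}
```

Run `triage` from a cron job or by hand during the overnight window; the saved output gives the timestamps to compare with Backup firmware > Pattern updates.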
