SNORT high load average killing all connections

This is the second time it has happened.. but on my XG firewall SNORT is murdering my firewalls and making them unusable.  WHYYY!!???

Seriously though.. did anyone else have this happen today or know what causes it?



  • Do you know of a way to completely restart SNORT via CLI?  I have been just killing processes off... is there another way?

  • OK, the graph definitely peaks out!

    I'm not aware of such a command to stop IPS on shell.

    Is your setup HA cluster? Did you perform any (even minor) change at about 8:00 yesterday? Please check Admin log for changes.

    I have an issue where a change on a RED would kill the cluster in a HA environment after some minutes. I sometimes noticed high SNORT CPU in such a situation.

    When the issue is happening, I ask you to ping the aux/peer HA node Cluster IP from shell (note it before). Is it responding?

    console> system ha show details
     HA status              : Enabled
     Current Appliance Key  : xxx
     Peer Appliance Key     : xxx
     Current HA state       : Primary
     Peer HA state          : Auxiliary
     HA Config Mode         : Active-Passive
     Load Balancing         : Not Applicable
     Dedicated Port         : PortX
     Current Dedicated IP   : xxx.xxx.xxx.xxx
     Peer Dedicated IP      : xxx.xxx.xxx.xxx

    I found this thread https://community.sophos.com/sophos-xg-firewall/f/discussions/82468/cluster-xg-310---snort-100---firewall-block-all-traffic-and-routing which is describing some of your problems.

    Can you check ips-settings?

    console> sh ips-settings
    -------------IPS Settings-------------
    stream on
    lowmem off
    maxsesbytes 0
    maxpkts 8

  • can you also please post last IPS pattern date/time update on your machine?

     cat /log/u2d.log | grep "pt_dload_checker" | grep "ips"


  • Tue Aug 03 07:24:29 2021 pt_dload_checker: Download for file ips_16.0_v18_18.18.41.tar.gz.gpg passed integrity and gpg checks
    Tue Aug 03 07:24:29 2021 pt_dload_checker: Current ips patterns are at /content/ips_16.0/18.18.40
    Tue Aug 03 07:24:29 2021 pt_dload_checker: New updated patterns are now at /content/ips_16.0/18.18.41
    Tue Aug 03 07:25:45 2021 pt_dload_checker: Updated signature db for ips, version = 18.18.41.
    Tue Aug 03 07:25:45 2021 pt_dload_checker: Deleted pattern for module ips, version = 18.18.40 at /content/ips_16.0/18.18.40.
    Thu Aug 05 07:23:27 2021 pt_dload_checker: Starting download for file ips_16.0_v18_18.18.42.tar.gz.gpg
    Thu Aug 05 07:24:26 2021 pt_dload_checker: Download completed for file ips_16.0_v18_18.18.42.tar.gz.gpg
    Thu Aug 05 07:24:26 2021 pt_dload_checker: We are primary machine in HA. Syncing download for module ips to auxiliary machine
    Thu Aug 05 07:25:28 2021 pt_dload_checker: Download for file ips_16.0_v18_18.18.42.tar.gz.gpg passed integrity and gpg checks
    Thu Aug 05 07:25:28 2021 pt_dload_checker: Current ips patterns are at /content/ips_16.0/18.18.41
    Thu Aug 05 07:25:28 2021 pt_dload_checker: New updated patterns are now at /content/ips_16.0/18.18.42
    Thu Aug 05 07:26:43 2021 pt_dload_checker: Updated signature db for ips, version = 18.18.42.
    Thu Aug 05 07:26:43 2021 pt_dload_checker: Deleted pattern for module ips, version = 18.18.41 at /content/ips_16.0/18.18.41.
    Wed Aug 11 01:24:27 2021 pt_dload_checker: Starting download for file ips_16.0_v18_18.18.43.tar.gz.gpg
    Wed Aug 11 01:25:49 2021 pt_dload_checker: Download completed for file ips_16.0_v18_18.18.43.tar.gz.gpg
    Wed Aug 11 01:25:49 2021 pt_dload_checker: We are primary machine in HA. Syncing download for module ips to auxiliary machine
    Wed Aug 11 01:26:50 2021 pt_dload_checker: Download for file ips_16.0_v18_18.18.43.tar.gz.gpg passed integrity and gpg checks
    Wed Aug 11 01:26:50 2021 pt_dload_checker: Current ips patterns are at /content/ips_16.0/18.18.42
    Wed Aug 11 01:26:50 2021 pt_dload_checker: New updated patterns are now at /content/ips_16.0/18.18.43
    Wed Aug 11 01:28:08 2021 pt_dload_checker: Updated signature db for ips, version = 18.18.43.
    Wed Aug 11 01:28:08 2021 pt_dload_checker: Deleted pattern for module ips, version = 18.18.42 at /content/ips_16.0/18.18.42.
    Thu Aug 12 09:24:26 2021 pt_dload_checker: Starting download for file ips_16.0_v18_18.18.44.tar.gz.gpg
    Thu Aug 12 09:25:27 2021 pt_dload_checker: Download completed for file ips_16.0_v18_18.18.44.tar.gz.gpg
    Thu Aug 12 09:25:27 2021 pt_dload_checker: We are primary machine in HA. Syncing download for module ips to auxiliary machine
    Thu Aug 12 09:26:27 2021 pt_dload_checker: Download for file ips_16.0_v18_18.18.44.tar.gz.gpg passed integrity and gpg checks
    Thu Aug 12 09:26:27 2021 pt_dload_checker: Current ips patterns are at /content/ips_16.0/18.18.43
    Thu Aug 12 09:26:27 2021 pt_dload_checker: New updated patterns are now at /content/ips_16.0/18.18.44
    Thu Aug 12 09:27:48 2021 pt_dload_checker: Updated signature db for ips, version = 18.18.44.
    Thu Aug 12 09:27:48 2021 pt_dload_checker: Deleted pattern for module ips, version = 18.18.43 at /content/ips_16.0/18.18.43.
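The reason for asking about the pattern update times is to line them up against the moment Snort load spiked (the "about 8:00" question above). The following is an added Python example, not code from the thread or from Sophos: it parses u2d.log lines of the form quoted above (a subset embedded as sample input, with the line-wrap spaces removed), keeps only the completed IPS signature updates, and reports those applied within a window around an assumed spike time. The spike time and the 30-minute window are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta

# Sample /log/u2d.log lines copied from the thread (line-wrap spaces repaired).
# Only "Updated signature db" lines mark the point where Snort gets a new ruleset.
U2D_LOG = """\
Tue Aug 03 07:25:45 2021 pt_dload_checker: Updated signature db for ips, version = 18.18.41.
Thu Aug 05 07:23:27 2021 pt_dload_checker: Starting download for file ips_16.0_v18_18.18.42.tar.gz.gpg
Thu Aug 05 07:24:26 2021 pt_dload_checker: We are primary machine in HA. Syncing download for module ips to auxiliary machine
Thu Aug 05 07:26:43 2021 pt_dload_checker: Updated signature db for ips, version = 18.18.42.
Wed Aug 11 01:28:08 2021 pt_dload_checker: Updated signature db for ips, version = 18.18.43.
Thu Aug 12 09:27:48 2021 pt_dload_checker: Updated signature db for ips, version = 18.18.44.
"""

TS_FORMAT = "%a %b %d %H:%M:%S %Y"   # e.g. "Thu Aug 12 09:27:48 2021"
UPDATE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) pt_dload_checker: "
    r"Updated signature db for ips, version = (?P<ver>[\d.]+)\.$"
)


def parse_ts(text):
    """Parse a u2d.log style timestamp into a datetime."""
    return datetime.strptime(text, TS_FORMAT)


def parse_ips_updates(log_text):
    """Return [(datetime, version)] for each completed IPS pattern update, in log order."""
    updates = []
    for line in log_text.splitlines():
        m = UPDATE_RE.match(line.strip())
        if m:
            updates.append((parse_ts(m.group("ts")), m.group("ver")))
    return updates


def updates_near(updates, spike_at, window=timedelta(minutes=30)):
    """Updates applied within +/- window of the spike; symmetric so a rough
    spike estimate or a little clock skew between sources still matches."""
    return [(ts, ver) for ts, ver in updates if abs(spike_at - ts) <= window]


if __name__ == "__main__":
    updates = parse_ips_updates(U2D_LOG)
    for ts, ver in updates:
        print(f"{ts:%Y-%m-%d %H:%M:%S}  ips patterns -> {ver}")
    # Assumed spike time for illustration: 08:00 on the day of the last log entry.
    spike = parse_ts("Thu Aug 12 08:00:00 2021")
    print("updates within 30 min of spike:", updates_near(updates, spike) or "none")
```

On a real box, replace U2D_LOG with the output of the grep above and set the spike time from the CPU graph; an empty result argues against the pattern update as the trigger and points back at the HA/RED change hypothesis.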
