IPS Service Issue 2022/01/25 - (SFOS 18.0.5 MR-5-Build586)

Checking if anyone had any IPS issues today?

Box at one of my sites picked up an IPS and Application Pattern update in the afternoon and did this.

System load got as high as 32 at one stage and I had to reload the box.

Could barely get into the web ui console it was so slow.

Switched off IPS as a precaution for now.

Snort and Garner using pretty much all compute power.

  • I checked multiple installations. No spikes. 

    What kind of installation is this? 


  • Hi, it's a virtual instance running on VMware, running IPS and inline HTTP content filtering.

    I have a couple of other vm instances and they are chugging along fine weirdly enough with the same patterns.

    Top load averages in the top-right corner at the time of the incident were 9.52, 14.15, 14.41.

    Top 3 processes were:

    98.6% CPU - snort

    40.3% CPU - garner

    8.9% CPU - fqndnd

    Busy combing through ips.log and syslog.log to try and figure out what went on here.

  • Did not see that spike here. This is eventually caused by high network traffic, e.g. someone moved a VM or big data to a different datastore or similar, hitting a rule with IPS.

    Check for high-volume hosts today.

  • Possible, though the SNMP graphs don't show much traffic at the moment. Will check through the top talkers to see if we can spot anything.

    More or less the timeframe indicates that the system received an IPS / Application Pattern update:

    [Jan 25 11:52:50 :5715]:signo_handler: got signal 16384
    [Jan 25 11:52:50 :5715]:setVariable: set signal 49
    [Jan 25 11:52:50 :19710]:signo_handler: got signal 16384
    [Jan 25 11:52:50 :19710]:setVariable: set signal 49
    [Jan 25 11:52:50 :22371]:csigno_handler: got signal 49
    [Jan 25 11:52:50 :22372]:csigno_handler: got signal 49
    [Jan 25 11:52:50 :22373]:csigno_handler: got signal 49
    [Jan 25 11:52:50 :22374]:csigno_handler: got signal 49
    [Jan 25 11:52:50 :5715]:dlen 40 : data <IPS_STR:1:0IPS_RECONF:5:37203IPS_END:1:0>
    [Jan 25 11:52:50 :5715]:cleaning update list
    [Jan 25 11:52:50 :5715]:start update_status 0 tlv 0
    [Jan 25 11:52:50 :5715]:get reconfig.
    [Jan 25 11:52:50 :5715]:system FreeRam 223888 Kb ,Master Rss 427628 Kb, Threshold 102400 Kb, restart 1
    [Jan 25 11:52:51 :5715]:kernel caches dropped:1
    [Jan 25 11:52:51 :5715]:Max wait for start snort 899
    [Jan 25 11:52:51 :19710]:Master Process exiting
    [Jan 25 11:52:51 :19710]:child 22373 dead
    [Jan 25 11:52:51 :19710]:child 22371 dead
    [Jan 25 11:52:51 :19710]:IPS: Master process is going down
    [Jan 25 11:52:51 :19710]:child 22374 dead
    [Jan 25 11:52:51 :19767]:Enabling inline operation
    [Jan 25 11:52:51 :19767]:Found pid path directive (/tmp/snort/pids)
    [Jan 25 11:52:51 :19767]:Search-Method = ac-bnfa
    [Jan 25 11:52:51 :19767]:Running in IDS mode
    [Jan 25 11:52:51 :19767]:
    [Jan 25 11:52:51 :19767]:        --== Initializing Snort ==--
    [Jan 25 11:52:51 :19767]:Initializing Output Plugins!
    [Jan 25 11:52:52 :19767]:Initializing Preprocessors!
    [Jan 25 11:52:52 :19767]:Initializing Plug-ins!
    [Jan 25 11:52:52 :19767]:Parsing Rules file "/etc/snort/etc/snort.conf"
    [Jan 25 11:52:52 :19767]:validateSchema: sig schema is 16 16
    [Jan 25 11:52:52 :19767]:WARNING: /etc/snort/etc/snort.conf(21) Unknown config directive: maxsesbytes.
    [Jan 25 11:52:52 :19767]:WARNING: /etc/snort/etc/snort.conf(22) Unknown config directive: qnum.
    [Jan 25 11:52:52 :19767]:WARNING: /etc/snort/etc/snort.conf(25) Unknown config directive: stdsig.
    [Jan 25 11:52:52 :19767]:WARNING: /etc/snort/etc/snort.conf(26) Unknown config directive: stream.
    [Jan 25 11:52:53 :19710]:Snort exiting
    [Jan 25 11:52:53 :5715]:child 19710 dead

    [Jan 25 12:00:42 :28370]:child 5387 dead
    [Jan 25 12:00:42 :28370]:cdata[3].lstatus for pid 5387 set
    [Jan 25 12:00:42 :28370]:Worker killed 11 times, Exiting
    [Jan 25 12:00:42 :28370]:child 6770 dead
    [Jan 25 12:00:42 :28370]:IPS: Master process is going down
    [Jan 25 12:00:42 :28370]:child 5568 dead
    [Jan 25 12:00:43 :28370]:Snort exiting
    [Jan 25 12:00:43 :28324]:child 28370 dead
    [Jan 25 12:00:43 :28324]:Snort master goes down: state: 1: exited, status=1
    [Jan 25 12:00:43 :28324]:on error
    [Jan 25 12:00:43 :28324]:exited(28370): exited, status=1
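    The ips.log excerpt above has a fixed line shape (`[Mon DD HH:MM:SS :PID]:message`), so it can be triaged programmatically rather than by eye. The following is an added example (not from the thread or from Sophos): a small parser that pulls out the reconfig event, the snort.conf directive warnings, dead children, the "Worker killed N times" counter and the master exit status, and a helper that flags the pattern seen in this post. The sample lines are constructed from the quoted log; field meanings beyond what the lines literally say (e.g. the trailing `restart` flag) are not interpreted.

```python
import re

# Sample input constructed from the ips.log lines quoted in the post above.
SAMPLE_LOG = """\
[Jan 25 11:52:50 :5715]:dlen 40 : data <IPS_STR:1:0IPS_RECONF:5:37203IPS_END:1:0>
[Jan 25 11:52:50 :5715]:system FreeRam 223888 Kb ,Master Rss 427628 Kb, Threshold 102400 Kb, restart 1
[Jan 25 11:52:52 :19767]:WARNING: /etc/snort/etc/snort.conf(21) Unknown config directive: maxsesbytes.
[Jan 25 11:52:52 :19767]:WARNING: /etc/snort/etc/snort.conf(22) Unknown config directive: qnum.
[Jan 25 12:00:42 :28370]:child 5387 dead
[Jan 25 12:00:42 :28370]:Worker killed 11 times, Exiting
[Jan 25 12:00:42 :28370]:IPS: Master process is going down
[Jan 25 12:00:43 :28324]:Snort master goes down: state: 1: exited, status=1
"""

# One log line: "[<timestamp> :<pid>]:<message>"
LINE_RE = re.compile(r"^\[(\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) :(\d+)\]:(.*)$")

def parse_line(line):
    """Return (timestamp, pid, message) for one ips.log line, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts, pid, msg = m.groups()
    return ts, int(pid), msg

def summarize(log_text):
    """Collect the events worth looking at when snort restarts after a pattern update."""
    ev = {"reconfig": [], "dead_children": [], "unknown_directives": [],
          "worker_killed": None, "master_exit_status": None, "restart_flag": None}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _pid, msg = parsed
        if "IPS_RECONF" in msg:                      # pattern update triggered a reconfig
            ev["reconfig"].append(ts)
        elif msg.startswith("child ") and msg.endswith(" dead"):
            ev["dead_children"].append(int(msg.split()[1]))
        elif "Unknown config directive" in msg:      # snort.conf directives snort did not accept
            ev["unknown_directives"].append(msg.rsplit(": ", 1)[1].rstrip("."))
        elif msg.startswith("Worker killed"):        # "Worker killed 11 times, Exiting"
            ev["worker_killed"] = int(msg.split()[2])
        elif "Snort master goes down" in msg:        # "... exited, status=1"
            ev["master_exit_status"] = int(msg.rsplit("status=", 1)[1])
        elif msg.startswith("system FreeRam"):       # trailing "restart N" field, recorded as-is
            ev["restart_flag"] = int(msg.split()[-1])
    return ev

def needs_attention(ev):
    """True when a reconfig is followed by repeated worker kills or a non-zero master exit."""
    killed = ev["worker_killed"] or 0
    status = ev["master_exit_status"] or 0
    return bool(ev["reconfig"]) and (killed > 0 or status != 0)
```

Run it over a full ips.log (`summarize(open("ips.log").read())`) to see whether the worker-kill counter and exit status line up with the reconfig timestamp, as they do in this excerpt.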

  • Nothing special here today:

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner


  • Thanks all. Will log a call with Sophos.
