Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 21 replies
  • Subscribers 2 subscribers
  • Views 5159 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

pfilter report.

Simon Shaw
Please fix this ASAP.

My system is sometimes unresponsive due to this issue...
 5376 root      25   0 32428  12m 2692 R 91.5  0.6  11:01.24 pfilter-reporte

Peaking at around 95% CPU usage... Can I disable pfilter report??

Seems to be a bit of a bug since a lot of the time it barely uses any CPU despite system traffic being high.


This thread was automatically locked due to age.
  • 0
    You can disable it by commenting it out in /etc/syslog-ng.conf.template, then run syslog-templateparser.pl, then "/etc/init.d/syslogng reload". 
    The reporter won't be started then. Beware that you will lose the reporting data for portscans, sip/h232, dropped/rejected packets.

    The workload of the reporter is always a bit "peaky" because it accumulates and aggregates data over 5 minute timeframes, then inserts/updates into the database. The insert/update demands much more CPU than the regular baseline workload.
  • 0 in reply to andreas
    Ahhh, so if you have more packets being logged for dropped/rejected, then the more pfilter-reporter willl have to work! I get it now.
  • 0 in reply to andreas
    Andreas, what exactly to I comment out in syslog-ng.conf.template ?

    At the moment I only comment out:
    #destination d_pcktrr   { program("/usr/local/bin/reporter/pfilter-reporter.pl" ...
  • 0 in reply to ReD-MaN
    My gods... Killing pfilter-report... System runs like a dream now.. Hardly any ram or cpu being used and seems a lot snappier.

    Whens the ETA for a permanent fix?
  • 0 in reply to Simon Shaw
    heh..i think they have to recode it personally.  it's a system-wide DOS vulnerability.  Now that i know this workaround i'll post it on the blog(linking to this thread) once i get to my next client sit in ohio tomorrow..

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

  • 0 in reply to William Warren
    Please sticky this until it is fixed.  Lots of people will be looking for this workaround.
  • 0 in reply to andreas
    You can disable it by commenting it out in /etc/syslog-ng.conf.template, then run syslog-templateparser.pl, then "/etc/init.d/syslogng reload". 
    The reporter won't be started then. Beware that you will lose the reporting data for portscans, sip/h232, dropped/rejected packets.

    The workload of the reporter is always a bit "peaky" because it accumulates and aggregates data over 5 minute timeframes, then inserts/updates into the database. The insert/update demands much more CPU than the regular baseline workload.


    If it is on a 5 minute timescale how can it then take DAYS or longer for it to quit nailing the cpu?  Also it should never be able to bring the system to it's knees no matter what.  With v4 and v5 this was not an issue.  What changed in v7 that this is now a DOS vector?  I have installed .006 and It takes longer to DOS the machine but it's still able to be DOS'ed.

    If I can bring down a p-4 i'm worried about your ASG 1xx and 2xx's.  They are both on weak platforms.

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

  • 0 in reply to William Warren
    egads...pfilter is a perl script?!?!?! I know there's a ton of perl in Astaro.  something's up with that one though.

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

  • 0 in reply to William Warren
    That made a huuuuuge difference.  I have the system under BT "attack" and the load was up at 4 and rising.  Once i killed pfilter it shot down to .48 within 5 seconds.  It's on my blog now.

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

  • 0 in reply to William Warren
    unfortunately that doesn't kill pfilter for good...only for one cycle? Maybe i'm doing something wrong.  Simon start up BT behind your firewall and see if pfilter spikes your cpu again...this way i can tell if that workaround truly works.

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

Cookie Information Banner