Processor at 100% load due to snort sync



  • I'm running 2.4.3-RELEASE-p1 (amd64) on an AMD Athlon(tm) 64 X2 Dual Core Processor 3600+ (2 CPUs).

    I've noticed that at some point during the last few days, my pfSense processor went up to 100%.
    In the console I've run:

    [2.4.3-RELEASE][root@bastion1.localdomain]/root: ps auxww
    USER      PID %CPU %MEM     VSZ    RSS TT  STAT STARTED        TIME COMMAND
    root    42104 15.6  3.3  406204 136256  -  R    09:26       0:07.96 /usr/local/bin/php-cgi -f /tmp/snort_sync_cmds.php
    root    81405 15.1  3.4  402108 138688  -  R    09:25       0:16.43 /usr/local/bin/php-cgi -f /tmp/snort_sync_cmds.php
    root    78590 15.0  3.5  410300 145508  -  R    09:25       0:21.76 /usr/local/bin/php-cgi -f /tmp/snort_sync_cmds.php
    root    15840 14.9  2.6  369340 105424  -  R    09:26       0:10.46 /usr/local/bin/php-cgi -f /tmp/snort_sync_cmds.php
    root    49098 14.6  2.6  367292 106452  -  R    09:25       0:16.89 /usr/local/bin/php-cgi -f /tmp/snort_sync_cmds.php
    root    25532 14.2  3.3  406204 136788  -  R    09:26       0:08.19 /usr/local/bin/php-cgi -f /tmp/snort_sync_cmds.php
    root    28431 14.0  3.3  404156 136248  -  R    09:26       0:08.24 /usr/local/bin/php-cgi -f /tmp/snort_sync_cmds.php
    root    86075 13.8  3.4  408252 141720  -  R    09:25       0:15.43 /usr/local/bin/php-cgi -f /tmp/snort_sync_cmds.php
    root     6115 13.7  3.0  385724 123572  -  R    09:25       0:19.85 /usr/local/bin/php-cgi -f /tmp/snort_sync_cmds.php
    root    26405 13.5  3.2  393916 130400  -  R    09:25       0:18.02 /usr/local/bin/php-cgi -f /tmp/snort_sync_cmds.php
    root    25512 13.4  3.1  387772 126192  -  R    09:24       0:24.63 /usr/local/bin/php-cgi -f /tmp/snort_sync_cmds.php
    root    57326 11.8  2.8  377404 115248  -  R    09:25       0:15.67 /usr/local/bin/php-cgi -f /tmp/snort_sync_cmds.php
    root    18234 11.6  2.5  363068 100928  -  R    09:26       0:08.98 /usr/local/bin/php-cgi -f /tmp/snort_sync_cmds.php
    root    76254  8.0  1.4  309948  56464  -  R    09:27       0:01.36 /usr/local/bin/php-cgi -f /tmp/snort_sync_cmds.php
    root    81664  7.7  1.0  293564  42732  -  R    09:27       0:00.78 /usr/local/bin/php-cgi -f /tmp/snort_sync_cmds.php
    root    49657  1.7  0.8  287128  31976  -  S    03:06       5:12.68 php-fpm: pool nginx (php-fpm)
    root    40884  1.6  0.8  287128  32744  -  S    Sun14       2:06.11 php-fpm: pool nginx (php-fpm)
    

    I am unable to stop the snort process either in the interface or on the command line.

    Any ideas?



  • As a short-term fix, disable Snort HA sync on the SYNC tab in Snort on the master firewall, and then reboot the slave firewall. That will stop the problem for now. That PHP file is created on the slave firewall by the master when "syncing" a Snort configuration from master to one or more slaves. That PHP file contains a series of commands for the slave to execute.

    Instead of rebooting, you can also try killing all those php-cgi process IDs. They are all trying to execute the same PHP file and likely stepping all over and blocking each other.
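
The clean-up the reply describes, as an added example that is not part of the original thread: a POSIX sh script that picks the php-cgi processes running /tmp/snort_sync_cmds.php out of `ps auxww` output and stops them, TERM first and KILL for any that remain. The function names, the `--list`/`--kill` switches and the 5-second wait are assumptions; the sample rows are copied from the question's output.

```sh
#!/bin/sh
# Added example (not from the thread): stop stuck Snort sync workers on the slave.
SYNC_FILE="/tmp/snort_sync_cmds.php"

# Read `ps auxww` text on stdin and print the PID of every php-cgi process
# whose arguments include SYNC_FILE. Assumes the column layout shown in the
# question: PID in field 2, command starting at field 11.
sync_pids() {
    awk -v f="$SYNC_FILE" '
        $2 ~ /^[0-9]+$/ && $11 ~ /php-cgi$/ {
            for (i = 12; i <= NF; i++)
                if ($i == f) { print $2; next }
        }'
}

# Rows copied from the question's ps output, used to check the filter offline.
sample_ps() {
    cat <<'EOF'
USER      PID %CPU %MEM     VSZ    RSS TT  STAT STARTED        TIME COMMAND
root    42104 15.6  3.3  406204 136256  -  R    09:26       0:07.96 /usr/local/bin/php-cgi -f /tmp/snort_sync_cmds.php
root    81405 15.1  3.4  402108 138688  -  R    09:25       0:16.43 /usr/local/bin/php-cgi -f /tmp/snort_sync_cmds.php
root    49657  1.7  0.8  287128  31976  -  S    03:06       5:12.68 php-fpm: pool nginx (php-fpm)
EOF
}

# Send TERM, wait, then KILL only the workers that are still listed.
# The reply's first step (disable HA sync on the master) comes before this.
stop_sync_workers() {
    pids=$(ps auxww | sync_pids)
    if [ -z "$pids" ]; then
        echo "no sync workers running"
        return 0
    fi
    echo "TERM -> $(echo $pids)"
    kill -TERM $pids 2>/dev/null || true
    sleep 5   # assumed grace period before escalating
    left=$(ps auxww | sync_pids)
    if [ -n "$left" ]; then
        echo "KILL -> $(echo $left)"
        kill -KILL $left 2>/dev/null || true
    fi
}

# Nothing runs unless asked: --list prints matching PIDs, --kill stops them.
case "${1:-}" in
    --list) ps auxww | sync_pids ;;
    --kill) stop_sync_workers ;;
esac
```

Run it with `--list` first to confirm that only the sync workers match before using `--kill`.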


 
