Processor at 100% load due to snort sync
-
I'm running 2.4.3-RELEASE-p1 (amd64) on an AMD Athlon(tm) 64 X2 Dual Core Processor 3600+
2 CPUs. I've noticed that at some point during the last few days, my pfSense processor went up to 100%.
In the console I've run:

    [2.4.3-RELEASE][root@bastion1.localdomain]/root: ps auxww
    USER   PID %CPU %MEM    VSZ    RSS TT STAT STARTED    TIME COMMAND
    root 42104 15.6  3.3 406204 136256  - R    09:26   0:07.96 /usr/local/bin/php-cgi -f /tmp/snort_sync_cmds.php
    root 81405 15.1  3.4 402108 138688  - R    09:25   0:16.43 /usr/local/bin/php-cgi -f /tmp/snort_sync_cmds.php
    root 78590 15.0  3.5 410300 145508  - R    09:25   0:21.76 /usr/local/bin/php-cgi -f /tmp/snort_sync_cmds.php
    root 15840 14.9  2.6 369340 105424  - R    09:26   0:10.46 /usr/local/bin/php-cgi -f /tmp/snort_sync_cmds.php
    root 49098 14.6  2.6 367292 106452  - R    09:25   0:16.89 /usr/local/bin/php-cgi -f /tmp/snort_sync_cmds.php
    root 25532 14.2  3.3 406204 136788  - R    09:26   0:08.19 /usr/local/bin/php-cgi -f /tmp/snort_sync_cmds.php
    root 28431 14.0  3.3 404156 136248  - R    09:26   0:08.24 /usr/local/bin/php-cgi -f /tmp/snort_sync_cmds.php
    root 86075 13.8  3.4 408252 141720  - R    09:25   0:15.43 /usr/local/bin/php-cgi -f /tmp/snort_sync_cmds.php
    root  6115 13.7  3.0 385724 123572  - R    09:25   0:19.85 /usr/local/bin/php-cgi -f /tmp/snort_sync_cmds.php
    root 26405 13.5  3.2 393916 130400  - R    09:25   0:18.02 /usr/local/bin/php-cgi -f /tmp/snort_sync_cmds.php
    root 25512 13.4  3.1 387772 126192  - R    09:24   0:24.63 /usr/local/bin/php-cgi -f /tmp/snort_sync_cmds.php
    root 57326 11.8  2.8 377404 115248  - R    09:25   0:15.67 /usr/local/bin/php-cgi -f /tmp/snort_sync_cmds.php
    root 18234 11.6  2.5 363068 100928  - R    09:26   0:08.98 /usr/local/bin/php-cgi -f /tmp/snort_sync_cmds.php
    root 76254  8.0  1.4 309948  56464  - R    09:27   0:01.36 /usr/local/bin/php-cgi -f /tmp/snort_sync_cmds.php
    root 81664  7.7  1.0 293564  42732  - R    09:27   0:00.78 /usr/local/bin/php-cgi -f /tmp/snort_sync_cmds.php
    root 49657  1.7  0.8 287128  31976  - S    03:06   5:12.68 php-fpm: pool nginx (php-fpm)
    root 40884  1.6  0.8 287128  32744  - S    Sun14   2:06.11 php-fpm: pool nginx (php-fpm)

I am unable to stop the Snort process either in the interface or on the command line.
Any ideas?
-
As a short-term fix disable Snort HA sync on the SYNC tab in Snort on the master firewall, and then reboot the slave firewall. That will stop the problem for now. That PHP file is created on the slave firewall by the master when "syncing" a Snort configuration from master to one or more slaves. That PHP file contains a series of commands for the slave to execute.
Instead of rebooting, you can also try killing all those php-cgi process IDs. They are all trying to execute the same PHP file and likely stepping all over and blocking each other.
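
The kill step suggested in the reply above, as an added example that is not part of the original thread: a POSIX sh script for the slave firewall that picks out only the processes whose full command line is the sync runner shown in the `ps auxww` output, sends TERM, and follows up with KILL for any that remain. The function names, the `--kill`/`--demo` switches and the 5-second grace period are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Command line copied from the ps output in the question.
SYNC_CMD='/usr/local/bin/php-cgi -f /tmp/snort_sync_cmds.php'

# Sample rows taken from the ps output in the question (used by --demo).
SAMPLE='USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 42104 15.6 3.3 406204 136256 - R 09:26 0:07.96 /usr/local/bin/php-cgi -f /tmp/snort_sync_cmds.php
root 49657 1.7 0.8 287128 31976 - S 03:06 5:12.68 php-fpm: pool nginx (php-fpm)
root 81405 15.1 3.4 402108 138688 - R 09:25 0:16.43 /usr/local/bin/php-cgi -f /tmp/snort_sync_cmds.php'

# Read `ps auxww` output on stdin and print the PID of every process whose
# command line is exactly SYNC_CMD. An exact match keeps php-fpm (the web GUI)
# and unrelated php-cgi jobs out of the kill list.
sync_pids() {
    awk -v want="$SYNC_CMD" '
        NR == 1 && $1 == "USER" { next }           # skip the header row
        {
            cmd = $11                               # COMMAND starts at column 11
            for (i = 12; i <= NF; i++) cmd = cmd " " $i
            if (cmd == want) print $2               # column 2 is the PID
        }'
}

# TERM first, give the processes a moment, then KILL whatever is still alive.
# Returns 0 only if no sync runner remains afterwards.
kill_stuck_sync() {
    pids=$(ps auxww | sync_pids)
    [ -n "$pids" ] || { echo "no stuck sync processes"; return 0; }
    echo "terminating:" $pids
    kill -TERM $pids 2>/dev/null || true
    sleep 5                                         # grace period (assumed value)
    left=$(ps auxww | sync_pids)
    [ -z "$left" ] || kill -KILL $left 2>/dev/null || true
    [ -z "$(ps auxww | sync_pids)" ]
}

case "${1:-}" in
    --kill) kill_stuck_sync ;;
    --demo) printf '%s\n' "$SAMPLE" | sync_pids ;;  # prints 42104 and 81405
esac
```

Run it with `--demo` first to see which PIDs the filter selects from the sample rows; `--kill` acts on the live process table.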