Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Snort 2.9.2.3 pkg v. 2.5.1 on pfSense 2.1 snapshots

    Scheduled Pinned Locked Moved
    pfSense Packages
    1
    2
    1.3k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • B
      breusshe
      last edited by

      I went up to pfSense v2.1 snapshot (currently at version 2.1-BETA0 (amd64) built on Fri Sep 7 13:36:41 EDT 2012 FreeBSD 8.3-RELEASE-p4) to see how it is working.  Seems fine, so I'm staying.  However, Snort has an issue with spawning multiple processes.  This will keep up until all resources are consumed.  At that time, a reboot is usually the best option to completely clear out the memory.  Usually, this is caused by a restart initiated by a rules update, so, I turned off automatic rules update.  Problem is still happening.  I really don't know why Snort keeps making more and more processes, I can't even give a time table on how often it occurs.  I have been watching Snort to see when it is happening, but I haven't been able to nail down a schedule.

      I have noticed one thing, though I have no idea if it is related.  There is a process called "check_reload_status" that is normally rather quiet.  However, when Snort is in the middle of bringing up a new process (which I've seen a few times now), this program is also taking up a significant amount of CPU time, usually around 30%. I don't know if this program is responsible for Snort spawning all of these processes, but thought I should pass it up the chain to see if other folks are noticing the same thing.

      1 Reply Last reply Reply Quote 0
      • B
        breusshe
        last edited by

        The more I look at this, I think it is the program check_reload_status that is causing Snort to spawn multiple, duplicate instances.  I'm going to kill the service for now and see if Snort stops misbehaving.  If so, I'll turn on auto-update again and see if Snort still behaves.

        I'll post results.

        UPDATE
        Just realized there are six instances of check_reload status running.  Think I just found the problem.  Now, does anyone know what is responsible for spawning this program?  I don't see it in crontab or in rc.d… at least, not directly.

        Also, when I try to kill any of these instances of check_reload_status, I get an "Operation not permitted" message.  Yea.

        1 Reply Last reply Reply Quote 0
        • First post
          Last post