Snort 2.9.2.3 pkg v. 2.5.1 on pfSense 2.1 snapshots



  • I went up to pfSense v2.1 snapshot (currently at version 2.1-BETA0 (amd64) built on Fri Sep 7 13:36:41 EDT 2012 FreeBSD 8.3-RELEASE-p4) to see how it is working.  Seems fine, so I'm staying.  However, Snort has an issue with spawning multiple processes.  This will keep up until all resources are consumed.  At that time, a reboot is usually the best option to completely clear out the memory.  Usually, this is caused by a restart initiated by a rules update, so I turned off automatic rules update.  Problem is still happening.  I really don't know why Snort keeps making more and more processes; I can't even give a timetable on how often it occurs.  I have been watching Snort to see when it is happening, but I haven't been able to nail down a schedule.

    I have noticed one thing, though I have no idea if it is related.  There is a process called "check_reload_status" that is normally rather quiet.  However, when Snort is in the middle of bringing up a new process (which I've seen a few times now), this program is also taking up a significant amount of CPU time, usually around 30%. I don't know if this program is responsible for Snort spawning all of these processes, but thought I should pass it up the chain to see if other folks are noticing the same thing.



  • The more I look at this, I think it is the program check_reload_status that is causing Snort to spawn multiple, duplicate instances.  I'm going to kill the service for now and see if Snort stops misbehaving.  If so, I'll turn on auto-update again and see if Snort still behaves.

    I'll post results.

    UPDATE
    Just realized there are six instances of check_reload_status running.  Think I just found the problem.  Now, does anyone know what is responsible for spawning this program?  I don't see it in crontab or in rc.d… at least, not directly.

    Also, when I try to kill any of these instances of check_reload_status, I get an "Operation not permitted" message.  Yea.

