Weird snort-openvpn behaviour



  • Hi all!

    I posted here since 2 packages are involved…
    We have 2 locations with same firewalls (pfsense 2.1 release).

    On location A I have OpenVPN server for roadwarriors.
    On location B I connect to this server with OpenVPN client.
    Configured with SSL-TLS+user auth.

    Now the weird thing...
    When connected CPU on pfsense on location B is OK.
    When I start to download file from location A to location B, snort goes crazy and consumes 100% CPU.
    See attached image.

    Any idea? Is this a bug maybe?

    Regards,
    M



  • @maverick_slo:

    Hi all!

    I posted here since 2 packages are involved…
    We have 2 locations with same firewalls (pfsense 2.1 release).

    On location A I have OpenVPN server for roadwarriors.
    On location B I connect to this server with OpenVPN client.
    Configured with SSL-TLS+user auth.

    Now the weird thing...
    When connected CPU on pfsense on location B is OK.
    When I start to download file from location A to location B, snort goes crazy and consumes 100% CPU.
    See attached image.

    Any idea? Is this a bug maybe?

    Regards,
    M

    From the looks of that screenshot, it appears you are a victim of multiple identical Snort processes getting started.  If you have only one interface with Snort active, then you should have only a single Snort process showing up.  You have four with the same GUID (the 10837 number).  Shut down Snort and then kill any remaining Snort processes.  Start Snort again and see if things behave better.  This multiple process start problem seems to be more acute on 2.1, but still does not affect everyone.  I am looking into the root cause, but so far have come up empty.  It happens to the majority of folks on reboots.

    Stop and start Snort from the command line using these commands:

    /usr/local/etc/rc.d/snort.sh stop
    /usr/local/etc/rc.d/snort.sh start
    

    Bill

