EFW Support
Snort High CPU Usage and Blank Intrusion Detection Screen
Topic: Snort High CPU Usage and Blank Intrusion Detection Screen (Read 27296 times)
gdPAC (Full Member, 12 posts)
Snort High CPU Usage and Blank Intrusion Detection Screen
« on: Saturday 24 October 2009, 07:19:38 am »
This week, we began experiencing VOIP quality issues. Investigation revealed the snort process on our Endian 2.2 firewall is using 67-99% CPU. I manually updated snort rules earlier this week and the problem surfaced after that. I am unable to view the Intrusion Detection settings in the Endian GUI because the screen comes up blank. If I kill the snort process in an SSH session, all traffic stops until the firewall is restarted. Does anyone have a suggestion for fixing this before I do a fresh reinstall over the weekend?
Thanks.
Glen
mrkroket (Hero Member, 495 posts)
Re: Snort High CPU Usage and Blank Intrusion Detection Screen
« Reply #1 on: Saturday 24 October 2009, 07:47:46 am »
Maybe it's related to:
http://efwsupport.com/index.php?topic=947.0
From console try to restart snort with debug log:
restartsnort.py -d -f
Check that there isn't any error. You should see something like:
......
......
.......
2009-10-23 15:43:49,311 - restartsnort.py/enabled_rule_targets[20065] - DEBUG - Stop snort
snort (pid 19990) is running...
Stopping snort: [  OK  ]
snort is stopped
2009-10-23 15:43:49,576 - restartsnort.py/enabled_rule_targets[20065] - DEBUG - Start snort
2009-10-23 15:43:49,582 - restartsnort.py/enabled_rule_targets[20065] - INFO - Starting SNORT...
Starting snort: [  OK  ]
If snort says failed, there was a problem with some updated rule.
To see which program eats up the CPU %, use the console command
top
gdPAC (Full Member, 12 posts)
Re: Snort High CPU Usage and Blank Intrusion Detection Screen
« Reply #2 on: Saturday 24 October 2009, 08:11:02 am »
Snort restarted without errors. I've been monitoring with TOP most of the day. Snort has been using >67% CPU most of the time and seems to be linked to the quantity of VOIP traffic.
top - 17:06:27 up 1:50, 1 user, load average: 0.35, 0.66, 0.59
Tasks: 64 total, 3 running, 61 sleeping, 0 stopped, 0 zombie
Cpu(s): 25.0%us, 1.0%sy, 0.0%ni, 70.7%id, 0.0%wa, 0.7%hi, 2.7%si, 0.0%st
Mem: 449780k total, 338476k used, 111304k free, 37088k buffers
Swap: 907664k total, 0k used, 907664k free, 84616k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
10760 root 15 0 82804 59m 1336 R 27.9 13.6 0:57.87 snort
3891 openvpn 15 0 4332 2480 1292 S 0.3 0.6 2:46.19 openvpn
11005 root 15 0 1976 1004 788 R 0.3 0.2 0:00.10 top
1 root 15 0 1504 552 468 S 0.0 0.1 0:00.44 init
The Services > Intrusion Detection configuration screen is still blank after restarting snort.
Thanks!
Glen
mrkroket (Hero Member, 495 posts)
Re: Snort High CPU Usage and Blank Intrusion Detection Screen
« Reply #3 on: Saturday 24 October 2009, 08:39:28 am »
Did you try to disable the VOIP.rules on snort?
https://EFW:10443/manage/ips/rules/
If you can't enter GUI, use console to rename the voip rules so snort doesn't use them:
cd /etc/snort/rules/auto
mv emerging-voip.rules emerging-voip.rules.out
restartsnort.py -d -f
If that doesn't help, the problem shouldn't be on voip rules.
You can try to stop the snort daemon and run it in debug mode (showing errors on the console). I never did that so I can't help. Try to kill snort and run it by using the command
snort
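A small shell helper, added here as an example and not part of this thread or of Endian's own tooling, that automates the loop from Reply #1 and Reply #3: move one auto-rule file aside, restart snort with restartsnort.py -d -f, confirm the restart reported OK, and read snort's %CPU from a top snapshot so you can tell whether that rule set was the load. RULES_DIR, restartsnort.py and the *.rules.out naming come from the thread; the function names and the top/log text referenced in the comments are assumptions.

```sh
#!/bin/sh
# Added helper (not Endian's code): disable one auto-rule file, restart snort
# with debug logging, check the restart said OK, then sample snort's %CPU.
# Paths and the *.rules.out convention come from the thread; names are assumed.
RULES_DIR=${RULES_DIR:-/etc/snort/rules/auto}

# restart_ok LOGTEXT -> 0 when the restartsnort.py output contains
# "Starting snort: [  OK  ]" and no FAILED marker, 1 otherwise.
restart_ok() {
    printf '%s' "$1" | grep -qi 'failed' && return 1
    printf '%s' "$1" | tr -s '[:space:]' ' ' | grep -q 'Starting snort: \[ OK ]'
}

# snort_cpu TOPTEXT -> prints the %CPU column (9th field) of the snort row
# from "top -b -n 1" output, or "0" when no snort process is listed.
snort_cpu() {
    printf '%s\n' "$1" | awk '$NF == "snort" { print $9; found = 1 }
                              END { if (!found) print "0" }'
}

# cpu_above VALUE LIMIT -> 0 when VALUE > LIMIT; awk does the decimal compare.
cpu_above() {
    awk -v v="$1" -v l="$2" 'BEGIN { exit !(v + 0 > l + 0) }'
}

# restore FILE: put the rule file back and restart snort (used on any failure).
restore() {
    mv "$RULES_DIR/$1.out" "$RULES_DIR/$1" && restartsnort.py -d -f >/dev/null 2>&1
}

# try_without_rules FILE LIMIT: rename FILE to FILE.out as in Reply #3, restart
# snort, and report whether snort now stays at or below LIMIT %CPU.  Returns 0
# if it does (file left disabled), 1 if not (file restored), 2 on restart error.
try_without_rules() {
    file=$1; limit=$2
    mv "$RULES_DIR/$file" "$RULES_DIR/$file.out" || return 2
    log=$(restartsnort.py -d -f 2>&1)
    if ! restart_ok "$log"; then
        echo "snort failed to start without $file; inspect the debug log" >&2
        restore "$file"; return 2
    fi
    sleep 30                                   # let the load settle first
    cpu=$(snort_cpu "$(top -b -n 1)")
    if cpu_above "$cpu" "$limit"; then
        echo "snort still at ${cpu}% CPU without $file; restoring it" >&2
        restore "$file"; return 1
    fi
    echo "snort at ${cpu}% CPU with $file disabled"
}
```

Run it one rule file at a time, e.g. `try_without_rules emerging-voip.rules 30`, while real traffic is flowing, since the thread shows snort's CPU tracks throughput rather than idle load.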
gdPAC (Full Member, 12 posts)
Re: Snort High CPU Usage and Blank Intrusion Detection Screen
« Reply #4 on: Sunday 25 October 2009, 01:20:16 am »
The URL /manage/ips/rules/ doesn't work on my EFW. 404. Should that work in v2.2?
I renamed the VOIP rules and restarted snort. No change. I stopped the process with killall and tried to restart with "snort" but it wanted parameters. restartsnort.py -d -f worked, though.
I tested throughput at speedtest.net and monitored running EFW processes with TOP. Snort consumed 99%+ CPU during the speedtest transfers. So it looks like a general throughput issue, not just VOIP traffic.
At this point, I am going to try to reset to factory default, then restore config from a backup. If that doesn't work, then a fresh reinstall and reconfig. Any other suggestions before I get started?
Thanks for the help.
Glen
gdPAC (Full Member, 12 posts)
Re: Snort High CPU Usage and Blank Intrusion Detection Screen
« Reply #5 on: Sunday 25 October 2009, 03:09:30 am »
Resetting to defaults and restoring from backup had no effect on snort's CPU-hogging ways. While researching, I noticed 2.3 is due out the 27th. So I renamed all the snort auto rules to *.rules.out and restarted snort. It is now much more CPU-kind and red throughput is back to normal. Phone voice quality sounds good, but I'm the only one using the phone right now. It'll be Monday before it is back under full load. The Intrusion Detection setup page is still blank, so I'm unable to use the GUI to configure snort. I'll just wait to upgrade to 2.3 next week and hope that fixes the problem.
Thanks again for the help.
Glen
mrkroket (Hero Member, 495 posts)
Re: Snort High CPU Usage and Blank Intrusion Detection Screen
« Reply #6 on: Sunday 25 October 2009, 04:03:17 am »
Yes, the manage/ip URL is on EFW 2.3 only. It now has much better control on IDS.
You can change IDS settings (or any part of the GUI) via console commands; it's not hard.
Go to /var/efw
You'll see lots of dirs with settings files. Edit the files and restart the associated script.
I.e. for snort:
nano /var/efw/snort/settings
Edit the file options. 0 (or off) disables the selected option.
When you are done, Ctrl+O to save and Ctrl+X to quit
Restart the snort process:
restartsnort.py -d -f
If you are going to upgrade to 2.3, be warned. It's still a Release Candidate, with much better options but some little issues (nothing big).
Still, there are some issues also on IDS for EFW 2.3. There is a post in the forum related to the error (an incorrect rule that appears if you update snort rules).
gdPAC (Full Member, 12 posts)
Re: Snort High CPU Usage and Blank Intrusion Detection Screen
« Reply #7 on: Tuesday 27 October 2009, 12:47:37 am »
So the announcement on the home page of Endian.com "2.3 Available from Oct. 27, 2009" isn't a stable release announcement?
My "solution" wasn't one. When enough people used the phone, the jitter and dropouts returned. Your suggestion to edit the settings file to disable Snort seems to have done the trick. CPU usage is down and throughput is up. But the Services > Intrusion Detection screen is still blank and will not allow me to configure Snort. Something is broken and I have no idea how to fix it.
Thank you.
Glen
mrkroket (Hero Member, 495 posts)
Re: Snort High CPU Usage and Blank Intrusion Detection Screen
« Reply #8 on: Tuesday 27 October 2009, 01:45:04 am »
Quote from: gdPAC on Tuesday 27 October 2009, 12:47:37 am
So the announcement on the home page of Endian.com "2.3 Available from Oct. 27, 2009" isn't a stable release announcement?
I was referring to the 2.3 Release Candidate (http://www.endian.com/es/compania/news/article/endian-firewall-community-23-release-candidate/?tx_ttnews[backPid]=1&cHash=23cfe22e7c), out since 17 Sep 09. If you use a lot of VOIP you'll need good QoS queues. 2.3 has an improved QoS. Do your maths and reserve enough bandwidth for your VOIP calls to reduce jitter and ensure voice quality.
gdPAC (Full Member, 12 posts)
Re: Snort High CPU Usage and Blank Intrusion Detection Screen
« Reply #9 on: Tuesday 27 October 2009, 05:19:13 am »
Network QOS is configured and with Endian Traffic Shaping, VOIP was working flawlessly for months, even under high bandwidth usage. Only when Snort started taking 67%+ CPU did we experience these problems. Something is wrong with IDS in my current configuration and Snort is killing red interface throughput. I am not aware of a way to reinstall just Snort in EFW 2.2. If EFW 2.3 stable is being released this week, I'll cross my fingers and upgrade, hoping the problem will be resolved. If not, I'll do a full reinstall.
Thank you.
Glen