After update to version 9.719 IPS not working properly anymore. Every 10 minutes snort not running - restarted messages.
Hey SZSZ,
Thank you for reaching out to the community. In the meantime, can you check with atop whether other services are also getting impacted?
REF - A guide to recording UTM process usage using atop.
Thanks & Regards,
_______________________________________________________________
Vivek Jagad | Team Lead, Global Support & Services
Log a Support Case | Sophos Service Guide
Best Practices – Support Case
Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
I can't see any abnormalities. Approx 30 minutes after reactivating IPS, the UTM "goes crazy" since the update.
After 30 mins, have you seen any spike in any of the services, including snort?
Thanks & Regards,
Yes, see the screenshot (PID 10982). CPU jumped from 2 to 6 percent. VG and RGROW jumped significantly in value.
Okay, and what about the disk utilization? Can you share the cd /var > df -kh output...
Thanks & Regards,
Here is the output without active IPS.
Was that what you wanted to see?
Are you seeing any suspicious logs in /var/log/ips.log during the time the spike or the stop is observed?
Thanks & Regards,
Here is an excerpt from today 12:37. That's when it started.
2024:03:06-11:51:24 utm snort[16131]: Decoding Raw IP4
2024:03:06-11:54:02 utm snort[16131]: S5: Session exceeded configured max bytes to queue 1048576 using 1049118 bytes (client queue). X.X.X.3 61457 --> X.X.X.53 445 (0) : LWstate 0x48 LWFlags 0x2107
2024:03:06-12:14:35 utm snort[16131]: S5: Session exceeded configured max bytes to queue 1048576 using 1048582 bytes (client queue). X.X.X.71 55893 --> X.X.X.210 445 (0) : LWstate 0x48 LWFlags 0x402107
2024:03:06-12:16:31 utm snort[16131]: S5: Session exceeded configured max bytes to queue 1048576 using 1055146 bytes (client queue). X.X.X.223 59675 --> X.X.X.53 445 (0) : LWstate 0x48 LWFlags 0x402107
2024:03:06-12:19:02 utm snort[16131]: S5: Session exceeded configured max bytes to queue 1048576 using 1051064 bytes (client queue). X.X.X.145 54560 --> X.X.X.205 80 (0) : LWstate 0x9 LWFlags 0x406007
2024:03:06-12:26:23 utm snort[16131]: S5: Session exceeded configured max bytes to queue 1048576 using 1049796 bytes (client queue). X.X.X.120 51767 --> X.X.X.11 80 (0) : LWstate 0x9 LWFlags 0x406007
2024:03:06-12:33:42 utm snort[16131]: S5: Session exceeded configured max bytes to queue 1048576 using 1056700 bytes (client queue). X.X.X.120 52045 --> X.X.X.11 80 (0) : LWstate 0x9 LWFlags 0x406007
2024:03:06-12:33:45 utm snort[16131]: S5: Session exceeded configured max bytes to queue 1048576 using 1053423 bytes (client queue). X.X.X.71 54072 --> X.X.X.11 80 (0) : LWstate 0x48 LWFlags 0x406107
2024:03:06-12:37:13 utm snort[10982]: Enabling inline operation
2024:03:06-12:37:13 utm snort[10982]: Running in IDS mode
2024:03:06-12:37:13 utm snort[10982]:
2024:03:06-12:37:13 utm snort[10982]: --== Initializing Snort ==--
2024:03:06-12:37:13 utm snort[10982]: Initializing Output Plugins!
2024:03:06-12:37:13 utm snort[10982]: Initializing Preprocessors!
2024:03:06-12:37:13 utm snort[10982]: Initializing Plug-ins!
2024:03:06-12:37:13 utm snort[10982]: Parsing Rules file "/etc/snort/snort.conf"
2024:03:06-12:37:16 utm snort[10982]: PortVar 'HTTP_PORTS' defined :
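The excerpt above mixes two different things a reader has to separate by hand: the Stream5 "Session exceeded configured max bytes to queue" notices, and the "Initializing Snort" banner that marks each restart with a new PID. The script below is an added example, not code from this thread or from Sophos; it assumes only the line layout visible in the excerpt (a "YYYY:MM:DD-HH:MM:SS host snort[pid]: message" prefix) and is meant to be run against /var/log/ips.log on the UTM. It reports how many times snort was re-initialized and the spacing between restarts, so a "restarted every 10 minutes" pattern stands out as a fixed interval, and it tallies the Stream5 queue notices by destination port and by how far over the limit they went. The sample lines in SAMPLE_LOG are constructed, modelled on the excerpt with RFC 5737 addresses in place of the masked X.X.X.n hosts, and the 900-second loop threshold is an assumed value, not a product setting. The script reports the two kinds of event side by side; it does not assert that one causes the other.

```python
import re
import sys
from collections import Counter
from datetime import datetime

# Line prefix as seen in the thread's /var/log/ips.log excerpt (assumed stable).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"snort\[(?P<pid>\d+)\]: ?(?P<msg>.*)$"
)
# Stream5 queue notice, fields taken from the excerpt's wording.
S5_RE = re.compile(
    r"Session exceeded configured max bytes to queue (?P<limit>\d+) using "
    r"(?P<used>\d+) bytes \((?P<side>\w+) queue\)\. "
    r"(?P<src>\S+) (?P<sport>\d+) --> (?P<dst>\S+) (?P<dport>\d+)"
)
RESTART_MARKER = "--== Initializing Snort ==--"

# Constructed sample, modelled on the excerpt (not real traffic).
SAMPLE_LOG = """\
2024:03:06-11:54:02 utm snort[16131]: S5: Session exceeded configured max bytes to queue 1048576 using 1049118 bytes (client queue). 192.0.2.3 61457 --> 192.0.2.53 445 (0) : LWstate 0x48 LWFlags 0x2107
2024:03:06-12:19:02 utm snort[16131]: S5: Session exceeded configured max bytes to queue 1048576 using 1051064 bytes (client queue). 192.0.2.145 54560 --> 192.0.2.205 80 (0) : LWstate 0x9 LWFlags 0x406007
2024:03:06-12:33:42 utm snort[16131]: S5: Session exceeded configured max bytes to queue 1048576 using 1056700 bytes (client queue). 192.0.2.120 52045 --> 192.0.2.11 80 (0) : LWstate 0x9 LWFlags 0x406007
2024:03:06-12:37:13 utm snort[10982]: Enabling inline operation
2024:03:06-12:37:13 utm snort[10982]: --== Initializing Snort ==--
2024:03:06-12:37:13 utm snort[10982]: Parsing Rules file "/etc/snort/snort.conf"
2024:03:06-12:47:20 utm snort[11207]: --== Initializing Snort ==--
2024:03:06-12:57:31 utm snort[11431]: --== Initializing Snort ==--
not a snort line at all
"""


def parse_line(line):
    """Split one ips.log line into ts/host/pid/msg, or None if it is not a snort line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y:%m:%d-%H:%M:%S")
    rec["pid"] = int(rec["pid"])
    return rec


def analyze(lines):
    """Collect snort restarts and Stream5 queue notices from an iterable of log lines."""
    restarts = []      # (timestamp, pid) for each "Initializing Snort" banner
    s5_events = []     # parsed queue-exceeded notices
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if RESTART_MARKER in rec["msg"]:
            restarts.append((rec["ts"], rec["pid"]))
        s5 = S5_RE.search(rec["msg"])
        if s5:
            limit, used = int(s5["limit"]), int(s5["used"])
            s5_events.append({
                "ts": rec["ts"], "src": s5["src"], "sport": int(s5["sport"]),
                "dst": s5["dst"], "dport": int(s5["dport"]), "side": s5["side"],
                "limit": limit, "used": used, "over_by": used - limit,
            })
    # Seconds between consecutive restarts: a near-constant value is the
    # "every N minutes" symptom the thread describes.
    intervals = [int((b[0] - a[0]).total_seconds())
                 for a, b in zip(restarts, restarts[1:])]
    return {
        "restart_count": len(restarts),
        "restart_pids": [pid for _, pid in restarts],
        "restart_intervals_s": intervals,
        "s5_count": len(s5_events),
        "s5_by_dport": dict(Counter(e["dport"] for e in s5_events)),
        "s5_worst": max(s5_events, key=lambda e: e["over_by"], default=None),
    }


def flag_restart_loop(report, max_interval_s=900):
    """True when snort restarted more than once and every gap was at most max_interval_s."""
    intervals = report["restart_intervals_s"]
    return bool(intervals) and all(i <= max_interval_s for i in intervals)


if __name__ == "__main__":
    # Usage: python snort_restarts.py /var/log/ips.log  (no argument: built-in sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            report = analyze(fh)
    else:
        report = analyze(SAMPLE_LOG.splitlines())
    print(f"snort restarts: {report['restart_count']} pids={report['restart_pids']}")
    print(f"seconds between restarts: {report['restart_intervals_s']}")
    print(f"restart loop suspected: {flag_restart_loop(report)}")
    print(f"S5 queue notices: {report['s5_count']} by dport={report['s5_by_dport']}")
    if report["s5_worst"]:
        w = report["s5_worst"]
        print(f"largest overrun: {w['src']}:{w['sport']} -> {w['dst']}:{w['dport']} "
              f"used {w['used']} of {w['limit']} (+{w['over_by']} bytes)")
```

Run it without arguments to see the output on the constructed sample; with the path to ips.log it reads the real file. If the restart intervals come out nearly identical (the sample gives 607 s and 611 s), that is the fixed cadence worth quoting in a support case alongside the atop and df -kh output already asked for above.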
Hey SZSZ, you can follow the following KBA: IPS configuration to prevent high CPU usage.
Thanks & Regards,
I know all that. But that doesn't solve the problem after your last update. What have you changed so that it no longer works since yesterday's update?