This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos UTM: After Update to 9.719 IPS not working and Snort not running

After update to version 9.719 IPS not working properly anymore. Every 10 minutes snort not running - restarted messages.



This thread was automatically locked due to age.
Parents Reply Children
  • Here is an excerpt from today 12:37. That's when it started.

    2024:03:06-11:51:24 utm snort[16131]: Decoding Raw IP4
    2024:03:06-11:54:02 utm snort[16131]: S5: Session exceeded configured max bytes to queue 1048576 using 1049118 bytes (client queue). X.X.X.3 61457 --> X.X.X.53 445 (0) : LWstate 0x48 LWFlags 0x2107
    2024:03:06-12:14:35 utm snort[16131]: S5: Session exceeded configured max bytes to queue 1048576 using 1048582 bytes (client queue). X.X.X.71 55893 --> X.X.X.210 445 (0) : LWstate 0x48 LWFlags 0x402107
    2024:03:06-12:16:31 utm snort[16131]: S5: Session exceeded configured max bytes to queue 1048576 using 1055146 bytes (client queue). X.X.X.223 59675 --> X.X.X.53 445 (0) : LWstate 0x48 LWFlags 0x402107
    2024:03:06-12:19:02 utm snort[16131]: S5: Session exceeded configured max bytes to queue 1048576 using 1051064 bytes (client queue). X.X.X.145 54560 --> X.X.X.205 80 (0) : LWstate 0x9 LWFlags 0x406007
    2024:03:06-12:26:23 utm snort[16131]: S5: Session exceeded configured max bytes to queue 1048576 using 1049796 bytes (client queue). X.X.X.120 51767 --> X.X.X.11 80 (0) : LWstate 0x9 LWFlags 0x406007
    2024:03:06-12:33:42 utm snort[16131]: S5: Session exceeded configured max bytes to queue 1048576 using 1056700 bytes (client queue). X.X.X.120 52045 --> X.X.X.11 80 (0) : LWstate 0x9 LWFlags 0x406007
    2024:03:06-12:33:45 utm snort[16131]: S5: Session exceeded configured max bytes to queue 1048576 using 1053423 bytes (client queue). X.X.X.71 54072 --> X.X.X.11 80 (0) : LWstate 0x48 LWFlags 0x406107
    2024:03:06-12:37:13 utm snort[10982]: Enabling inline operation
    2024:03:06-12:37:13 utm snort[10982]: Running in IDS mode
    2024:03:06-12:37:13 utm snort[10982]: 
    2024:03:06-12:37:13 utm snort[10982]:         --== Initializing Snort ==--
    2024:03:06-12:37:13 utm snort[10982]: Initializing Output Plugins!
    2024:03:06-12:37:13 utm snort[10982]: Initializing Preprocessors!
    2024:03:06-12:37:13 utm snort[10982]: Initializing Plug-ins!
    2024:03:06-12:37:13 utm snort[10982]: Parsing Rules file "/etc/snort/snort.conf"
    2024:03:06-12:37:16 utm snort[10982]: PortVar 'HTTP_PORTS' defined : 
    

  • Hey  , you can follow the following KBA -  IPS configuration to prevent high CPU usage.

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Technical Support, Global Customer Experience

    Log a Support Case | Sophos Service Guide
    Best Practices – Support Case  | Security Advisories 
    Compare Sophos next-gen Firewall | Fortune Favors the prepared
    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • I know all that. But that doesn't solve the problem after your last update. What have you changed so that it no longer works since yesterday's update?

  • Have we tried a normal reboot or postgres check ?

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Technical Support, Global Customer Experience

    Log a Support Case | Sophos Service Guide
    Best Practices – Support Case  | Security Advisories 
    Compare Sophos next-gen Firewall | Fortune Favors the prepared
    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • Normal reboot several times. I do not know PostgreSQL-Check. I have always done a rebuild in the past. But maybe we shouldn't do that. What do you mean by PostgresSQL check?

  • just check the status: ps aux | grep postgres

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Technical Support, Global Customer Experience

    Log a Support Case | Sophos Service Guide
    Best Practices – Support Case  | Security Advisories 
    Compare Sophos next-gen Firewall | Fortune Favors the prepared
    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • utm:/root # ps aux | grep postgres
    postgres  2437  0.0  0.1 1112976 11588 ?       Ss   00:05   0:00 postgres: reporting reporting [local] idle            
    postgres  4117  0.0  0.5 1109492 47092 ?       S    Mar05   0:02 /usr/pgsql92/bin/postgres -D /var/storage/pgsql92/data
    postgres  4119  0.0  2.2 1110132 186208 ?      Ss   Mar05   0:08 postgres: checkpointer process                        
    postgres  4120  0.0  0.0 1110008 7488 ?        Ss   Mar05   0:00 postgres: writer process                              
    postgres  4121  0.0  0.2 1110008 17244 ?       Ss   Mar05   0:11 postgres: wal writer process                          
    postgres  4122  0.0  0.0 1110756 2188 ?        Ss   Mar05   0:01 postgres: autovacuum launcher process                 
    postgres  4123  0.0  0.0  10292   760 ?        Ss   Mar05   0:00 postgres: archiver process   last was 00000001000002A900000006
    postgres  4124  0.0  0.0  10564  1076 ?        Ss   Mar05   0:08 postgres: stats collector process                     
    postgres  5315  0.0  0.0 1112736 6336 ?        Ss   Mar05   0:01 postgres: hotspot hotspot 127.0.0.1(58637) idle       
    postgres  5800  0.0  0.0 1112512 5696 ?        Ss   Mar05   0:00 postgres: smtp smtp 127.0.0.1(58657) idle             
    postgres  5844  0.0  0.4 1112836 33872 ?       Ss   Mar05   0:03 postgres: smtp smtp 127.0.0.1(58659) idle             
    postgres  7339  0.0  0.0 1112596 5760 ?        Ss   15:15   0:00 postgres: smtp smtp 127.0.0.1(35231) idle             
    postgres  7341  0.0  0.0 1112620 5624 ?        Ss   15:15   0:00 postgres: smtp smtp 127.0.0.1(35233) idle             
    root      8578  0.0  0.0   5944   756 pts/0    S+   15:16   0:00 grep postgres
    postgres 18363  0.0  0.2 1113964 20856 ?       Ss   08:16   0:01 postgres: smtp smtp 127.0.0.1(48661) idle             
    postgres 24931  0.0  0.0 1112616 5656 ?        Ss   07:14   0:00 postgres: hotspot hotspot 127.0.0.1(46867) idle       
    postgres 27580  0.1  1.6 1113164 134872 ?      Ss   Mar05   1:52 postgres: reporting reporting [local] idle            
    postgres 30213  0.0  0.0 1112508 4284 ?        Ss   00:00   0:00 postgres: smtp smtp [local] idle                      
    postgres 30216  0.0  0.0 1112508 4284 ?        Ss   00:00   0:00 postgres: smtp smtp [local] idle                      
    postgres 30217  0.0  0.0 1112784 5904 ?        Ss   00:00   0:00 postgres: reporting reporting [local] idle            
    postgres 30218  0.0  0.0 1112508 3708 ?        Ss   00:00   0:00 postgres: reporting reporting [local] idle            
    postgres 30271  0.0  0.0 1112628 4908 ?        Ss   00:00   0:00 postgres: hotspot hotspot [local] idle                
    postgres 30332  0.0  0.0 1112628 4912 ?        Ss   00:00   0:00 postgres: hotspot hotspot [local] idle                
    postgres 31235  0.0  0.0 1112520 4108 ?        Ss   00:00   0:00 postgres: sandbox sandbox [local] idle                
    postgres 31237  0.0  0.0 1112572 4992 ?        Ss   00:00   0:00 postgres: sandbox sandbox [local] idle                
    

  • Looks perfectly normal...

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Technical Support, Global Customer Experience

    Log a Support Case | Sophos Service Guide
    Best Practices – Support Case  | Security Advisories 
    Compare Sophos next-gen Firewall | Fortune Favors the prepared
    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • Same here, on SG210 and SG135. Every view hours snort not running - restarted, and with that most VPN connections are cutted for a moment. OpenVPN and IPsec.

    But on SG115 and SG105 no problems.

  •  It seems to be a general problem. When will there be a bugfix? It can't stay like this.