After the update to version 9.719, IPS is not working properly anymore. Every 10 minutes there are "snort not running - restarted" messages.
Hey SZSZ,
Thank you for reaching out to the community. In the meantime, can you check with atop whether other services are also getting impacted?
REF - A guide to recording UTM process usage using atop.
Thanks & Regards,
_______________________________________________________________
Vivek Jagad | Team Lead, Technical Support, Global Customer Experience
Log a Support Case | Sophos Service Guide
Best Practices – Support Case | Security Advisories
Compare Sophos next-gen Firewall | Fortune Favors the prepared
Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
After 30 mins, have you seen any spike in any of the services, including snort?
Okay, and what about the disk utilization? Can you share the cd /var > df -kh output...
Are you seeing any suspicious logs under /var/log/ips.log during the time a spike or the stopped-working state is observed...
Here is an excerpt from today 12:37. That's when it started.
2024:03:06-11:51:24 utm snort[16131]: Decoding Raw IP4
2024:03:06-11:54:02 utm snort[16131]: S5: Session exceeded configured max bytes to queue 1048576 using 1049118 bytes (client queue). X.X.X.3 61457 --> X.X.X.53 445 (0) : LWstate 0x48 LWFlags 0x2107
2024:03:06-12:14:35 utm snort[16131]: S5: Session exceeded configured max bytes to queue 1048576 using 1048582 bytes (client queue). X.X.X.71 55893 --> X.X.X.210 445 (0) : LWstate 0x48 LWFlags 0x402107
2024:03:06-12:16:31 utm snort[16131]: S5: Session exceeded configured max bytes to queue 1048576 using 1055146 bytes (client queue). X.X.X.223 59675 --> X.X.X.53 445 (0) : LWstate 0x48 LWFlags 0x402107
2024:03:06-12:19:02 utm snort[16131]: S5: Session exceeded configured max bytes to queue 1048576 using 1051064 bytes (client queue). X.X.X.145 54560 --> X.X.X.205 80 (0) : LWstate 0x9 LWFlags 0x406007
2024:03:06-12:26:23 utm snort[16131]: S5: Session exceeded configured max bytes to queue 1048576 using 1049796 bytes (client queue). X.X.X.120 51767 --> X.X.X.11 80 (0) : LWstate 0x9 LWFlags 0x406007
2024:03:06-12:33:42 utm snort[16131]: S5: Session exceeded configured max bytes to queue 1048576 using 1056700 bytes (client queue). X.X.X.120 52045 --> X.X.X.11 80 (0) : LWstate 0x9 LWFlags 0x406007
2024:03:06-12:33:45 utm snort[16131]: S5: Session exceeded configured max bytes to queue 1048576 using 1053423 bytes (client queue). X.X.X.71 54072 --> X.X.X.11 80 (0) : LWstate 0x48 LWFlags 0x406107
2024:03:06-12:37:13 utm snort[10982]: Enabling inline operation
2024:03:06-12:37:13 utm snort[10982]: Running in IDS mode
2024:03:06-12:37:13 utm snort[10982]:
2024:03:06-12:37:13 utm snort[10982]: --== Initializing Snort ==--
2024:03:06-12:37:13 utm snort[10982]: Initializing Output Plugins!
2024:03:06-12:37:13 utm snort[10982]: Initializing Preprocessors!
2024:03:06-12:37:13 utm snort[10982]: Initializing Plug-ins!
2024:03:06-12:37:13 utm snort[10982]: Parsing Rules file "/etc/snort/snort.conf"
2024:03:06-12:37:16 utm snort[10982]: PortVar 'HTTP_PORTS' defined :
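The excerpt above shows the two things worth pulling out of an ips.log mechanically: the snort PID changing (16131 to 10982 at 12:37:13, which is the watchdog restart the original post describes) and the run of "S5: Session exceeded configured max bytes to queue" messages before it. The following is an added example, not code from the thread or from Sophos: a small Python parser for the UTM snort log format (timestamp, host, snort[pid], message) that lists restarts as PID changes, measures the gap between them, and counts queue-limit hits per destination port. The sample log is constructed to match the excerpt's shape, with addresses masked the same way; the third restart line and the 10-minute gap are illustrative, not taken from the poster's system.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample shaped like the /var/log/ips.log excerpt in the thread.
# Addresses are masked as in the post; the third "Initializing Snort" line
# is invented to give a second restart so the interval logic has work to do.
SAMPLE_LOG = """\
2024:03:06-11:51:24 utm snort[16131]: Decoding Raw IP4
2024:03:06-11:54:02 utm snort[16131]: S5: Session exceeded configured max bytes to queue 1048576 using 1049118 bytes (client queue). X.X.X.3 61457 --> X.X.X.53 445 (0) : LWstate 0x48 LWFlags 0x2107
2024:03:06-12:19:02 utm snort[16131]: S5: Session exceeded configured max bytes to queue 1048576 using 1051064 bytes (client queue). X.X.X.145 54560 --> X.X.X.205 80 (0) : LWstate 0x9 LWFlags 0x406007
2024:03:06-12:33:45 utm snort[16131]: S5: Session exceeded configured max bytes to queue 1048576 using 1053423 bytes (client queue). X.X.X.71 54072 --> X.X.X.11 80 (0) : LWstate 0x48 LWFlags 0x406107
2024:03:06-12:37:13 utm snort[10982]: Enabling inline operation
2024:03:06-12:37:13 utm snort[10982]: --== Initializing Snort ==--
2024:03:06-12:47:20 utm snort[11473]: --== Initializing Snort ==--
"""

# UTM log line: "YYYY:MM:DD-HH:MM:SS host snort[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"snort\[(?P<pid>\d+)\]: ?(?P<msg>.*)$"
)
# Stream5 (S5) reassembly queue limit message, with the flow tuple that follows it.
S5_RE = re.compile(
    r"S5: Session exceeded configured max bytes to queue (?P<limit>\d+) "
    r"using (?P<used>\d+) bytes \((?P<queue>client|server) queue\)\. "
    r"(?P<src>\S+) (?P<sport>\d+) --> (?P<dst>\S+) (?P<dport>\d+)"
)


def parse_line(line):
    """Split one UTM snort log line into fields; return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y:%m:%d-%H:%M:%S")
    rec["pid"] = int(rec["pid"])
    return rec


def find_restarts(lines):
    """Return (timestamp, old_pid, new_pid) for each point where the snort PID changes.

    A new PID means the previous snort process went away and a fresh one was
    started, which is exactly what the "snort not running - restarted" notice reports."""
    restarts, last_pid = [], None
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if last_pid is not None and rec["pid"] != last_pid:
            restarts.append((rec["ts"], last_pid, rec["pid"]))
        last_pid = rec["pid"]
    return restarts


def restart_intervals_minutes(restarts):
    """Minutes between consecutive restarts; a steady ~10 minute gap points at a watchdog loop."""
    ts = [r[0] for r in restarts]
    return [(b - a).total_seconds() / 60 for a, b in zip(ts, ts[1:])]


def s5_queue_summary(lines):
    """Count S5 queue-limit hits per destination port.

    These messages are informational on their own, but a steady stream of them
    before each restart is a traffic-volume hint worth correlating with atop output."""
    per_port = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = S5_RE.search(rec["msg"])
        if m:
            per_port[int(m.group("dport"))] += 1
    return per_port


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    restarts = find_restarts(lines)
    for ts, old, new in restarts:
        print(f"{ts:%Y-%m-%d %H:%M:%S} snort restarted: pid {old} -> {new}")
    print("minutes between restarts:", restart_intervals_minutes(restarts))
    print("S5 queue-limit hits by destination port:", dict(s5_queue_summary(lines)))
```

Run it against the real file with `python3 snort_restarts.py < /var/log/ips.log` after swapping `SAMPLE_LOG.splitlines()` for `sys.stdin`; the PID-change list gives the restart timeline to line up with atop, and the per-port counter shows whether the queue-limit messages cluster on particular services before each restart.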
Hey SZSZ, you can follow the following KBA: IPS configuration to prevent high CPU usage.
Have we tried a normal reboot or a postgres check?
Just check the status: ps aux | grep postgres
utm:/root # ps aux | grep postgres
postgres  2437  0.0  0.1 1112976  11588 ?     Ss   00:05   0:00 postgres: reporting reporting [local] idle
postgres  4117  0.0  0.5 1109492  47092 ?     S    Mar05   0:02 /usr/pgsql92/bin/postgres -D /var/storage/pgsql92/data
postgres  4119  0.0  2.2 1110132 186208 ?     Ss   Mar05   0:08 postgres: checkpointer process
postgres  4120  0.0  0.0 1110008   7488 ?     Ss   Mar05   0:00 postgres: writer process
postgres  4121  0.0  0.2 1110008  17244 ?     Ss   Mar05   0:11 postgres: wal writer process
postgres  4122  0.0  0.0 1110756   2188 ?     Ss   Mar05   0:01 postgres: autovacuum launcher process
postgres  4123  0.0  0.0   10292    760 ?     Ss   Mar05   0:00 postgres: archiver process   last was 00000001000002A900000006
postgres  4124  0.0  0.0   10564   1076 ?     Ss   Mar05   0:08 postgres: stats collector process
postgres  5315  0.0  0.0 1112736   6336 ?     Ss   Mar05   0:01 postgres: hotspot hotspot 127.0.0.1(58637) idle
postgres  5800  0.0  0.0 1112512   5696 ?     Ss   Mar05   0:00 postgres: smtp smtp 127.0.0.1(58657) idle
postgres  5844  0.0  0.4 1112836  33872 ?     Ss   Mar05   0:03 postgres: smtp smtp 127.0.0.1(58659) idle
postgres  7339  0.0  0.0 1112596   5760 ?     Ss   15:15   0:00 postgres: smtp smtp 127.0.0.1(35231) idle
postgres  7341  0.0  0.0 1112620   5624 ?     Ss   15:15   0:00 postgres: smtp smtp 127.0.0.1(35233) idle
root      8578  0.0  0.0    5944    756 pts/0 S+   15:16   0:00 grep postgres
postgres 18363  0.0  0.2 1113964  20856 ?     Ss   08:16   0:01 postgres: smtp smtp 127.0.0.1(48661) idle
postgres 24931  0.0  0.0 1112616   5656 ?     Ss   07:14   0:00 postgres: hotspot hotspot 127.0.0.1(46867) idle
postgres 27580  0.1  1.6 1113164 134872 ?     Ss   Mar05   1:52 postgres: reporting reporting [local] idle
postgres 30213  0.0  0.0 1112508   4284 ?     Ss   00:00   0:00 postgres: smtp smtp [local] idle
postgres 30216  0.0  0.0 1112508   4284 ?     Ss   00:00   0:00 postgres: smtp smtp [local] idle
postgres 30217  0.0  0.0 1112784   5904 ?     Ss   00:00   0:00 postgres: reporting reporting [local] idle
postgres 30218  0.0  0.0 1112508   3708 ?     Ss   00:00   0:00 postgres: reporting reporting [local] idle
postgres 30271  0.0  0.0 1112628   4908 ?     Ss   00:00   0:00 postgres: hotspot hotspot [local] idle
postgres 30332  0.0  0.0 1112628   4912 ?     Ss   00:00   0:00 postgres: hotspot hotspot [local] idle
postgres 31235  0.0  0.0 1112520   4108 ?     Ss   00:00   0:00 postgres: sandbox sandbox [local] idle
postgres 31237  0.0  0.0 1112572   4992 ?     Ss   00:00   0:00 postgres: sandbox sandbox [local] idle
Looks perfectly normal...
Hey SZSZ, I request you to please log a service request so that we can get it expedited with support.