Bug #200
closed100% CPU on PHP with Snort
0%
Description
The problem seems to be with snort and the option(s):
- Convert Snort alerts urls to clickable links
- Associate events on Blocked tab
If either or both are enabled and you enter the "Blocked" page, the
page starts to load and seemingly stops loading. If you fire up top on
a console, you see that PHP consumes 100% CPU.
Switching off the above options and then going back into the "Blocked" page, and everything is
back to normal.
Updated by robert zelaya over 14 years ago
I have reproced this error by loading a large amout of ips into the snort2c table.
Example loading 200,000 ips to the snort2c table.
Fix.
change this
$ips = `/sbin/pfctl -t snort2c -T show`;
$ips_array = split("\n", $ips);
to
exec('/sbin/pfctl -t snort2c -T show > /tmp/snort_block.cache');
sleep(1);
$ips = file('/tmp/snort_block.cache');
$ips_array = split("\n", $ips);
Then I am able to load 200,000 ips.
I'll add the code when I have time.
Robert.
Updated by robert zelaya over 14 years ago
robert zelaya wrote:
I have reproced this error by loading a large amout of ips into the snort2c table.
Example loading 200,000 ips to the snort2c table.
Fix.
change this
$ips = `/sbin/pfctl -t snort2c -T show`;
$ips_array = split("
", $ips);
to
exec('/sbin/pfctl -t snort2c -T show > /tmp/snort_block.cache');
sleep(1);
$ips = file('/tmp/snort_block.cache');
$ips_array = split("
", $ips);
Then I am able to load 200,000 ips.
I'll add the code when I have time.
Robert.
Use this instead....
exec('/sbin/pfctl -t snort2c -T show > /tmp/snort_block.cache');
sleep(1);
$ips_array = file('/tmp/snort_block.cache');
Updated by robert zelaya almost 14 years ago
Can someone close this bug report.
Robert
Updated by Chris Buechler almost 14 years ago
- Status changed from New to Resolved