Bug #200
closed
100% CPU on PHP with Snort
Added by Chris Buechler over 14 years ago.
Updated almost 14 years ago.
Description
The problem seems to be with snort and the option(s):
- Convert Snort alerts urls to clickable links
- Associate events on Blocked tab
If either or both are enabled and you enter the "Blocked" page, the
page starts to load and seemingly stops loading. If you fire up top on
a console, you see that PHP consumes 100% CPU.
Switching off the above options and then going back into the "Blocked" page, and everything is
back to normal.
I have reproced this error by loading a large amout of ips into the snort2c table.
Example loading 200,000 ips to the snort2c table.
Fix.
change this
$ips = `/sbin/pfctl -t snort2c -T show`;
$ips_array = split("\n", $ips);
to
exec('/sbin/pfctl -t snort2c -T show > /tmp/snort_block.cache');
sleep(1);
$ips = file('/tmp/snort_block.cache');
$ips_array = split("\n", $ips);
Then I am able to load 200,000 ips.
I'll add the code when I have time.
Robert.
robert zelaya wrote:
I have reproced this error by loading a large amout of ips into the snort2c table.
Example loading 200,000 ips to the snort2c table.
Fix.
change this
$ips = `/sbin/pfctl -t snort2c -T show`;
$ips_array = split("
", $ips);
to
exec('/sbin/pfctl -t snort2c -T show > /tmp/snort_block.cache');
sleep(1);
$ips = file('/tmp/snort_block.cache');
$ips_array = split("
", $ips);
Then I am able to load 200,000 ips.
I'll add the code when I have time.
Robert.
Use this instead....
exec('/sbin/pfctl -t snort2c -T show > /tmp/snort_block.cache');
sleep(1);
$ips_array = file('/tmp/snort_block.cache');
Can someone close this bug report.
Robert
- Status changed from New to Resolved
Also available in: Atom
PDF