Over the past few days, I've noticed my ClearOS 6.6 gateway forcibly rebooting itself a couple of times a day. I was previously having some problems with the firewall entering a panic state, but now I'm suspecting that snort is causing an issue.
When I look in /var/log/messages, I see the following (or similar) log entries shortly before ClearOS completely reboots itself:
Oct 26 16:40:57 gateway snort[3366]: S5: Session exceeded configured max bytes to queue 1048576 using 1049202 bytes (client queue). xxx.xxx.xxx.xxx 53384 --> 69.16.xxx.xxx 80 (0) : LWstate 0x9 LWFlags 0x406007
Oct 26 10:50:08 gateway snort[3368]: S5: Session exceeded configured max bytes to queue 1048576 using 1049400 bytes (client queue). xxx.xxx.xxx.xxx 49185 --> 74.125.xxx.xxx 80 (0) : LWstate 0x9 LWFlags 0x6007
In /var/log/snortsam, I'm seeing various errors where snort is trying to unblock previously blocked IP addresses, but the command fails:
2015/10/26, 10:20:06, -, 1, iptables, Info: UnBlocking ip 81.218.125.109
2015/10/26, 10:20:06, -, 1, iptables, Error: Command2 /sbin/iptables -D INPUT -i eth0 -d 81.218.125.109 -j DROP Failed
Running Intrusion Prevention module version 1.5.0-1
ClearOS Professional 6.6.0
Kernel version 2.6.32-504.23.4.v6.x86_64