Hi,
We had the POP3/IMAP connection problem with ossec 2.4.2 on CentOS5, so we updated ossec to version 2.4.4 and the POP3/IMAP connection errors seem better now.
However, asl-shun.pl runs at 99-100% almost all the time and the number of asl-shun.pl processes keeps increasing by the minute.
Is there something we need to change or is the server "under attack"?
Where should we look to find the reason and resolve it?
Also, there are approximately 100 pages of legit IPs blocked due to the POP3/IMAP connection error. How do we clear all these block and black lists in one go so we start over?
When I try to run asl -s -f I get this message and it keeps happening:
Error: Another instance of ASL appears to be running, exiting...
5 S 0 27310 1 0 78 0 - 26534 - pts/0 00:00:00 psmon
0 S 0 27494 1 0 75 0 - 27414 flock_ ? 00:00:00 asl-shun.pl
0 S 0 27504 1 0 75 0 - 27414 flock_ ? 00:00:00 asl-shun.pl
0 S 0 27531 1 0 76 0 - 27414 flock_ ? 00:00:00 asl-shun.pl
0 S 0 27555 1 0 75 0 - 27414 flock_ ? 00:00:00 asl-shun.pl
0 S 0 27557 1 0 76 0 - 27414 flock_ ? 00:00:00 asl-shun.pl
0 S 0 27559 1 0 76 0 - 27414 flock_ ? 00:00:00 asl-shun.pl
0 S 0 27561 1 0 76 0 - 27414 flock_ ? 00:00:00 asl-shun.pl
0 S 0 27564 1 0 76 0 - 27414 flock_ ? 00:00:00 asl-shun.pl
0 S 0 27576 1 0 75 0 - 27414 flock_ ? 00:00:00 asl-shun.pl
0 S 0 27581 1 0 76 0 - 27414 flock_ ? 00:00:00 asl-shun.pl
0 S 0 27660 1 0 76 0 - 27414 flock_ ? 00:00:00 asl-shun.pl
0 S 0 27663 1 0 75 0 - 27414 flock_ ? 00:00:00 asl-shun.pl
0 S 0 27668 1 0 75 0 - 27414 flock_ ? 00:00:00 asl-shun.pl
5 S 113 28219 1 0 75 0 - 11820 - ? 00:00:00 ossec-dbd
1 S 0 28225 1 0 81 0 - 1485 - ? 00:00:00 ossec-execd
5 S 112 28229 1 0 78 0 - 1837 - ? 00:00:00 ossec-analysisd
5 S 0 28234 1 0 75 0 - 1001 - ? 00:00:00 ossec-logcollec
5 S 0 28245 1 0 85 - - 1053 - ? 00:00:00 ossec-syscheckd
5 S 112 28249 1 0 78 0 - 1548 - ? 00:00:00 ossec-monitord
asl-shun.pl running at 100% with number increasing
Re: asl-shun.pl running at 100% with number increasing
Can you see what rule is being triggered so often? I had a similar problem and it ended up being rule 3306 causing the problem. I was basically getting so many emails blocked by zen.spamhaus.org that asl-shun.pl was having a hard time even keeping up with them.
I followed Scott's suggestion and lowered the level from 6 (block) to 5 (warn only) and that helped tremendously for my situation. I imagine that you could do the same thing with the rule that's causing your problem.
Code:
<rule id="3306" level="6">
  <if_sid>3301, 3302</if_sid>
  <match> blocked using </match>
  <description>IP Address black-listed by anti-spam (blocked).</description>
  <group>spam,</group>
</rule>
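One way to answer the question raised in the reply above (which rule is firing so often) is to tally the OSSEC alerts log by rule ID and then by source IP for the busiest rule. This is an added example, not part of the original posts and not ASL or OSSEC code; it assumes the standard OSSEC alerts.log record layout, and the function names and sample records are constructed for illustration.

```shell
# top_rules FILE -> "count rule_id level" lines, busiest rule first.
# Matches record lines such as: Rule: 3306 (level 6) -> 'description'
top_rules() {
    awk '/^Rule: [0-9]+ \(level [0-9]+\)/ {
             gsub(/[()]/, "", $4)            # "6)" -> "6"
             count[$2 " " $4]++
         }
         END { for (k in count) print count[k], k }' "$1" | sort -k1,1nr -k2,2n
}

# rule_sources FILE RULE_ID -> "count src_ip" lines for one rule, busiest first.
rule_sources() {
    awk -v id="$2" '
        /^\*\* Alert /     { hit = 0 }           # a new alert record starts
        /^Rule: /          { hit = ($2 == id) }  # is this the rule we want?
        /^Src IP: / && hit { count[$3]++ }
        END { for (ip in count) print count[ip], ip }' "$1" | sort -k1,1nr -k2,2
}

# Constructed sample records (not from the thread), documentation-range IPs.
sample_alerts() {
cat <<'EOF'
** Alert 1280000001.1001: - syslog,postfix,spam,
2010 Jul 24 10:00:01 mail->/var/log/maillog
Rule: 3306 (level 6) -> 'IP Address black-listed by anti-spam (blocked).'
Src IP: 192.0.2.10

** Alert 1280000002.1002: - syslog,postfix,spam,
2010 Jul 24 10:00:02 mail->/var/log/maillog
Rule: 3306 (level 6) -> 'IP Address black-listed by anti-spam (blocked).'
Src IP: 192.0.2.10

** Alert 1280000003.1003: - syslog,postfix,spam,
2010 Jul 24 10:00:03 mail->/var/log/maillog
Rule: 3306 (level 6) -> 'IP Address black-listed by anti-spam (blocked).'
Src IP: 198.51.100.7

** Alert 1280000004.1004: - syslog,sshd,
2010 Jul 24 10:00:04 mail->/var/log/secure
Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'
Src IP: 203.0.113.5
EOF
}

log=$(mktemp); sample_alerts > "$log"
top_rules "$log"            # which rules fire most
rule_sources "$log" 3306    # who triggers the busiest one
rm -f "$log"
```

On a live server, pass the real alerts log instead of the sample; /var/ossec/logs/alerts/alerts.log is the stock OSSEC location and is an assumption for an ASL install.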
Re: asl-shun.pl running at 100% with number increasing
Thanks spaceout,
I changed postfix.xml like suggested and it already seems that asl-shun.pl is not running at 100% cpu with the number of processes dropping steadily.