Process defunct firewall-drop.sh and host-deny.sh


Giorgio Biondi

Jan 22, 2016, 5:57:46 AM
to ossec-list
Hi,

I have some Linux boxes with OSSEC installed and they work fine.
One of them always has some (or many more) processes in status 'Z' (zombie).

See this:

USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root     25003  0.2  0.1 108212  1952 pts/0    S+   11:53   0:00 watch ps aux | grep Z
root     25416  0.0  0.0      0     0 ?        Z    11:55   0:00 [host-deny.sh] <defunct>
root     25417  0.0  0.0      0     0 ?        Z    11:55   0:00 [firewall-drop.s] <defunct>
root     25418  0.0  0.0      0     0 ?        Z    11:55   0:00 [host-deny.sh] <defunct>
root     25419  0.0  0.0      0     0 ?        Z    11:55   0:00 [firewall-drop.s] <defunct>
root     25482  0.0  0.0 106060  1248 pts/0    S+   11:55   0:00 sh -c ps aux | grep Z
root     25484  0.0  0.0 103256   860 pts/0    S+   11:55   0:00 grep Z


These processes belong to the OSSEC system. Apart from this, the OSSEC system works fine, or seems fine.

If I stop the ossec service I get a very high load, but this is a 'known behaviour'.

All the best.

Giorgio Biondi.

Giorgio Biondi

Feb 5, 2016, 3:17:48 AM
to ossec-list
Hi all,

Does nobody have this behavior?

Good weekend

Pedro S

Feb 8, 2016, 5:36:17 AM
to ossec-list
Hi,

Are you using active response? Those files belong to OSSEC active-response; if you are not using it, you can disable it by editing the ossec.conf file:

  <active-response>
    <disabled>yes</disabled>
  </active-response>

Best regards,

Pedro S.

Giorgio Biondi

Feb 8, 2016, 5:40:11 AM
to ossec...@googlegroups.com
Hi Pedro,

Of course I am using active response. The solution can't be 'not using this feature'.

:-)


Pedro S

Feb 8, 2016, 6:33:11 AM
to ossec-list
Of course it is not a solution; I thought you were not sure what active-response is and were complaining about those scripts.

Regarding your problem, I am not sure why these processes remain in zombie status. I think by default both scripts should execute, block the IP, and after 600 seconds execute again and unblock the IP.

Check /var/ossec/logs/active-responses.log; maybe we can find something useful there.

Pedro S

Feb 8, 2016, 7:03:26 AM
to ossec-list
I can tell you, host-deny.sh and firewall-drop.sh remain running for about 30 seconds before stopping. Alerts with a level higher than 6 and a srcip will trigger active-response; if your installation is generating a bunch of these alerts, that may be why you have a bunch of processes belonging to these scripts.
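A tighter check for the situation described in the first post and in the reply above, as an added example that is not part of the thread: `ps aux | grep Z` matches any line containing a capital Z (including the grep itself), so the script below filters on the STAT column instead and groups zombies by parent PID, because a zombie is a child whose parent has not yet reaped it with wait(). A parent that accumulates many unreaped active-response children is the thing to look at. The sample listing is constructed from the thread's output; the PPID column and the ossec-execd parent are assumptions, since the original `ps aux` output has no PPID column.

```shell
#!/bin/sh
# Added example (not from the thread): summarise zombie ('Z') processes from
# `ps -eo pid,ppid,stat,comm` output, grouped by command and by parent PID.
# Filtering on the STAT column avoids the false matches of `ps aux | grep Z`.

# Constructed sample modelled on the thread's listing. PPID values and the
# ossec-execd parent are assumptions; comm names are truncated as ps does.
SAMPLE_PS='  PID  PPID STAT COMMAND
    1     0 Ss   systemd
 2201     1 S    ossec-execd
25003 24990 S+   watch
25416  2201 Z    host-deny.sh
25417  2201 Z    firewall-drop.s
25418  2201 Z    host-deny.sh
25419  2201 Z    firewall-drop.s
25482 25003 S+   sh
25484 25482 S+   grep'

# zombie_rows LISTING: print "pid ppid comm" for each process whose STAT starts with Z.
zombie_rows() {
    printf '%s\n' "$1" | awk 'NR > 1 && $3 ~ /^Z/ { print $1, $2, $4 }'
}

# zombie_count LISTING: total number of zombie processes.
zombie_count() {
    zombie_rows "$1" | wc -l | tr -d ' '
}

# zombies_by_parent LISTING: "ppid count" lines, most zombies first,
# so the parent that is not reaping its children stands out.
zombies_by_parent() {
    zombie_rows "$1" | awk '{ n[$2]++ } END { for (p in n) print p, n[p] }' | sort -k2,2nr
}

# zombies_by_comm LISTING: "comm count" lines, most zombies first.
zombies_by_comm() {
    zombie_rows "$1" | awk '{ n[$3]++ } END { for (c in n) print c, n[c] }' | sort -k2,2nr
}

# parent_comm PID LISTING: command name of the given PID in the listing.
parent_comm() {
    printf '%s\n' "$2" | awk -v pid="$1" 'NR > 1 && $1 == pid { print $4 }'
}

# report LISTING: human-readable summary of the zombies in a listing.
report() {
    ps_out="$1"
    echo "zombies: $(zombie_count "$ps_out")"
    zombies_by_parent "$ps_out" | while read -r ppid n; do
        echo "  parent $ppid ($(parent_comm "$ppid" "$ps_out")) has $n unreaped children"
    done
    echo "  by command:"
    zombies_by_comm "$ps_out" | sed 's/^/    /'
}

# Run against the live system with --live, otherwise against the constructed sample.
if [ "${1:-}" = "--live" ]; then
    report "$(ps -eo pid,ppid,stat,comm)"
else
    report "$SAMPLE_PS"
fi
```

Run it without arguments to see the summary for the constructed sample, or with `--live` on the affected host. If all zombies share one parent, as in the sample, the fix lies with that parent's child handling (or with the alert volume that keeps spawning children), not with the scripts themselves, which have already exited.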

Antonio Querubin

Feb 8, 2016, 1:30:36 PM
to ossec-list
They're effects of the load spike.


Antonio Querubin
e-mail: to...@lavanauts.org
xmpp: antonio...@gmail.com