Hi,

We had the POP3/IMAP connection problem with ossec 2.4.2 or CentOS5 so we updated ossec to version 2.4.4 and the POP3/IMAP connection errors seem better now.

However, asl-shun.pl runs at 99-100% almost all the time and the number of asl-shun.pl processes keep increasing by the minute.

Is there something we need to change or is the server "under attack" ?
Where should we look to find the reason and resolve it?

Also, there are approximately 100 pages of legit IP's blocked due to the POP3/IMAP connection error, how do we clear all these block and black lists is one go so we start over?

When I try to run asl -s -f I get this message and it keeps happening:
Error: Another instance of ASL appears to be running, exiting...

5 S 0 27310 1 0 78 0 - 26534 - pts/0 00:00:00 psmon
0 S 0 27494 1 0 75 0 - 27414 flock_ ? 00:00:00 asl-shun.pl
0 S 0 27504 1 0 75 0 - 27414 flock_ ? 00:00:00 asl-shun.pl
0 S 0 27531 1 0 76 0 - 27414 flock_ ? 00:00:00 asl-shun.pl
0 S 0 27555 1 0 75 0 - 27414 flock_ ? 00:00:00 asl-shun.pl
0 S 0 27557 1 0 76 0 - 27414 flock_ ? 00:00:00 asl-shun.pl
0 S 0 27559 1 0 76 0 - 27414 flock_ ? 00:00:00 asl-shun.pl
0 S 0 27561 1 0 76 0 - 27414 flock_ ? 00:00:00 asl-shun.pl
0 S 0 27564 1 0 76 0 - 27414 flock_ ? 00:00:00 asl-shun.pl
0 S 0 27576 1 0 75 0 - 27414 flock_ ? 00:00:00 asl-shun.pl
0 S 0 27581 1 0 76 0 - 27414 flock_ ? 00:00:00 asl-shun.pl
0 S 0 27660 1 0 76 0 - 27414 flock_ ? 00:00:00 asl-shun.pl
0 S 0 27663 1 0 75 0 - 27414 flock_ ? 00:00:00 asl-shun.pl
0 S 0 27668 1 0 75 0 - 27414 flock_ ? 00:00:00 asl-shun.pl
5 S 113 28219 1 0 75 0 - 11820 - ? 00:00:00 ossec-dbd
1 S 0 28225 1 0 81 0 - 1485 - ? 00:00:00 ossec-execd
5 S 112 28229 1 0 78 0 - 1837 - ? 00:00:00 ossec-analysisd
5 S 0 28234 1 0 75 0 - 1001 - ? 00:00:00 ossec-logcollec
5 S 0 28245 1 0 85 - - 1053 - ? 00:00:00 ossec-syscheckd
5 S 112 28249 1 0 78 0 - 1548 - ? 00:00:00 ossec-monitord

Can you see what rule is being triggered so often? I had a similar problem and it ended up being rule 3306 causing the problem. I was basically getting so many emails blocked by zen.spamhaus.org that asl-shun.pl was having a hard time even keeping up with them.



I followed Scott's suggestion and lowered the level from 6 (block) to 5 (warn only) and that helped tremendously for my situation. I imagine that you could do the same thing with the rule that's causing your problem.

Thanks spaceout,

I changed postfix.xml like suggested and it already seems that asl-shun.pl is not running at 100% cpu with the number of processes dropping steadily.