Dear All,
Today we updated one box (a physical box) to OPNsense 18.7.7-amd64.
We were so happy with the new IDS version.
However, after enabling some of the app detection rules, the Inline Intrusion Prevention System keeps stopping from time to time and we have to click on start to manually start it.
In the log file there is nothing.
Please see the screenshots.
Thank you
Could be an issue with a ruleset.
Some rulesets do not "like" Hyperscan, so you may want to try Aho-Corasick as a pattern matcher.
Thank you for your answer Jos,
Does it matter for the speed, using hyper or aho?
I have changed it now to aho and let's see if it keeps on.
For pattern matching Hyperscan is faster, but it all depends on the rules used.
More information can be found here (mind that the current version of Suricata is more performant than the tested version in this doc): https://www.intel.com/content/dam/www/public/us/en/documents/solution-briefs/hyperscan-scalability-solution-brief.pdf
We have enabled multiple rules, maybe that's why it is this way.
When they say Hyperscan is faster than aho, does that mean faster at scanning the pattern, or that the internet is faster?
IDS remains active after we changed hyper to aho. Thank you Jos.
As I understand it, for Hyperscan it is better to use the Emerging Threats rule set?
I am not sure why Hyperscan seems to crash with certain rules, should investigate that... but lacking time.
With the ETOpen/Pro rules it seems to function fine...
Issues could be related to the type and amount of pcre rules; memory exhaustion could be a cause.
As for the performance difference, Hyperscan only makes sense on pattern matching rules.
Hi,
I had the same issue with Hyperscan and it was due to a signature parsing issue in the ruleset /etc/suricata/opnsense.rules/abuse.ch.urlhaus.rules at line 519.
You can check in the log what is causing the issue.
I have disabled those rules (I was not using them anyway) and everything is working fine now.
:)
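An added example (not code from this thread, from OPNsense or from the Suricata project) that does the kind of triage the two posts above describe: it reads a Suricata rules file, counts for each rule the content: patterns (the part the multi-pattern matcher, Hyperscan or Aho-Corasick, handles) and the pcre: expressions (which Suricata evaluates with its PCRE engine after the pattern matcher), and reports any line that does not parse as a rule together with its line number, so it can be compared with the line Suricata names in its log. The rule file embedded in the script is constructed for the example; the sids 9000001 to 9000004 and the rule text are made up and are not real abuse.ch or ET signatures.

```python
"""Triage a Suricata rules file for pattern-matcher trouble spots.

Added example, not code from the OPNsense thread or the Suricata project.
The sample rules at the bottom are constructed for this example; the sids
9000001-9000004 and the rule text are made up.
"""
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Rule header: action proto src sport dir dst dport ( options )
RULE_RE = re.compile(
    r"^(?P<action>alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)
# content: patterns go to the multi-pattern matcher (Hyperscan or Aho-Corasick);
# pcre: expressions are evaluated by the PCRE engine after the pattern matcher.
CONTENT_RE = re.compile(r'\bcontent:\s*!?\s*"')
PCRE_RE = re.compile(r'\bpcre:\s*!?\s*"')
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


@dataclass
class RuleInfo:
    line: int
    sid: int
    contents: int  # number of content: patterns in the rule
    pcres: int     # number of pcre: expressions in the rule


@dataclass
class Problem:
    line: int
    reason: str
    text: str


def parse_rules(text: str) -> Tuple[List[RuleInfo], List[Problem]]:
    """Classify every active rule line; report lines that do not parse."""
    rules: List[RuleInfo] = []
    problems: List[Problem] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or disabled rule
        m = RULE_RE.match(line)
        if m is None:
            problems.append(Problem(lineno, "does not parse as a rule", line))
            continue
        opts = m.group("opts")
        sid = SID_RE.search(opts)
        if sid is None:
            problems.append(Problem(lineno, "missing sid", line))
            continue
        rules.append(RuleInfo(lineno, int(sid.group(1)),
                              len(CONTENT_RE.findall(opts)),
                              len(PCRE_RE.findall(opts))))
    return rules, problems


def summarize(rules: List[RuleInfo]) -> Dict[str, int]:
    """Counts a practitioner wants before blaming the pattern matcher."""
    return {
        "rules": len(rules),
        "with_pcre": sum(1 for r in rules if r.pcres),
        "pcre_without_content": sum(1 for r in rules if r.pcres and not r.contents),
        "content_patterns": sum(r.contents for r in rules),
        "pcre_expressions": sum(r.pcres for r in rules),
    }


SAMPLE_RULES = r"""# constructed sample rules, not real signatures
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE content only"; flow:established,to_server; content:"/example/path"; http_uri; sid:9000001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE content plus pcre"; flow:established,to_server; content:"/dl/"; http_uri; pcre:"/\/dl\/[a-z0-9]{8}\.exe$/Ui"; sid:9000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"EXAMPLE missing closing paren"; content:"bad"; sid:9000003; rev:1;
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE pcre only"; flow:established,to_server; pcre:"/^\/[a-f0-9]{32}$/U"; pcre:"/php$/Ui"; sid:9000004; rev:1;)
"""


def main() -> None:
    # With a path argument the script triages that file; otherwise the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    rules, problems = parse_rules(text)
    for p in problems:
        print(f"line {p.line}: {p.reason}: {p.text[:70]}")
    for r in rules:
        print(f"line {r.line} sid {r.sid}: content={r.contents} pcre={r.pcres}")
    print(summarize(rules))


if __name__ == "__main__":
    main()
```

Run it without arguments to triage the constructed sample, or pass the path of a rules file (for instance the abuse.ch.urlhaus.rules file named above) to triage a real ruleset. The syntax check is a loose heuristic, far looser than Suricata's own parser, so a rule this script accepts can still be rejected by Suricata; the authoritative check remains Suricata's log, or running `suricata -T -c <suricata.yaml>` to test the configuration and rules without starting the engine. Rules that carry pcre: but no content: get no benefit from the faster matcher, since there is no pattern for it to prefilter on.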
Quote from: jschellevis on November 16, 2018, 07:17:35 PM
I am not sure why Hyperscan seems to crash with certain rules, should investigate that... but lacking time.
With the ETOpen/Pro rules it seems to function fine...
Issues could be related to the type and amount of pcre rules; memory exhaustion could be a cause.
As for the performance difference, Hyperscan only makes sense on pattern matching rules.
Thank you for your answer Jos,
When you refer to ETOpen/Pro rules, I believe you mean the paid rules?
I cannot seem to find those rules at all.
The only ET rules are:
ET open/botcc
ET open/botcc.portgrouped
ET open/ciarmy
ET open/compromised
ET open/drop
ET open/dshield
ET open/emerging-activex
ET open/emerging-attack_response
ET open/emerging-chat
ET open/emerging-current_events
ET open/emerging-deleted
ET open/emerging-dns
ET open/emerging-dos
ET open/emerging-exploit
ET open/emerging-ftp
ET open/emerging-games
ET open/emerging-icmp
ET open/emerging-icmp_info
ET open/emerging-imap
ET open/emerging-inappropriate
ET open/emerging-info
ET open/emerging-malware
ET open/emerging-misc
ET open/emerging-mobile_malware
ET open/emerging-netbios
ET open/emerging-p2p
ET open/emerging-policy
ET open/emerging-pop3
ET open/emerging-rpc
ET open/emerging-scada
ET open/emerging-scan
ET open/emerging-shellcode
ET open/emerging-smtp
ET open/emerging-snmp
ET open/emerging-sql
ET open/emerging-telnet
ET open/emerging-tftp
ET open/emerging-trojan
ET open/emerging-user_agents
ET open/emerging-voip
ET open/emerging-web_client
ET open/emerging-web_server
ET open/emerging-web_specific_apps
ET open/emerging-worm
Are you referring to those rules?
Yes, those are the ET Open rules; these are free/community rules.
The ET PRO are the commercial rules.
Quote from: jschellevis on November 17, 2018, 01:27:32 AM
Yes, those are the ET Open rules; these are free/community rules.
The ET PRO are the commercial rules.
Thank you Jos for your support.
I will go ahead and enable those rules and see how stuff is working.
PS: IPS is killing my speed but I am investigating why.