Good morning. Let me edit this post with some additional detail and some questions.
I have Suricata set up to monitor the WAN and my VLANs only. However, trying to download a large file (e.g. Apex Legends) causes the memory usage of Suricata to jump up to 75%. However, it appears to be where a file is downloaded within the game launcher itself where Suricata jumps to 75%; not downloading from the EA site directly.
I noticed in the Activity monitor (System > Diagnostics > Activity) that Suricata was referencing the WAN in the command line, which makes sense because I'm only monitoring the WAN and my VLAN.
Settings:
IPS Mode: Checked
Promiscuous Mode: Checked
Pattern Matcher: Hyperscan
Interfaces: WAN; VLAN50
Download Rules: Some of the ET rules (botcc, compromised, drop, attack-response, exploit, malware, trojan, worm).
Just wondering: is it possible to whitelist a site for Suricata to ignore? If I need to use an IP address, I'm assuming I could find the IP of the affected URL and add that to a user-defined pass list. Any guidance would be appreciated.
This is what I'm referring to... trying to download something in the Steam store makes Suricata use a lot of CPU on the WAN side:
86290 root 90 0 1936M 220M CPU0 0 2:23 59.67% /usr/local/bin/suricata -D --netmap --pidfile /var/run/suricata.pid -c /usr/local/etc/suricata/suricata.yaml{W#01-msk0_vlan2}
Downloading Steam directly from their website didn't have Suricata use so much CPU.
Isn't it supposed to run internally and not on the WAN port?
I never get hits when it's activated on WAN, but from traffic on my LAN...