OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: yeraycito on July 10, 2019, 05:06:53 pm

Title: HOWTO - Advanced Settings Suricata
Post by: yeraycito on July 10, 2019, 05:06:53 pm
1 - Services: Intrusion Detection: Administration - Advanced Mode:

Detect Profile: Custom

ToClient: 100

ToServer: 100


2 - Stop Suricata in OPNsense

Access by SSH (WinSCP for Windows: https://winscp.net/eng/download.php)

Open WinSCP:
Enter the OPNsense IP address
Enter the OPNsense login/password

Locate these two files:

/usr/local/etc/suricata/suricata.yaml
and
/usr/local/opnsense/service/templates/opnsense/ids/suricata.yaml

Tuning Suricata (IPS MODE ACTIVE):
EDIT THE SAME PARAMETERS in the 2 suricata.yaml files
Search in suricata.yaml:

#max-pending-packets: 1024

# Defrag settings:

defrag:
  memcap: 32mb

flow:
  memcap: 128mb
 
Stream engine settings:

stream:
  memcap: 32mb
  reassembly:
    memcap: 64mb

stream:
  memcap: 64mb
  reassembly:
    memcap: 256mb


 
host:
  memcap: 32mb



I repeat: the same parameters must be edited in the 2 suricata.yaml files mentioned at the beginning.

Save changes
Start Suricata


Settings tested on a mini-PC:
Suricata active in IPS mode on WAN
Pattern matcher: Hyperscan
Promiscuous mode: Disabled
Rules: ET PRO TELEMETRY (all rules active, action drop)

Intel(R) Celeron(R) CPU J3160 @ 1.60GHz (4 cores)
Memory: 8 GB
OPNsense 20.7.5
OPNsense memory consumption with the modified Suricata settings: 20%
Internet connection: 50 MB

Optional: Advanced security options
In suricata.yaml:

# Enable defrag per host settings
#  host-config:
#
#    - dmz:
#        timeout: 30
#        address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"]
#
#    - lan:
#        timeout: 45
#        address:
#          - 192.168.0.0/24
#          - 192.168.10.0/24
#          - 172.16.14.0/24
#          - Put here the ranges of local IP addresses of your system (example: 192.168.50.1/24)

host-os-policy:
  # Make the default policy windows.
  windows: [0.0.0.0/0]
  bsd: []
  bsd-right: []
  old-linux: []
  linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
  old-solaris: []
  solaris: ["::1"]
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []

Put here your local IPs depending on the operating system. Examples:
Windows computer: windows: [0.0.0.0/0, 192.168.50.16]
NAS (Linux): linux: [10.0.0.0/8, 192.168.50.18, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]


VERY IMPORTANT: Make a copy of the 2 suricata.yaml files, because every time OPNsense is updated the configuration is lost. After updating OPNsense, edit the 2 suricata.yaml files again (or copy the 2 edited suricata.yaml files saved beforehand over the suricata.yaml files that now exist).

Title: Re: HOWTO - Advanced Settings Suricata
Post by: hbc on July 10, 2019, 10:23:30 pm
In this context 0.0.0.0/0 means any IP? But that also matches the RFC 1918 addresses from Linux.
Would this mean you have to use different subnets per OS and specify them in os-policy?
Title: Re: HOWTO - Advanced Settings Suricata
Post by: yeraycito on July 11, 2019, 10:19:45 am
In this context 0.0.0.0/0 means any IP? But that also matches the RFC 1918 addresses from Linux.

0.0.0.0/0 is the default in the original suricata.yaml. I have left it as it is, adding the IP of my Windows computer.

Would this mean you have to use different subnets per OS and specify them in os-policy?

Yes. Suricata rules act in one way or another depending on the operating system (official Suricata documentation).
Put here the local IPs of your equipment in the boxes of the corresponding operating systems.

Example:

windows: [0.0.0.0/0,192.168.50.16]

192.168.50.16 is the local ip of my windows computer.

linux: [10.0.0.0/8, 192.168.50.18]

192.168.50.18 is the local ip of my linux NAS
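The overlap hbc asks about above is resolved by precedence: Suricata keeps the host-os-policy table in a radix tree and picks the most specific (longest-prefix) entry for an address, so 192.168.50.18 listed under linux wins over the 0.0.0.0/0 default under windows, while any Linux box that is not listed is treated as Windows. The script below is an added example, not code from any post or from Suricata itself: resolve_os() re-implements that longest-prefix rule in plain Python over the policy table quoted in the posts (extended with the two example hosts), and overlapping_entries() lists which specific entries are carved out of a broader one under another OS, which is the check to run before trusting the catch-all default.

```python
"""Added example (not part of any post in this thread): model how Suricata
chooses a host-os-policy entry when an address matches more than one.

Suricata keeps the host-os-policy table in a radix tree and returns the most
specific (longest-prefix) entry, so a single-host entry under 'linux' beats
the 0.0.0.0/0 default under 'windows'. resolve_os() re-implements that rule
in plain Python (this example's code, not Suricata's); the policy table
below is the one quoted in the posts plus the two example hosts.
"""
import ipaddress

# host-os-policy as posted, plus the Windows PC and the Linux NAS from the reply.
HOST_OS_POLICY = {
    "windows": ["0.0.0.0/0", "192.168.50.16"],
    "linux": ["10.0.0.0/8", "192.168.50.18", "192.168.1.100",
              "8762:2352:6241:7245:E000:0000:0000:0000"],
    "solaris": ["::1"],
}


def compile_policy(policy):
    """Flatten {os: [address-or-cidr, ...]} into [(network, os), ...].

    A bare address becomes a /32 (or /128). The same prefix listed under two
    operating systems is rejected: Suricata could only honour one of them.
    """
    table = {}
    for os_name, entries in policy.items():
        for entry in entries:
            net = ipaddress.ip_network(entry, strict=False)
            if net in table and table[net] != os_name:
                raise ValueError(f"{net} listed under both {table[net]} and {os_name}")
            table[net] = os_name
    return list(table.items())


def resolve_os(table, address):
    """Return the OS policy for `address` by longest-prefix match, or None
    when no entry covers it (Suricata then falls back to its built-in default)."""
    ip = ipaddress.ip_address(address)
    best = None
    for net, os_name in table:
        if net.version != ip.version or ip not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, os_name)
    return None if best is None else best[1]


def overlapping_entries(table):
    """List (wide, wide_os, narrow, narrow_os) where a narrower entry under a
    different OS is carved out of a wider one. With 0.0.0.0/0 under windows,
    every Linux host you forget to list is treated as Windows; this shows the
    hosts you did remember."""
    rows = []
    for wide, wide_os in table:
        for narrow, narrow_os in table:
            if wide == narrow or wide.version != narrow.version:
                continue
            if narrow.subnet_of(wide) and wide_os != narrow_os:
                rows.append((str(wide), wide_os, str(narrow), narrow_os))
    return rows


if __name__ == "__main__":
    table = compile_policy(HOST_OS_POLICY)
    for host in ("192.168.50.16", "192.168.50.18", "10.1.2.3", "192.168.50.99"):
        print(f"{host:>16} -> {resolve_os(table, host)}")
    for row in overlapping_entries(table):
        print("shadowed: %s (%s) by %s (%s)" % row)
```

Running it shows 192.168.50.99, an address listed nowhere, resolving to windows: that is the practical consequence of keeping 0.0.0.0/0 as the default, and the reason every non-Windows host on the LAN needs its own entry (or its subnet) under the right OS.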
Title: Re: HOWTO - Advanced Settings Suricata
Post by: yeraycito on August 14, 2019, 03:01:21 pm
Important: Make a copy of the 2 suricata.yaml files, because every time OPNsense is updated the settings are lost and you have to put them back. If Suricata itself is updated you will have to apply the settings manually again, because the suricata.yaml files will surely be different.
Title: Re: HOWTO - Advanced Settings Suricata
Post by: yeraycito on January 31, 2020, 05:51:08 pm
Updated configuration parameters
Title: Re: HOWTO - Advanced Settings Suricata
Post by: yeraycito on November 28, 2020, 05:07:43 pm
Updated configuration.
Title: Re: HOWTO - Advanced Settings Suricata
Post by: l0rdraiden on November 28, 2020, 07:45:20 pm
The configuration parameters could be brought to the web ui
Title: Re: HOWTO - Advanced Settings Suricata
Post by: yeraycito on September 23, 2021, 03:23:34 pm
Suricata 6 - OPNsense 21.7.3:

1 - Services: Intrusion Detection: Administration - Advanced Mode:

Detect Profile: High


2 - Stop Suricata in OPNsense

Access by SSH (WinSCP for Windows: https://winscp.net/eng/download.php)

Open WinSCP:
Enter the OPNsense IP address
Enter the OPNsense login/password

Locate these two files:

/usr/local/etc/suricata/suricata.yaml
and
/usr/local/opnsense/service/templates/opnsense/ids/suricata.yaml

Tuning Suricata (IPS MODE ACTIVE):
EDIT THE SAME PARAMETERS in the 2 suricata.yaml files
Search in suricata.yaml:

max-pending-packets: 10000    (remove the leading #)

stream:
  memcap: 64mb
  reassembly:
    memcap: 256mb

I repeat: the same parameters must be edited in the 2 suricata.yaml files mentioned at the beginning.

Save changes
Start Suricata


Settings tested on a mini-PC:
Suricata active in IPS mode on WAN
Pattern matcher: Hyperscan
Promiscuous mode: Disabled
Rules: ET PRO TELEMETRY (all rules active, action drop)

Intel(R) Celeron(R) CPU J3160 @ 1.60GHz (4 cores)
Memory: 8 GB
OPNsense 21.7.3
OPNsense memory consumption with the modified Suricata settings: 2 GB
Internet connection: 300 MB

Optional: Advanced security options
In suricata.yaml:

# Enable defrag per host settings
#  host-config:
#
#    - dmz:
#        timeout: 30
#        address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"]
#
#    - lan:
#        timeout: 45
#        address:
#          - 192.168.0.0/24
#          - 192.168.10.0/24
#          - 172.16.14.0/24
#          - Put here the ranges of local IP addresses of your system (example: 192.168.50.1/24)

host-os-policy:
  # Make the default policy windows.
  windows: [0.0.0.0/0]
  bsd: []
  bsd-right: []
  old-linux: []
  linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
  old-solaris: []
  solaris: ["::1"]
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []

Put here your local IPs depending on the operating system. Examples:
Windows computer: windows: [0.0.0.0/0, 192.168.50.16]
NAS (Linux): linux: [10.0.0.0/8, 192.168.50.18, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]


VERY IMPORTANT: Make a copy of the 2 suricata.yaml files, because every time OPNsense is updated the configuration is lost. After updating OPNsense, edit the 2 suricata.yaml files again (or copy the 2 edited suricata.yaml files saved beforehand over the suricata.yaml files that now exist).
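Both versions of the procedure in this thread (the 2019/2020 one and the Suricata 6 one above) are hand edits in WinSCP that have to be redone after every update. The script below is an added example, not tooling from the thread or from OPNsense: it backs up the two suricata.yaml files the posts name and re-applies the Suricata 6 values in place. Edits are line-based, so the file's comments and layout survive, and a key is located by its dotted path derived from YAML indentation, so stream.reassembly.memcap is changed while defrag.memcap is left alone; a second run changes nothing. The walker, the constructed SAMPLE_YAML excerpt and demo() are this example's own; the two paths are quoted as the posts give them (the template tree is case-sensitive, so check them on your own installation).

```python
"""Added example, not the thread author's tooling: back up the two
suricata.yaml files and re-apply the tuning values in place.

Edits are line-based so comments and layout survive. A key is located by
its dotted path derived from YAML indentation, so 'stream.reassembly.memcap'
never touches 'defrag.memcap'. Paths and values are the thread's; the
walker, the constructed SAMPLE_YAML and demo() are this example's own.
"""
import re
import shutil
import tempfile
import time
from pathlib import Path

# The two files the thread says must carry identical edits (check the case
# of the template path on your own installation).
SURICATA_FILES = [
    Path("/usr/local/etc/suricata/suricata.yaml"),
    Path("/usr/local/opnsense/service/templates/opnsense/ids/suricata.yaml"),
]

# Values from the Suricata 6 / OPNsense 21.7.3 post.
TUNING = [
    ("max-pending-packets", "10000"),
    ("stream.memcap", "64mb"),
    ("stream.reassembly.memcap", "256mb"),
]

_KEY_RE = re.compile(
    r"^(?P<indent> *)(?P<comment>#\s*)?(?P<key>[A-Za-z0-9_-]+):(?P<rest>.*)$")


def apply_tuning(text, tuning=TUNING):
    """Return (patched_text, changed_paths); a second run changes nothing.

    A commented-out key ('#max-pending-packets: 1024') is uncommented in
    place. A missing key is left missing rather than appended, because an
    appended line could land under the wrong section.
    """
    targets = dict(tuning)
    stack = []                       # [(indent, key)]: enclosing sections
    out, changed = [], []
    for line in text.splitlines(keepends=True):
        m = _KEY_RE.match(line)
        if not m:                    # blank, list item, prose comment, '---'
            out.append(line)
            continue
        indent, key = len(m.group("indent")), m.group("key")
        value = m.group("rest").split("#")[0].strip()   # drop inline comment
        commented = m.group("comment") is not None
        if not commented:            # only live keys close a section
            while stack and stack[-1][0] >= indent:
                stack.pop()
        path = ".".join([k for _, k in stack] + [key])
        if path in targets and value:
            new_line = f"{' ' * indent}{key}: {targets[path]}\n"
            if new_line != line:
                changed.append(path)
            out.append(new_line)
        else:
            out.append(line)
        if not commented and not value:          # 'stream:' opens a section
            stack.append((indent, key))
    return "".join(out), changed


def patch_file(path, tuning=TUNING):
    """Write a timestamped backup beside `path`, then the tuned text.
    Returns the changed key paths; an empty list means the file was left alone."""
    path = Path(path)
    original = path.read_text()
    patched, changed = apply_tuning(original, tuning)
    if changed:
        stamp = time.strftime("%Y%m%d-%H%M%S")
        shutil.copy2(path, path.with_name(f"{path.name}.{stamp}.bak"))
        path.write_text(patched)
    return changed


# Constructed excerpt in the layout of a stock suricata.yaml (not a real file).
SAMPLE_YAML = """%YAML 1.1
---
# Number of packets preallocated per thread.
#max-pending-packets: 1024

defrag:
  memcap: 32mb

stream:
  memcap: 32mb
  checksum-validation: yes      # reject incorrect csums
  reassembly:
    memcap: 64mb
    depth: 1mb
"""


def demo():
    """Patch SAMPLE_YAML twice in a scratch directory and report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "suricata.yaml"
        target.write_text(SAMPLE_YAML)
        first, second = patch_file(target), patch_file(target)
        backups = len(list(Path(tmp).glob("suricata.yaml.*.bak")))
        return {"first": first, "second": second,
                "backups": backups, "text": target.read_text()}


if __name__ == "__main__":              # run on the firewall with Suricata stopped
    for f in SURICATA_FILES:
        print(f, patch_file(f) if f.exists() else "not found")
```

Run it with Suricata stopped, as the posts do, and validate the result with `suricata -T -c /usr/local/etc/suricata/suricata.yaml` before starting the service again; the printed list of changed paths is the check that the edit landed on the intended keys and nowhere else.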
Title: Re: HOWTO - Advanced Settings Suricata
Post by: rungekutta on September 29, 2021, 08:10:08 am
What is the difference in performance and/or other behavior before and after? Do you really need to tune Suricata on a 100Mbit connection?
Title: Re: HOWTO - Advanced Settings Suricata
Post by: yeraycito on September 29, 2021, 06:58:57 pm
I forgot to change the parameter. I have 300 MB. I have already changed it. The settings are still valid for 1 GB connections. And the performance is noticeable.
Title: Re: HOWTO - Advanced Settings Suricata
Post by: rungekutta on September 30, 2021, 09:34:47 pm
Thanks. I'm interested in tuning Suricata as it's already using a fair bit of CPU on 1Gb WAN, and as I will be getting 10Gb soon I foresee it becoming a bottleneck pretty quickly.

On initial setup and when I switched to Hyperscan I noticed a big difference. Anything else has been very marginal at best, so before starting to hack configuration files I'm interested in more quantifiable data on actual expected gains. Have you made any such comparisons...?
Title: Re: HOWTO - Advanced Settings Suricata
Post by: yeraycito on October 02, 2021, 05:56:44 pm
If you have looked at the last configuration settings I posted, you will see that they are almost the original ones. Among the few I have touched is max-pending-packets. I have activated this parameter and configured it according to the official Suricata information. It increases performance when there are many active connections. The rest of the parameters relate to better Suricata performance by specifying the local IPs and their operating systems.