OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: yeraycito on July 10, 2019, 05:06:53 pm

Title: HOWTO - Advanced Settings Suricata
Post by: yeraycito on July 10, 2019, 05:06:53 pm
First, stop Suricata in OPNsense.

Access by SSH (WinSCP for Windows: https://winscp.net/eng/download.php)

Open WinSCP:
Enter the OPNsense IP address
Enter the OPNsense login/password

Find the paths:

/usr/local/etc/suricata/suricata.yaml
and
/usr/local/opnsense/service/templates/opnsense/ids/suricata.yaml

Tuning Suricata (IPS MODE ACTIVE):
Edit the same parameters in both suricata.yaml files.
Search in suricata.yaml for:

#max-pending-packets: 5000

detect-engine:
  - profile: custom
  - custom-values:
      toclient-groups: 200
      toserver-groups: 200
  - sgh-mpm-context: auto
  - inspection-recursion-limit: 3000

# Defrag settings:

defrag:
  memcap: 128mb

flow:
  memcap: 1gb
  hash-size: 1048576
  prealloc: 1048576
  emergency-recovery: 30

# stream:
#   memcap: 2gb
#   prealloc-sessions: 30000

#   reassembly:
#     memcap: 4gb
#     depth: 4mb
#     chunk-prealloc: 5000
#     segments:
#       - size: 4
#         prealloc: 1024

(repeat the settings below with some changes):

stream:
  memcap: 2gb
  reassembly:
    memcap: 4gb
    depth: 4mb
    #chunk-prealloc: 5000
    #segments:
    #  - size: 4
    #    prealloc: 1024
    #  - size: 16
    #    prealloc: 2048
    #  - size: 112
    #    prealloc: 2048
    #  - size: 248
    #    prealloc: 2048
    #  - size: 512
    #    prealloc: 2048
    #  - size: 768
    #    prealloc: 4096
    #  - size: 1448
    #    prealloc: 4096
    #  - size: 65535
    #    prealloc: 512

Save changes
Start Suricata
Restart Opnsense

Settings tested on a mini PC:
Suricata active in IPS mode on LAN and WAN
Pattern matcher: Hyperscan
Promiscuous mode: disabled
Intel(R) Celeron(R) CPU J3160 @ 1.60GHz (4 cores)
Memory: 8 GB
OPNsense memory consumption with the modified Suricata settings: 20%
Internet connection: 50 MB

Optional: advanced security options
In suricata.yaml:

# Enable defrag per host settings
#  host-config:
#
#    - dmz:
#        timeout: 30
#        address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"]
#
#    - lan:
#        timeout: 45
#        address:
#          - 192.168.0.0/24
#          - 192.168.10.0/24
#          - 172.16.14.0/24
#          - Put here the range of local ip addresses of your system (Example: 192.168.50.1/24)

host-os-policy:
  # Make the default policy windows.
  windows: [0.0.0.0/0]
  bsd: []
  bsd-right: []
  old-linux: []
  linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
  old-solaris: []
  solaris: ["::1"]
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []

Put your local IPs here depending on the operating system. Examples:
Windows computer: windows: [0.0.0.0/0, 192.168.50.16]
NAS (Linux): linux: [10.0.0.0/8, 192.168.50.18, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]

Title: Re: HOWTO - Advanced Settings Suricata
Post by: hbc on July 10, 2019, 10:23:30 pm
In this context, does 0.0.0.0/0 mean any IP? But that also matches the RFC 1918 addresses of the Linux hosts.
Would this mean you have to use different subnets per OS and specify them in the OS policy?
Title: Re: HOWTO - Advanced Settings Suricata
Post by: yeraycito on July 11, 2019, 10:19:45 am
In this context, does 0.0.0.0/0 mean any IP? But that also matches the RFC 1918 addresses of the Linux hosts.

0.0.0.0/0 is the default in the original suricata.yaml. I have left it as it is, adding the IP of my Windows computer.

Would this mean you have to use different subnets per OS and specify them in the OS policy?

Yes. Suricata rules act one way or another depending on the operating system (official Suricata documentation).
Put the local IPs of your machines here, in the entries for the corresponding operating systems.

Example:

windows: [0.0.0.0/0,192.168.50.16]

192.168.50.16 is the local ip of my windows computer.

linux: [10.0.0.0/8, 192.168.50.18]

192.168.50.18 is the local ip of my linux NAS
Title: Re: HOWTO - Advanced Settings Suricata
Post by: yeraycito on August 14, 2019, 03:01:21 pm
Important: we have to make a copy of the two suricata.yaml files, because every time we update OPNsense the settings are lost and you have to put them back. If Suricata is updated you will have to apply the settings manually again, because the suricata.yaml files will surely be different.
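The tuning values from the HOWTO and the backup advice in this reply, as an added example that is not part of the thread: a POSIX shell script that copies both suricata.yaml files and reports which of the tuned values no longer match after an update. The yaml_get helper, the backup directory /root/suricata-backups and the sample files used to try it are assumptions, not anything from the post or from OPNsense.

```shell
#!/bin/sh
# Added example, not from the forum post: back up the two suricata.yaml files
# named in the HOWTO and report whether its tuned values survived an OPNsense
# update. yaml_get is a constructed helper for 2-space-indented mappings.
LIVE=/usr/local/etc/suricata/suricata.yaml
TEMPLATE=/usr/local/opnsense/service/templates/opnsense/ids/suricata.yaml
# yaml_get FILE DOTTED.KEY -> prints the scalar at that path. Comments and
# "- item" list entries are skipped, so detect-engine values are not covered.
yaml_get() {
    awk -v want="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        match($0, /^ *[A-Za-z0-9_-]+:/) {
            depth = int((match($0, /[^ ]/) - 1) / 2)   # 2 spaces per level
            key = $0; sub(/^ */, "", key); sub(/:.*/, "", key)
            path[depth] = key                          # key at this depth
            for (d = depth + 1; (d in path); d++) delete path[d]
            full = path[0]
            for (d = 1; d <= depth; d++) full = full "." path[d]
            if (full == want) {
                val = $0; sub(/^[^:]*:[ ]*/, "", val); sub(/[ ]*#.*/, "", val)
                if (val != "") print val
            }
        }' "$1"
}
# check_tuning FILE -> one line per key; returns 1 if any value differs from
# the value the post sets.
check_tuning() {
    rc=0
    for pair in defrag.memcap=128mb flow.memcap=1gb flow.hash-size=1048576 \
                flow.prealloc=1048576 stream.memcap=2gb \
                stream.reassembly.memcap=4gb stream.reassembly.depth=4mb; do
        key=${pair%%=*}; expect=${pair#*=}
        got=$(yaml_get "$1" "$key")
        if [ "$got" = "$expect" ]; then echo "ok     $key = $got"
        else echo "DRIFT  $key = '${got:-<missing>}' (expected $expect)"; rc=1
        fi
    done
    return $rc
}
# backup_configs DIR -> timestamped copies of both files, as the post advises.
backup_configs() {
    stamp=$(date +%Y%m%d-%H%M%S) && mkdir -p "$1" &&
        cp "$LIVE" "$1/suricata.yaml.$stamp" &&
        cp "$TEMPLATE" "$1/template-suricata.yaml.$stamp"
}
# On the firewall itself: back up first, then show which values drifted.
if [ -r "$LIVE" ] && [ -r "$TEMPLATE" ]; then
    backup_configs "${1:-/root/suricata-backups}" && check_tuning "$LIVE"
fi
```

Run it after each OPNsense or Suricata update; a DRIFT line tells you which value from the HOWTO has to be re-applied before restarting Suricata.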