OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: yeraycito on July 10, 2019, 05:06:53 pm

Title: HOWTO - Advanced Settings Suricata
Post by: yeraycito on July 10, 2019, 05:06:53 pm
First, stop Suricata in OPNsense.

Access by SSH (WinSCP for Windows: https://winscp.net/eng/download.php)

Open WinSCP:
Enter the OPNsense IP address
Enter the OPNsense login/password

Search for these paths:

/usr/local/etc/suricata/suricata.yaml
and
/usr/local/opnsense/service/templates/opnsense/ids/suricata.yaml

Tuning Suricata (IPS MODE ACTIVE):
EDIT THE SAME PARAMETERS in the 2 suricata.yaml files.
Search in suricata.yaml:

#max-pending-packets: 10000

detect-engine:
  - profile: custom
  - custom-values:
      toclient-groups: 200
      toserver-groups: 200
  - sgh-mpm-context: auto
  - inspection-recursion-limit: 3000

# Defrag settings:

defrag:
  memcap: 1gb

flow:
  memcap: 1gb
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30

# stream:
#   memcap: 1gb 
#   prealloc-sessions: 2k        # 2k sessions prealloc'd per stream

#   reassembly:
#     memcap: 2gb             
#     depth: 2mb
#     chunk-prealloc: 5000     
#     segments:                   
#       - size: 4                     
#         prealloc: 1024         

(repeat the settings below with some changes):

stream:
  memcap: 1gb
  reassembly:
    memcap: 2gb
    depth: 2mb            # reassemble 2mb into a stream

host:
  hash-size: 4096
  prealloc: 1000
  memcap: 256mb

http:
  enabled: yes
  # memcap: 128mb

I repeat: the same parameters must be edited in the 2 suricata.yaml files mentioned at the beginning.

Save changes
Start Suricata


Adjustments tested on a mini-PC:
Suricata active in IPS mode on LAN, WAN
Pattern matcher: Hyperscan
Promiscuous mode: Enabled
Rules: ET PRO TELEMETRY (all rules active, action drop)

Intel(R) Celeron(R) CPU J3160 @ 1.60GHz (4 cores)
Memory: 8 GB
OPNsense 20.1
Memory consumption of OPNsense with the modified Suricata settings: 20%
Internet connection: 50 MB

Optional: Advanced security options
In suricata.yaml:

# Enable defrag per host settings
#  host-config:
#
#    - dmz:
#        timeout: 30
#        address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"]
#
#    - lan:
#        timeout: 45
#        address:
#          - 192.168.0.0/24
#          - 192.168.10.0/24
#          - 172.16.14.0/24
#          - Put the range of local IP addresses of your network here (example: 192.168.50.1/24)

host-os-policy:
  # Make the default policy windows.
  windows: [0.0.0.0/0]
  bsd: []
  bsd-right: []
  old-linux: []
  linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
  old-solaris: []
  solaris: ["::1"]
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []

Put your local IPs here, depending on the operating system. Examples:
Windows computer: windows: [0.0.0.0/0, 192.168.50.16]
NAS (Linux): linux: [10.0.0.0/8, 192.168.50.18, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]


VERY IMPORTANT: We have to make a copy of the 2 suricata.yaml files, because every time we update OPNsense the configuration is lost. After updating OPNsense we have to edit the 2 suricata.yaml files again (or copy the 2 suricata.yaml files edited and saved before over the existing suricata.yaml files).
Title: Re: HOWTO - Advanced Settings Suricata
Post by: hbc on July 10, 2019, 10:23:30 pm
In this context 0.0.0.0/0 means any IP? But that also matches the RFC 1918 addresses from Linux.
Would this mean you have to use different subnets per OS and specify them in os-policy?
Title: Re: HOWTO - Advanced Settings Suricata
Post by: yeraycito on July 11, 2019, 10:19:45 am
In this context 0.0.0.0/0 means any IP? But that also matches the RFC 1918 addresses from Linux.

0.0.0.0/0 is the default in the original suricata.yaml. I have left it as it is, adding the IP of my Windows computer.

Would this mean you have to use different subnets per OS and specify them in os-policy?

Yes. Suricata rules act in one way or another depending on the operating system (official Suricata documentation).
Put the local IPs of your equipment here, in the boxes of the corresponding operating systems.

Example:

windows: [0.0.0.0/0,192.168.50.16]

192.168.50.16 is the local IP of my Windows computer.

linux: [10.0.0.0/8, 192.168.50.18]

192.168.50.18 is the local IP of my Linux NAS.
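A small resolver for the host-os-policy question in this exchange, added here as an example and not part of the forum post. It assumes Suricata applies the most specific (longest-prefix) matching entry, which is how the catch-all 0.0.0.0/0 under windows can coexist with specific Linux hosts; the policy values are constructed from the examples in the thread, and a conflict check flags an address listed under two OS keys.

```python
import ipaddress

# Policy constructed from the thread's examples (windows and linux
# entries quoted above, plus the stock solaris entry); the other OS
# keys stay empty in suricata.yaml and are omitted here.
HOST_OS_POLICY = {
    "windows": ["0.0.0.0/0", "192.168.50.16"],
    "linux": ["10.0.0.0/8", "192.168.50.18", "192.168.1.100",
              "8762:2352:6241:7245:E000:0000:0000:0000"],
    "solaris": ["::1"],
}


def parse_policy(policy):
    """Turn the YAML-style mapping into (network, os_name) pairs.

    Bare addresses become /32 or /128 networks. A malformed entry raises
    ValueError, so a typo is caught instead of silently never matching.
    """
    entries = []
    for os_name, addrs in policy.items():
        for addr in addrs:
            entries.append((ipaddress.ip_network(addr, strict=False), os_name))
    return entries


def resolve_os(ip, entries):
    """Return the OS policy for ip, or None when no entry covers it.

    Among matching entries of the same address family the longest prefix
    wins (assumed Suricata behaviour), so 192.168.50.18 under linux beats
    the catch-all 0.0.0.0/0 under windows although both contain it.
    """
    addr = ipaddress.ip_address(ip)
    best = None
    for net, os_name in entries:
        if net.version != addr.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, os_name)
    return best[1] if best else None


def find_conflicts(entries):
    """Networks listed under more than one OS, i.e. an ambiguous policy."""
    seen = {}
    for net, os_name in entries:
        seen.setdefault(net, set()).add(os_name)
    return {str(n): sorted(o) for n, o in seen.items() if len(o) > 1}
```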
Title: Re: HOWTO - Advanced Settings Suricata
Post by: yeraycito on August 14, 2019, 03:01:21 pm
Important: We have to make a copy of the 2 suricata.yaml files, because every time we update OPNsense the settings are lost and you have to put them back. If Suricata is updated you will have to set the settings manually again, because the suricata.yaml files will surely be different.
Title: Re: HOWTO - Advanced Settings Suricata
Post by: yeraycito on January 31, 2020, 05:51:08 pm
Updated configuration parameters