OPNsense Forum

English Forums => Tutorials and FAQs => Topic started by: yeraycito on July 10, 2019, 05:07:11 pm

Title: HOWTO - Advanced Settings Suricata
Post by: yeraycito on July 10, 2019, 05:07:11 pm
First, stop Suricata in OPNsense (Services > Intrusion Detection > Administration: untick Enabled and Apply).

Access the firewall over SSH/SFTP (on Windows, WinSCP is a convenient SFTP client: https://winscp.net/eng/download.php; SSH must be enabled under System > Settings > Administration first).

Open WinSCP:
Enter the OPNsense IP address
Enter the OPNsense login/password

Locate the two copies of suricata.yaml:

/usr/local/etc/suricata/suricata.yaml
(the file the running Suricata reads; OPNsense regenerates it from the template every time IDS settings are applied or the service restarts)
and
/usr/local/opnsense/service/templates/OPNsense/IDS/suricata.yaml
(the template it is rendered from; the path is case-sensitive, and a system update replaces this file, so keep a copy of your edits)

Tuning Suricata (IPS mode active):
Make the same edits in both suricata.yaml files: the generated file is what runs now, the template is what survives the next restart. Search in suricata.yaml for the following keys.

max-pending-packets (the stock file has it commented out and the default is 1024; remove the # to raise it to 5000):

#max-pending-packets: 5000

Detect engine. Suricata 4 and later use the "detect:" mapping shown here; the original post used the older Suricata 2.x "detect-engine:" list form with "- profile:" items. Keep whichever form your installed file already has and change only the values:

detect:
  profile: custom
  custom-values:
    toclient-groups: 200
    toserver-groups: 200
  sgh-mpm-context: auto
  inspection-recursion-limit: 3000

200 groups in each direction is far above the built-in "high" profile, so expect more memory for signature groups and a longer rule-load time in exchange for smaller, more specific rule groups per packet.

# Defrag settings:

defrag:
  memcap: 128mb

flow:
  memcap: 1gb
  hash-size: 1048576
  prealloc: 1048576
  emergency-recovery: 30

(The post keeps a fully commented-out copy of the stream block for reference:)

# stream:
#   memcap: 2gb
#   prealloc-sessions: 30000
#
#   reassembly:
#     memcap: 4gb
#     depth: 4mb
#     chunk-prealloc: 5000
#     segments:
#       - size: 4
#         prealloc: 1024
Then the active block with the same values and a few changes: prealloc-sessions is dropped, chunk-prealloc is left commented out, and the segments list stays commented because Suricata 4 and later no longer use segment pools. "reassembly:" must be indented by exactly two spaces under "stream:"; the one-space indent in the original post is invalid YAML and Suricata will refuse the file:

stream:
  memcap: 2gb
  reassembly:
    memcap: 4gb
    depth: 4mb
    #chunk-prealloc: 5000
    #segments:
    #  - size: 4
    #    prealloc: 1024
    #  - size: 16
    #    prealloc: 2048
    #  - size: 112
    #    prealloc: 2048
    #  - size: 248
    #    prealloc: 2048
    #  - size: 512
    #    prealloc: 2048
    #  - size: 768
    #    prealloc: 4096
    #  - size: 1448
    #    prealloc: 4096
    #  - size: 65535
    #    prealloc: 512

Memcaps are ceilings, not allocations: 128 MB defrag + 1 GB flow + 2 GB stream + 4 GB reassembly is roughly 7.1 GB that Suricata is allowed to grow into, on the 8 GB box described below. Only flow.prealloc (1048576 flows here) is really allocated at start-up. Reaching a memcap does not produce an obvious error: when the flow memcap is hit Suricata enters emergency mode and prunes flows early (emergency-recovery: 30 means it leaves that mode once 30% of the flows have been freed), and when the stream memcap is hit new TCP sessions are simply not tracked (counted as tcp.ssn_memcap_drop and tcp.segment_memcap_drop in stats.log), so rules that depend on stream state stop firing. Size the caps to the traffic you actually carry and check those counters after a few days.

Save the changes.
Start Suricata again.
Restart OPNsense. A restart re-renders /usr/local/etc/suricata/suricata.yaml from the template, which is why the template must carry the same edits: if you changed only the generated file, the reboot silently undoes them.
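Before restarting it is worth checking two things the procedure above depends on: that the memcaps you just raised are sane for the RAM in the box, and that the generated file and the template really carry the same values. The script below is an added example, not code from the original post or from OPNsense or Suricata. It deliberately avoids a YAML library, because the OPNsense template contains Jinja tags that a YAML parser rejects; instead it scans "key: value" lines leniently. The 60% RAM rule of thumb is an assumption of this example, not a Suricata recommendation, and the "stock defaults" sample is copied from memory of the shipped suricata.yaml, so compare it with your own file.

```python
"""Sanity-check Suricata memcap tuning and the two suricata.yaml copies on OPNsense.

Added example (not the post's or OPNsense's code). Usage on the firewall:
    python3 memcap_check.py /usr/local/etc/suricata/suricata.yaml \
        /usr/local/opnsense/service/templates/OPNsense/IDS/suricata.yaml
Without arguments it runs against the constructed samples at the bottom.
It is NOT a YAML validator; `suricata -T -c <file>` is.
"""
import re

# Suricata size suffixes are binary multiples (kb = 1024 bytes).
_UNITS = {"": 1, "b": 1, "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3}

# Dotted paths of the keys the post tells you to edit in both files.
TUNED_KEYS = (
    "defrag.memcap",
    "flow.memcap", "flow.hash-size", "flow.prealloc", "flow.emergency-recovery",
    "stream.memcap", "stream.reassembly.memcap", "stream.reassembly.depth",
)
MEMCAP_KEYS = ("defrag.memcap", "flow.memcap", "stream.memcap", "stream.reassembly.memcap")


def to_bytes(size):
    """Convert a Suricata size string such as '128mb', '1gb' or '5000' to bytes."""
    m = re.fullmatch(r"\s*(\d+)\s*([kmg]?b?)\s*", size.lower())
    if not m:
        raise ValueError(f"unparseable size: {size!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def scan_scalars(text):
    """Return {dotted.path: value} for every 'key: value' line of a YAML-like text.

    Comments are dropped, '- key:' list items are treated like nested keys (this
    also covers the legacy 'detect-engine' list form), and indentation is only
    compared, never validated, so an unevenly indented file still yields values.
    """
    found, stack = {}, []          # stack holds (indent, key) of the open mappings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        body = line.strip()
        if body.startswith("- "):
            body, indent = body[2:].strip(), indent + 2
        if ":" not in body:
            continue
        key, _, value = body.partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = ".".join([k for _, k in stack] + [key.strip()])
        if value.strip():
            found[path] = value.strip()
        else:
            stack.append((indent, key.strip()))
    return found


def memcap_budget(text):
    """Return ({memcap key: bytes}, total bytes) for the memcaps the post tunes."""
    scalars = scan_scalars(text)
    caps = {k: to_bytes(scalars[k]) for k in MEMCAP_KEYS if k in scalars}
    return caps, sum(caps.values())


def fits_in_ram(total_memcap, ram_bytes, max_fraction=0.6):
    """True if the combined memcap ceilings stay under max_fraction of RAM.

    Memcaps are ceilings, not allocations, but the OS, the rule set and the packet
    pool still need room if traffic ever pushes every cap at once. The 0.6 is an
    assumed rule of thumb for this example, not a Suricata figure.
    """
    return total_memcap <= ram_bytes * max_fraction


def tuning_mismatches(generated_text, template_text, keys=TUNED_KEYS):
    """Keys whose value differs between the generated file and the template.

    A mismatch means the next OPNsense restart renders a different value than
    the one you are testing now.
    """
    a, b = scan_scalars(generated_text), scan_scalars(template_text)
    return {k: (a.get(k), b.get(k)) for k in keys if a.get(k) != b.get(k)}


# Constructed samples: the values from the post, and the stock suricata.yaml defaults.
POST_TUNING = """\
defrag:
  memcap: 128mb
flow:
  memcap: 1gb
  hash-size: 1048576
  prealloc: 1048576
  emergency-recovery: 30
stream:
  memcap: 2gb
  reassembly:
    memcap: 4gb
    depth: 4mb
"""
DEFAULT_TUNING = """\
defrag:
  memcap: 32mb
flow:
  memcap: 128mb
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30
stream:
  memcap: 64mb
  reassembly:
    memcap: 256mb
    depth: 1mb
"""
RAM_8GB = 8 * 1024 ** 3

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        gen, tpl = (open(p, encoding="utf-8").read() for p in sys.argv[1:3])
    else:
        gen, tpl = POST_TUNING, DEFAULT_TUNING
    caps, total = memcap_budget(gen)
    for key, value in caps.items():
        print(f"{key:28s} {value / 1024 ** 2:10.0f} MiB")
    print(f"{'total memcap ceiling':28s} {total / 1024 ** 2:10.0f} MiB")
    print("fits in 8 GiB at 60%:", fits_in_ram(total, RAM_8GB))
    print("generated/template mismatches:", tuning_mismatches(gen, tpl))
```

Run it against the post's values and the total ceiling comes out at about 7.1 GiB on an 8 GiB box, which the check flags; that does not mean the settings will fail, only that nothing stops Suricata from growing into almost all the RAM under load. After the script is happy, validate the real file with `suricata -T -c /usr/local/etc/suricata/suricata.yaml` before starting the service, since the lenient scanner above accepts indentation mistakes that Suricata will not.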

Adjustments tested on a mini-PC:
Suricata active in IPS mode on LAN and WAN
Pattern matcher: Hyperscan
Promiscuous mode: disabled
Intel(R) Celeron(R) CPU J3160 @ 1.60GHz (4 cores)
Memory: 8 GB
Memory consumption of OPNsense with the modified Suricata settings: 20%
Internet connection: 50 MB

Optional: advanced security options
In suricata.yaml:

Per-host defrag timeouts. The stock file ships this block commented out; remove the leading "#" characters and replace the sample addresses with your own ranges. "timeout" is the number of seconds Suricata keeps an incomplete set of IP fragments from those hosts before discarding it. (The last list entry in the original post was a prose note inside the YAML list, which would break parsing once uncommented; it is written as a comment here.)

# Enable defrag per host settings
#  host-config:
#
#    - dmz:
#        timeout: 30
#        address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"]
#
#    - lan:
#        timeout: 45
#        address:
#          - 192.168.0.0/24
#          - 192.168.10.0/24
#          - 172.16.14.0/24
#          # put the local ranges of your own network here (example: 192.168.50.0/24)

host-os-policy tells the stream engine which operating system's TCP reassembly behaviour to assume for each host, so that overlapping or retransmitted segments are put together the way the real host will see them. A wrong entry is the classic IDS evasion: an attacker sends overlapping segments that the target host and the sensor interpret differently. The most specific entry wins across all the lists, so "windows: [0.0.0.0/0]" is the default for every IPv4 host and a /32 or /24 listed under another OS overrides it for those hosts. Everything below other than "windows: [0.0.0.0/0]" is Suricata's stock sample data (10.0.0.0/8, 192.168.1.100, the IPv6 address, ::1 as Solaris): replace it with your own hosts rather than keeping it.

host-os-policy:
  # Make the default policy windows.
  windows: [0.0.0.0/0]
  bsd: []
  bsd-right: []
  old-linux: []
  linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
  old-solaris: []
  solaris: ["::1"]
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []

Put your local IPs under the operating system they actually run. Examples:
Windows computer: windows: [0.0.0.0/0, 192.168.50.16] (the /32 is redundant, since 0.0.0.0/0 already makes the host Windows; it only documents the host)
NAS (Linux): linux: [10.0.0.0/8, 192.168.50.18, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"] (keep only the entries that really are yours)
Note that 0.0.0.0/0 covers IPv4 only; IPv6 hosts that are not listed get Suricata's built-in default policy, not "windows". Add "::/0" to the windows list if Windows should be the IPv6 default as well.
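Because the longest-prefix rule is what makes the examples above work, it helps to see which policy a given host actually ends up with before restarting Suricata. The script below is an added example, not the post's or Suricata's code: it parses the flow-style host-os-policy lines, resolves hosts the way Suricata's lookup does (most specific network wins; that behaviour is the assumption this example rests on), and reports entries that are redundant within one OS list or duplicated across two lists. The sample block is constructed from the post's own example values.

```python
"""Resolve host-os-policy entries the way Suricata applies them: longest prefix wins.

Added example, not Suricata's or the post's code. Feed it the host-os-policy
block from suricata.yaml and a list of hosts you care about.
"""
import ipaddress
import re

# Matches an indented flow-style entry such as:  linux: [10.0.0.0/8, "::1"]
_ENTRY = re.compile(r"^\s+([a-z0-9-]+):\s*\[(.*)\]\s*$")


def parse_host_os_policy(block):
    """Turn the flow-style host-os-policy lines into {os_name: [ip_network, ...]}.

    Entries without a prefix length are single hosts (/32 or /128); surrounding
    quotes are stripped so the IPv6 entries of the stock file parse.
    """
    policy = {}
    for line in block.splitlines():
        m = _ENTRY.match(line.split("#", 1)[0])
        if not m:
            continue
        os_name, items = m.group(1), m.group(2)
        policy[os_name] = [
            ipaddress.ip_network(item, strict=False)
            for item in filter(None, (s.strip().strip("\"'") for s in items.split(",")))
        ]
    return policy


def resolve_policy(policy, host):
    """Return (os_name, matching network) for host, most specific entry first.

    None means no entry covers the host (typical for IPv6 when only 0.0.0.0/0
    is configured), in which case Suricata falls back to its built-in default.
    """
    addr = ipaddress.ip_address(host)
    best = None
    for os_name, nets in policy.items():
        for net in nets:
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[1].prefixlen:
                    best = (os_name, net)
    return best


def redundant_entries(policy):
    """Entries already covered by a broader entry in the SAME list, e.g.
    192.168.50.16 next to 0.0.0.0/0 under 'windows'. Harmless, but noise."""
    out = []
    for os_name, nets in policy.items():
        for net in nets:
            for other in nets:
                if (other is not net and other.version == net.version
                        and other.prefixlen < net.prefixlen and net.subnet_of(other)):
                    out.append((os_name, str(net), str(other)))
    return out


def duplicate_entries(policy):
    """The same network listed under two different OS lists: only one of them can
    win, so treat it as a configuration error rather than guessing which."""
    seen, dups = {}, []
    for os_name, nets in policy.items():
        for net in nets:
            key = str(net)
            if key in seen and seen[key] != os_name:
                dups.append((key, seen[key], os_name))
            seen.setdefault(key, os_name)
    return dups


# Constructed sample built from the examples in the post.
POLICY_FROM_POST = """\
host-os-policy:
  # Make the default policy windows.
  windows: [0.0.0.0/0, 192.168.50.16]
  bsd: []
  linux: [10.0.0.0/8, 192.168.50.18, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
  solaris: ["::1"]
  macos: []
"""

if __name__ == "__main__":
    pol = parse_host_os_policy(POLICY_FROM_POST)
    for host in ("192.168.50.16", "192.168.50.18", "10.4.5.6", "8.8.8.8", "::1", "2001:db8::1"):
        hit = resolve_policy(pol, host)
        print(f"{host:16s} -> {hit[0] + ' via ' + str(hit[1]) if hit else 'no entry (built-in default)'}")
    print("redundant:", redundant_entries(pol))
    print("duplicates:", duplicate_entries(pol))
```

On the post's example the NAS at 192.168.50.18 resolves to linux through its /32 even though 0.0.0.0/0 is listed under windows, 192.168.50.16 is reported as redundant under windows, and 2001:db8::1 resolves to nothing, which is the IPv6 gap noted above.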