OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: JasMan on November 22, 2020, 01:52:02 pm

Title: Memory usage grow during a constant traffic flow
Post by: JasMan on November 22, 2020, 01:52:02 pm
Hey,

I'm often watching TV shows that I've recorded in the past and saved on my NAS as an MPEG-2 file.
The playing device is a Dreambox (Linux based) in a different VLAN. The Dreambox uses SMB2 to play the file. The connection uses about 5 Mbit/s.

After approx. 30 minutes of watching I get a warning from my OPNsense that the memory usage has reached 80% of 8 GB. The activity page shows that Suricata uses most of it. The memory usage continues to grow up to 97% as long as the episode plays. Then the SWAP usage starts to grow.
My OPNsense uses about 20% of the memory during normal operation.

I do not see any drops or alerts in the IDS/IPS logs regarding this connection. I can try to define an IP-to-IP exception in the user rules section to prevent it. But if it's a single rule which causes this behaviour, I would prefer to identify and disable this rule.
Is this normal behaviour? If not, how should I proceed to prevent this?

Current Suricata settings: Promiscuous & IPS modes are active. The pattern matcher is Hyperscan, and Suricata is only listening on the physical LAN interface. The home network subnets are entered.

Jas

EDIT: I'm not able to reproduce this issue by using iPerf3 to create a TCP connection with a constant bandwidth usage.
Title: Re: Memory usage grow during a constant traffic flow
Post by: djbmister on November 26, 2020, 04:38:38 pm
How many IDS rules do you have enabled?

If you have too many, then IDS will be checking regardless and consuming lots of memory to do this.

It's best to have a minimal list first, then grow it as you understand the lists you need, and not enable all of them.

Also, why do you have it enabled on LAN? Usually it's best to enable it on WAN and check incoming issues rather than tracking outbound. LAN clients can be very noisy, and unless you have specific reasons to check your LAN clients, it's best to limit it to the rules you actually want rather than parsing everything.
Title: Re: Memory usage grow during a constant traffic flow
Post by: JasMan on November 28, 2020, 02:48:37 pm
I've about 58,000 rules enabled. That's a lot, I know. But it seems that they're not harming any other services like Netflix, Deezer or other connections which are using a constant bandwidth over a longer time.

I've enabled IDS/IPS on the LAN interface because I'm having several VLANs and interfaces. Therefore I want to scan the traffic between them too.

My iPerf test ran for about two hours and there was no rising memory usage. So I guess it's a single rule which causes the issue during the SMB stream.

Title: Re: Memory usage grow during a constant traffic flow
Post by: yeraycito on November 28, 2020, 04:33:52 pm
https://forum.opnsense.org/index.php?topic=13445.0
Title: Re: Memory usage grow during a constant traffic flow
Post by: JasMan on November 29, 2020, 02:55:44 pm
Thank you for the How-To.

All values were already configured in the standard files as mentioned in your How-To.
I have only added the IP addresses of my hosts to the host-os-policy section, but that didn't help. :(
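As an added diagnostic for the question in the first post (which Suricata component is actually holding the memory, rather than guessing at a single rule), and not code from this thread or from OPNsense: the script below reads Suricata's EVE `stats` events and reports the memory counters that grow monotonically from sample to sample. It assumes the EVE stats output is enabled in Suricata; the counter names `tcp.memuse`, `tcp.reassembly_memuse` and `flow.memuse` are Suricata's own, while the sample records and their values are constructed to mimic the symptom described above.

```python
import json

def flatten(d, prefix=""):
    """Flatten nested dicts into {"tcp.memuse": value, ...}."""
    out = {}
    for k, v in d.items():
        key = f"{prefix}.{k}" if prefix else k
        if isinstance(v, dict):
            out.update(flatten(v, key))
        elif isinstance(v, (int, float)):
            out[key] = v
    return out

def memuse_series(lines):
    """Collect every *memuse counter from event_type=stats records, in file order."""
    series = {}
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "stats":   # skip alerts, flows, dns, ...
            continue
        for k, v in flatten(ev.get("stats", {})).items():
            if k.endswith("memuse"):
                series.setdefault(k, []).append(v)
    return series

def growing_counters(series, min_samples=3):
    """Counters that never decrease between samples and end above their start.
    Returns {counter: bytes grown}, largest growth first."""
    grown = {}
    for k, vals in series.items():
        if len(vals) < min_samples:
            continue
        if all(b >= a for a, b in zip(vals, vals[1:])) and vals[-1] > vals[0]:
            grown[k] = vals[-1] - vals[0]
    return dict(sorted(grown.items(), key=lambda kv: -kv[1]))

# Constructed sample: three stats events 15 minutes apart plus one non-stats record.
SAMPLE_EVE = """\
{"timestamp":"2020-11-22T13:00:00+0100","event_type":"stats","stats":{"tcp":{"memuse":1200000,"reassembly_memuse":50000000},"flow":{"memuse":7000000}}}
{"timestamp":"2020-11-22T13:00:08+0100","event_type":"flow","flow":{"pkts_toserver":10}}
{"timestamp":"2020-11-22T13:15:00+0100","event_type":"stats","stats":{"tcp":{"memuse":1300000,"reassembly_memuse":1900000000},"flow":{"memuse":7100000}}}
{"timestamp":"2020-11-22T13:30:00+0100","event_type":"stats","stats":{"tcp":{"memuse":1250000,"reassembly_memuse":4200000000},"flow":{"memuse":7000000}}}
"""

if __name__ == "__main__":
    for name, delta in growing_counters(memuse_series(SAMPLE_EVE.splitlines())).items():
        print(f"{name}: +{delta / 1e6:.1f} MB between first and last stats sample")
```

To run it against a live box, replace `SAMPLE_EVE.splitlines()` with the lines of the eve.json Suricata writes (assumed path `/var/log/suricata/eve.json`) captured while the stream is playing; a counter that keeps climbing points at the subsystem (stream reassembly, flow table, an app-layer parser) to tune, which a rule exception alone would not reveal.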