OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: raid3868 on December 17, 2021, 02:15:01 am

Title: Intrusion Detection and Prevention when idle WCPU at 14%-15%
Post by: raid3868 on December 17, 2021, 02:15:01 am
Dear expert,

I have enabled the IDS/IPS. When I ssh to my OPNsense and run top, it shows WCPU always consuming 14%-15%, without any traffic. Is this normal when IDS/IPS is enabled?

    PID USERNAME    THR PRI NICE   SIZE    RES STATE    C   TIME    WCPU COMMAND
63648 root                7  20    0       672M   311M nanslp   2   1:48  14.21% suricata


HOST DELL 740xd 20 CPUs x Intel(R) Xeon(R) Silver 4210 CPU @ 2.20GHz RAM 128 GB

OPNsense is a VM guest with 8 vCPUs and 16 GB RAM.
Network interfaces:
10GB - internal with 2 VLANs
1GB - external (WAN)

OPNsense 21.7.6-amd64
FreeBSD 12.1-RELEASE-p21-HBSD
OpenSSL 1.1.1l 24 Aug 2021


IDS/IPS configuration
------------------------
IPS mode=enable
Promiscuous mode=enable
Pattern matcher=Hyperscan
Interfaces=LAN
Rulesets=ET telemetry
Policies= All ET telemetry rulesets = alert and drop

Log file shows:
2021-12-15T16:45:43   suricata[63648]   [100369] <Notice> -- all 2 packet processing threads, 4 management threads initialized, engine started.


Tks

Hi

Today I did a clean install.
Install ISO downloaded from the OPNsense site: OPNsense-21.7.1-OpenSSL-dvd-amd64.iso.
After configuring everything necessary, I configured Intrusion Detection, downloaded all policies and configured as previously, started IDS, and checked at the console with the command top.

suricata WCPU = 0.13%-0.17% (something around this). Looks OK with this CPU usage.

Then I updated to the latest OPNsense 21.7.7-amd64 and rebooted.
Checked at the console with the command top:

suricata WCPU = 13%-15%. I think something is wrong with the latest update.


Anyone with this issue?

Please help, trying to put this into production to replace our current Cyberoam.

tks

Hi

I tried to revert to 21.7.3; the problem is still the same.
Using this command: opnsense-revert -r 21.7.3 opnsense

suricata WCPU = 13%-15%

No luck. Does someone know what is happening? Or is it like this when IDS/IPS is enabled?

Does anyone know if the business edition has the issue?

Does anyone know how to restore without restoring the IDS/IPS configuration? I would like to do a factory reset but do not want to restore the IDS/IPS configuration.


Tks

Anyone please help: will the business edition have this issue, or is this normal, that when idle suricata will take WCPU 14%-15%?

Anyone please comment. Tks
Title: Re: Intrusion Detection and Prevention when idle WCPU at 14%-15%
Post by: raid3868 on December 17, 2021, 05:13:18 am
I found the issue. Fixing it this way isn't the right way, but suricata WCPU at idle is 1.3%-1.5%.

Title: Re: Intrusion Detection and Prevention when idle WCPU at 14%-15%
Post by: Northguy on December 17, 2021, 12:36:17 pm
So, if you managed to fix it, can you elaborate on what you managed to fix (to learn for others)?
Title: Re: Intrusion Detection and Prevention when idle WCPU at 14%-15%
Post by: patman on December 22, 2021, 06:39:30 pm
Yes, please let us know, as I have a similar issue with suricata running permanently at ~35% WCPU (2-core Intel Atom).
I can see in my long-term logs that the CPU usage went up around the 27th of September, when I most probably upgraded to 21.7.3, which introduced Suricata 6.0.3.

[update]
Just found this: https://forum.opnsense.org/index.php?topic=24895.msg120705#msg120705 which seems to be the issue.
Title: Re: Intrusion Detection and Prevention when idle WCPU at 14%-15%
Post by: raid3868 on December 24, 2021, 04:38:49 am
Sorry for the late reply, just revisited the forums.

What I did is: before the upgrade I put a lock on the package suricata v5.0.7 so it will not upgrade to the latest version. Then I used the command opnsense-revert -r 21.7.3 opnsense to revert back to 21.7.3, so I can implement it into production use.

I am looking to purchase the business version but I am not sure what version of suricata it has, because there is no way to test unless you purchase. Business edition is 2.10; don't know the suricata CPU effect. Very hard to make decisions because I have to take responsibility if I purchase on behalf of the company. Just sad to be unable to get any confirmation.

I have been testing for quite some time with OPNsense; to implement it for the company we need a stable system.

Tks
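The check the thread relies on (reading suricata's WCPU from top after an upgrade or revert) as a small script; this is an added example, not code from the thread or from the OPNsense project. The top lines are constructed to match the format posted above, and the 5% idle ceiling is an assumed value chosen between the healthy 0.13%-0.17% and the problematic 13%-15% reported here.

```shell
#!/bin/sh
# Added example: extract suricata's WCPU from a FreeBSD `top` snapshot and
# compare it against an idle ceiling, as a post-upgrade sanity check.
# On an OPNsense host, feed it the output of `top -b` instead of the sample.
# The thread's mitigation (pinning the package before upgrading) is
# `pkg lock suricata`; this script only reports and changes nothing.

# Constructed sample in the column layout shown in the thread (not a live capture).
SAMPLE_TOP='  PID USERNAME    THR PRI NICE   SIZE    RES STATE    C   TIME    WCPU COMMAND
63648 root          7  20    0   672M   311M nanslp   2   1:48  14.21% suricata
  912 root          1  20    0    12M     3M select   0   0:05   0.00% syslogd'

# Print suricata's WCPU as a bare number (e.g. 14.21); prints nothing if the
# process is not in the snapshot. COMMAND is the last field, WCPU the one before.
suricata_wcpu() {
    printf '%s\n' "$1" |
        awk '$NF == "suricata" { sub(/%$/, "", $(NF-1)); print $(NF-1); exit }'
}

# Succeed (exit 0) when the WCPU value in $1 exceeds the threshold in $2.
# An empty value (suricata not running) counts as 0 and never exceeds.
wcpu_exceeds() {
    awk -v v="$1" -v t="$2" 'BEGIN { exit !(v + 0 > t + 0) }'
}

# Stand-alone run on the constructed sample; IDLE_MAX is the assumed ceiling.
IDLE_MAX=5
wcpu=$(suricata_wcpu "$SAMPLE_TOP")
if wcpu_exceeds "$wcpu" "$IDLE_MAX"; then
    echo "suricata WCPU ${wcpu:-n/a}% exceeds idle ceiling ${IDLE_MAX}%"
else
    echo "suricata WCPU ${wcpu:-n/a}% within idle ceiling ${IDLE_MAX}%"
fi
```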