OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: shopin on December 04, 2022, 07:50:09 am

Title: IDS on 7 interfaces OPNSense - hang Suricata
Post by: shopin on December 04, 2022, 07:50:09 am
I want to enable IDS on 10 interfaces on an OPNsense VM (KVM). VM specifications: 12 GB RAM, 8 CPUs.

When I run it on only 1 interface, I see in top that the suricata process consumes 495 MB RAM and 1979 MB SIZE.
Around 1000 rules are enabled.

Adding further interfaces, it still works successfully on 6 interfaces. At that point the suricata process in top consumes 549 MB RAM and 8800 MB SIZE, so each interface adds about 1.5 GB to the process space. Everything works successfully and quickly. You can easily restart the IDS service and apply the settings in the GUI.

But when I add a 7th interface, everything breaks. At this moment SIZE in top exceeds 10 GB, with 500 MB RAM. What happens: IDP stops passing traffic, although there are no errors in the log. When trying to restart the suricata service, it hangs endlessly. Only an emergency reboot helps, since a regular restart does not work because the system is waiting for the hung process to stop.

I can only assume that perhaps this is because the process is running into some system limitation. All system and suricata settings are currently at their defaults. RAM and CPU are not heavily loaded.

Can you tell me where to look for information? Is it possible to somehow reduce the SIZE of the process in the suricata configs?

It would be nice if in the future it became possible to run a separate process per interface.