OPNsense Forum
Archive => 16.7 Legacy Series => Topic started by: franco on December 03, 2016, 08:50:03 pm
-
Hi all,
The new Suricata came out two days ago:
https://suricata-ids.org/2016/12/01/suricata-3-2-available/
For anyone who wants to help test, we have put up preview packages to be used on top of 16.7.10:
(for amd64)
# pkg add -f https://pkg.opnsense.org/snapshots/amd64/suricata-3.2.txz
(for i386)
# pkg add -f https://pkg.opnsense.org/snapshots/i386/suricata-3.2.txz
You can always reinstall the original Suricata package using
# pkg install -f suricata
Any comments, even if it's a simple "works for me on amd64" is of help!
I'm currently running it with Hyperscan on amd64 in IPS mode. Works fine so far. :)
Cheers,
Franco
-
AMD64 doesn't break anything for me, but neither does it fix IDS/IPS for me so installing it is all I can test for you.
-
Taomyn, will build a Hyperscan-free version for you to try tomorrow.
Thanks,
Franco
-
Any change with this one?
(amd64/no Hyperscan)
# pkg add -f https://pkg.opnsense.org/snapshots/amd64/suricata-no-hs-3.2.txz
Cheers,
Franco
-
Still the same, as you said previously my issue with IPS/IDS is most likely with FreeBSD, but I thought it could not harm things to test updates to Suricata just in case there's a chance that's the problem instead.
-
Testing it today on 1Gbps constant traffic network. 8 core c2758, 8gb ram ecc + ssd. The only issue I see is that only core 1-4 are used till 90% rest of them sleeping. Is there something I missed in the configuration? I suspect not.
-
Hi nikkon,
Thanks for testing. The threading seems to be set to auto with a ratio of 1.5:
#
# By default Suricata creates one "detect" thread per available CPU/CPU core.
# This setting allows controlling this behaviour. A ratio setting of 2 will
# create 2 detect threads for each CPU/CPU core. So for a dual core CPU this
# will result in 4 detect threads. If values below 1 are used, less threads
# are created. So on a dual core CPU a setting of 0.5 results in 1 detect
# thread being created. Regardless of the setting at a minimum 1 detect
# thread will always be created.
#
detect-thread-ratio: 1.5
No idea how this impacs CPU usage. The load balancing algorithms (or lack thereof) would also matter in thread saturisation. I don't know enough about Suricata to tweak this.
Taomyn, bummer. Do you have any chance to try and test i386 to see if that makes a difference?
And all: testing looking good, we will likely ship this with 16.7.12 or 16.7.11 if we're lucky.
Cheers,
Franco
-
Taomyn, bummer. Do you have any chance to try and test i386 to see if that makes a difference?
I presume as I'm running AMD64 I can't simply switch it to that version, so probably not.
-
You could boot a 16.7 stick, import your config in the installer and then directly exit installer to continue to live system. This way the install isn't touched and you have your settings in the live environment.
-
You could boot a 16.7 stick, import your config in the installer and then directly exit installer to continue to live system. This way the install isn't touched and you have your settings in the live environment.
Ah ok, not sure I have the time this week but might try that this weekend
-
test are going well.
need to understand how it uses the CPU's based on this I can scale my systems.
@ the moment I'm trying to migrate from pfsense to opnsense and working on chef integration :)