OPNsense Forum

English Forums => General Discussion => Topic started by: VEbzuT6X on October 22, 2017, 09:22:27 pm

Title: Suricata on WAN int; very low CPU usage; is it really doing anything?
Post by: VEbzuT6X on October 22, 2017, 09:22:27 pm
I've noticed Suricata's CPU usage rarely exceeds 3% when set to monitor just the WAN interface.

If I configure it to monitor LAN, or both LAN and WAN, (depending on throughput) Suricata's CPU usage can get >100%, which I guess I should expect to see?

I'm running the latest version of OPNsense on an APU2C4.

Currently Suricata's conf'd to run on both WAN and LAN; here's an ifconfig output:

igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=4400b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,TXCSUM_IPV6>

igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=5400b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,NETMAP,TXCSUM_IPV6>

Thanks in advance.
Title: Re: Suricata on WAN int; very low CPU usage; is it really doing anything?
Post by: mimugmail on October 22, 2017, 09:38:43 pm
Suricata won't inspect anything since HOME_NET is private IPs, which won't exist on WAN.
Title: Re: Suricata on WAN int; very low CPU usage; is it really doing anything?
Post by: VEbzuT6X on October 22, 2017, 09:42:23 pm
If I'm understanding you correctly, you're saying setting Suricata to monitor the WAN interface is pointless?

If it doesn't inspect HOME_NET addresses, why am I seeing so much more CPU usage when Suricata's conf'd to inspect LAN instead of WAN?
Title: Re: Suricata on WAN int; very low CPU usage; is it really doing anything?
Post by: xinnan on October 22, 2017, 10:47:46 pm
That's very odd. I've definitely noticed Suricata inspecting, alerting and warning on the WAN in the past. And blocking also.

Usually, it's getting far fewer alerts when run on a LAN (my experience), since if the firewall is doing its job at the WAN and dropping a ton of uninvited connections, Suricata monitoring the LAN would never even see the traffic.
Title: Re: Suricata on WAN int; very low CPU usage; is it really doing anything?
Post by: mimugmail on October 23, 2017, 02:21:07 pm
It depends what rules are enabled.

Check /usr/local/etc/suricata/suricata.yaml for HOME_NET. For me it's
"[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"

Then check your active rules in /usr/local/etc/suricata/opnsense.rules/

Let's check dshield.rules:

alert ip [94.102.49.0/24,191.101.167.0/24,77.72.82.0/24,5.188.86.0/24,5.188.203.0/24,77.72.85.0/24,185.70.184.0/24,80.82.77.0/24,141.212.122.0/24,5.188.10.0/24,185.129.148.0/24,205.209.159.0/24,196.52.43.0/24,181.214.87.0/24,71.6.146.0/24,125.212.217.0/24,45.55.19.0/24,38.142.98.0/24,104.236.191.0/24,5.101.40.0/24] any -> $HOME_NET any (msg:"ET DROP Dshield Block Listed Source group 1"; reference:url,feeds.dshield.org/block.txt; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DshieldIP; sid:2402000; rev:4598;)

Since the flow goes TO HOME_NET, this rule will never match when you don't add your WAN IP addresses to HOME_NET.
Title: Re: Suricata on WAN int; very low CPU usage; is it really doing anything?
Post by: franco on October 23, 2017, 05:17:22 pm
Some people also have HOME_NET on both sides of WAN and LAN, which is when most rules will not alert or drop, because it's an impossible condition as per !HOME_NET to HOME_NET.

Cheers,
Franco
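To make the HOME_NET point from mimugmail's and franco's replies concrete, here is an added example (not from this thread, nor from OPNsense or Suricata) that evaluates only the source/destination address part of a rule header against one inbound packet as Suricata would see it on WAN. The Dshield rule copy is abbreviated to two of the listed ranges, and the firewall WAN address 203.0.113.5 and the source host 94.102.49.10 are constructed values.

```python
import ipaddress

# Constructed, abbreviated copy of the Dshield rule header quoted in the thread
# (only two of the listed /24 source ranges are kept; sid is the one on the page).
DSHIELD_RULE = ('alert ip [94.102.49.0/24,80.82.77.0/24] any -> $HOME_NET any '
                '(msg:"ET DROP Dshield Block Listed Source group 1"; sid:2402000;)')
# Rule shape behind franco's remark: the source must be outside HOME_NET.
EXTERNAL_RULE = 'alert ip !$HOME_NET any -> $HOME_NET any (msg:"external to home"; sid:1;)'

PRIVATE_HOME_NET = "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"  # default quoted in the thread
WAN_IP = "203.0.113.5"          # constructed public WAN address of the firewall
LISTED_SRC = "94.102.49.10"     # constructed host inside one of the listed /24s

def parse_group(spec, home_net):
    """Expand an address group to (negated, networks); networks=None means 'any'."""
    spec = spec.strip()
    negated = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        return negated, None
    if spec == "$HOME_NET":
        spec = home_net
    nets = [ipaddress.ip_network(n) for n in spec.strip("[]").split(",")]
    return negated, nets

def in_group(addr, group):
    negated, nets = group
    hit = nets is None or any(ipaddress.ip_address(addr) in n for n in nets)
    return hit != negated

def rule_matches(rule, home_net, src, dst):
    """Check only the src/dst address part of a rule header for one packet."""
    hdr = rule.split("(", 1)[0].split()      # action proto src sport -> dst dport
    return (in_group(src, parse_group(hdr[2], home_net)) and
            in_group(dst, parse_group(hdr[5], home_net)))

def wan_inspection_results():
    """Same inbound packet on WAN, before and after adding the WAN IP to HOME_NET."""
    extended = PRIVATE_HOME_NET[:-1] + "," + WAN_IP + "/32]"
    return {
        "dshield_private_home_net": rule_matches(DSHIELD_RULE, PRIVATE_HOME_NET, LISTED_SRC, WAN_IP),
        "dshield_wan_ip_in_home_net": rule_matches(DSHIELD_RULE, extended, LISTED_SRC, WAN_IP),
        # HOME_NET covering everything: !HOME_NET -> HOME_NET can never be true
        "external_rule_home_net_everything": rule_matches(EXTERNAL_RULE, "[0.0.0.0/0]", LISTED_SRC, WAN_IP),
        "external_rule_wan_ip_in_home_net": rule_matches(EXTERNAL_RULE, extended, LISTED_SRC, WAN_IP),
    }

if __name__ == "__main__":
    for name, hit in wan_inspection_results().items():
        print(f"{name}: {'match' if hit else 'no match'}")
```

With the default private-only HOME_NET the Dshield rule never fires on WAN because the packet's destination is the public WAN address; the same packet port-forwarded to a 192.168.x host and seen on LAN does match, which is consistent with the higher CPU load reported for LAN monitoring.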