OPNsense Forum
English Forums => General Discussion => Topic started by: VEbzuT6X on October 22, 2017, 09:22:27 pm
-
I've noticed Suricata's CPU usage rarely exceeds 3% when set to monitor just the WAN interface.
If I configure it to monitor LAN, or both LAN and WAN, (depending on throughput) Suricata's CPU usage can get >100%, which I guess I should expect to see?
I'm running the latest version of opnsense on an APU2C4.
Currently Suricata's conf'd to run on both WAN and LAN; here's an ifconfig output:
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=4400b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,TXCSUM_IPV6>
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=5400b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,NETMAP,TXCSUM_IPV6>
Thanks in advance.
-
Suricata won't inspect anything since HOME_NET is private IPs, which won't exist on WAN.
-
If I'm understanding you correctly, you're saying setting Suricata to monitor the WAN interface is pointless?
If it doesn't inspect HOME_NET addresses, why am I seeing so much more CPU usage when Suricata's conf'd to inspect LAN instead of WAN?
-
That's very odd. I've definitely noticed Suricata inspecting, alerting and warning on the WAN in the past. And blocking also.
Usually, it's getting far fewer alerts when run on a LAN (my experience), since if the firewall is doing its job at the WAN and dropping a ton of uninvited connections, Suricata monitoring the LAN would never even see the traffic.
-
It depends what rules are enabled.
Check /usr/local/etc/suricata/suricata.yaml for HOME_NET. For me it's
"[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
Then check your active rules in /usr/local/etc/suricata/opnsense.rules/
Let's check dshield.rules:
alert ip [94.102.49.0/24,191.101.167.0/24,77.72.82.0/24,5.188.86.0/24,5.188.203.0/24,77.72.85.0/24,185.70.184.0/24,80.82.77.0/24,141.212.122.0/24,5.188.10.0/24,185.129.148.0/24,205.209.159.0/24,196.52.43.0/24,181.214.87.0/24,71.6.146.0/24,125.212.217.0/24,45.55.19.0/24,38.142.98.0/24,104.236.191.0/24,5.101.40.0/24] any -> $HOME_NET any (msg:"ET DROP Dshield Block Listed Source group 1"; reference:url,feeds.dshield.org/block.txt; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DshieldIP; sid:2402000; rev:4598;)
Since the flow goes TO HOME_NET, this rule will never match when you don't specify your WAN IP addresses in HOME_NET.
-
Some people also have HOME_NET on both sides of WAN and LAN, which is when most rules will not alert or drop, because it's an impossible condition as per !HOME_NET to HOME_NET.
Cheers,
Franco
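To make the HOME_NET discussion above concrete, here is a small checker (an added example, not code from the forum or from the Suricata project) that evaluates only the address fields of a rule header against a flow, with HOME_NET substituted the way Suricata does it and EXTERNAL_NET defaulting to !$HOME_NET. The WAN address 203.0.113.5, the LAN host, the scanner address inside one of the quoted dshield ranges and the shortened rules are constructed for the demo; ports, protocol, flow state and rule options are deliberately ignored.

```python
import ipaddress

def make_vars(home_net):
    """Address variables as Suricata derives them: EXTERNAL_NET defaults to !$HOME_NET."""
    return {"$HOME_NET": home_net, "$EXTERNAL_NET": ["!$HOME_NET"]}

def expand(spec, variables):
    """Turn an address spec into (include, exclude) network lists.
    Supports $VARS, [a,b,...] groups, a leading '!' and 'any'."""
    spec = spec.strip()
    if spec.startswith("!"):
        inc, exc = expand(spec[1:], variables)
        return exc, inc                          # negation swaps the two sets
    if spec == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], []
    if spec in variables:
        return expand("[" + ",".join(variables[spec]) + "]", variables)
    if spec.startswith("[") and spec.endswith("]"):
        inc, exc = [], []
        for part in spec[1:-1].split(","):
            i, e = expand(part, variables)
            inc += i
            exc += e
        return inc, exc
    return [ipaddress.ip_network(spec, strict=False)], []

def addr_matches(ip, spec, variables):
    """An address matches if it is inside some include (or there are none) and inside no exclude."""
    inc, exc = expand(spec, variables)
    ip = ipaddress.ip_address(ip)
    return (not inc or any(ip in n for n in inc)) and not any(ip in n for n in exc)

def rule_matches(rule, src_ip, dst_ip, home_net):
    """Evaluate the address fields of a one-directional header: action proto src sport -> dst dport."""
    action, proto, src, sport, arrow, dst, dport = rule.split("(", 1)[0].split()
    variables = make_vars(home_net)
    return addr_matches(src_ip, src, variables) and addr_matches(dst_ip, dst, variables)

# HOME_NET as quoted from suricata.yaml in the thread.
PRIVATE = ["192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12"]
# Constructed: a shortened copy of the quoted dshield rule and a generic EXTERNAL_NET -> HOME_NET rule.
DSHIELD = ('alert ip [94.102.49.0/24,5.188.86.0/24] any -> $HOME_NET any '
           '(msg:"ET DROP Dshield Block Listed Source group 1"; sid:2402000;)')
GENERIC = 'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"constructed"; sid:1;)'
WAN_IP, LAN_HOST, SCANNER = "203.0.113.5", "192.168.1.20", "94.102.49.10"   # constructed

if __name__ == "__main__":
    print("dshield, seen on WAN (dst = public IP):", rule_matches(DSHIELD, SCANNER, WAN_IP, PRIVATE))
    print("dshield, seen on LAN (dst = LAN host): ", rule_matches(DSHIELD, SCANNER, LAN_HOST, PRIVATE))
    print("dshield, WAN IP added to HOME_NET:     ", rule_matches(DSHIELD, SCANNER, WAN_IP, PRIVATE + [WAN_IP]))
    print("generic, HOME_NET = any (both sides):  ", rule_matches(GENERIC, SCANNER, LAN_HOST, ["any"]))
```

The last case is the impossible condition from the reply above: once HOME_NET covers everything, !$HOME_NET is empty and an EXTERNAL_NET -> HOME_NET rule can never fire.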