OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: opnsense-user123 on January 03, 2018, 11:33:18 pm

Title: how to further tweak Suricata
Post by: opnsense-user123 on January 03, 2018, 11:33:18 pm
Hello:

My hardware is a quad-core AMD GX-412TC (https://www.pcengines.ch/apu2.htm) and Suricata is killing it. My WAN is about 20 up / 200 down; I run a wired LAN and a WiFi LAN on separate private IP subnets. I also run the traffic shaper and local netflow.

I have removed all rules from Suricata except country blocking and it still cannot handle 200 megabits of traffic, especially if it is multiple streams. The Suricata process goes over 300% CPU. I have already changed to hyperscan.

I wanted to try a few things to improve it, but there are no switches for them in the GUI, and if I hand-modify /usr/local/etc/suricata/suricata.yaml I'm not sure the change is being applied; even if it is, it is gone after a reboot.

I wanted to try:

Code:
detect-engine:
  - profile: high   # currently set to medium; high uses more RAM to save some CPU, and I have 4 GB of RAM

app-layer:
  protocols:
    tls:
      enabled: yes
      detection-ports:
        dp: 443

      no-reassemble: yes   # remove the comment marker here so no-reassemble IS set to yes

This second one is supposed to make it ignore the contents of an encrypted stream after the handshake, which seems like a good idea to me, especially when CPU-challenged. From the docs:

Quote
If no-reassemble is set to true, all processing of this session is stopped. No further parsing and inspection happens. If bypass is enabled this will lead to the flow being bypassed, either inside Suricata or by the capture method if it supports it.

If no-reassemble is set to false, which is the default, Suricata will continue to track the SSL/TLS session. Inspection will be limited, as content inspection will still be disabled. There is no point in doing pattern matching on traffic known to be encrypted. Inspection for (encrypted) Heartbleed and other protocol anomalies still happens.

Finally, I wanted to try adding a PASS rule so that Suricata will not inspect traffic to/from my own personal server, so that at least there I can get my full bandwidth for file transfers. When I created that rule in the config files it did not seem to work, and it was gone after a reboot. The GUI is limited in the creation of user rules; it seems to only let me create the country-blocker rule there. It would be great if I could create any type of rule, including this PASS rule I want to try.

Thanks for any help.
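As an added example (not from the original post, the OPNsense project, or the Suricata documentation), this is what the PASS rule for the personal server described above could look like in Suricata's rule language. It assumes the server's address is 192.0.2.10 (a documentation address standing in for the real one), a file-transfer port of 22, and that the rules file is listed under rule-files in the suricata.yaml that Suricata actually loads:

```suricata
# Constructed example; 192.0.2.10 stands in for the personal server's address.
# Pass rules are evaluated before drop, reject and alert rules regardless of where
# they sit in the file. An IP-only pass rule like this one, once it matches a packet,
# also marks the flow so the remaining packets of that flow skip detection.
pass ip 192.0.2.10 any <> any any (msg:"Skip inspection of personal server traffic"; sid:1000001; rev:1;)

# Narrower variant: only skip the file-transfer port (assumed to be 22 here) and keep
# inspecting everything else to/from the server. The bypass keyword (Suricata 3.2 and
# later) additionally asks the engine, or the capture method if it supports it, to stop
# tracking the flow entirely, which is the effect the quoted docs describe for TLS.
pass tcp any any <> 192.0.2.10 22 (msg:"Bypass SSH/SCP to personal server"; bypass; sid:1000002; rev:1;)
```

The sids are taken from the 1000000-1999999 range conventionally reserved for local rules so they cannot collide with downloaded rulesets. Whether the file is picked up can be checked with `suricata -T -c /usr/local/etc/suricata/suricata.yaml`, which loads the configuration and all rule files in test mode and reports parse errors without starting the engine; how to keep such a file from being overwritten when OPNsense regenerates suricata.yaml is a separate question from the rule syntax itself.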



Title: Re: how to further tweak Suricata
Post by: weust on January 04, 2018, 08:18:10 am
Sounds easy to me. The CPU isn't fast enough.


Title: Re: how to further tweak Suricata
Post by: opnsense-user123 on January 04, 2018, 08:50:00 pm
Weust, while that may indeed be the case, your response did not address my questions.

I would like to point out that my CPU is quite similar to what Deciso sells in their "Mid Range & High Performance" rack-mount A10 quad-core box -- can that one not run Suricata at WAN speeds over 50 megabits per second either? Or have I done something wrong with my config? Is country blocking in Suricata (as directed to be set up here: https://docs.opnsense.org/manual/how-tos/ips-geoip.html ) more resource-intensive than running a set of 3000 rules?

Did I try to block too many? Afghanistan, Albania, Brazil, China, India, Iran, Romania, Russia, Turkey, Taiwan, Ukraine.