Messages - ArminF

106
Zenarmor (Sensei) / Re: 4GB+ heap Size for Elasticsearch
« on: September 22, 2020, 07:01:24 pm »
Thanks again!

Funny thing is that Medium was blocked by Sensei as I disabled it on the app blocker :-S
I will check your article but for my home environment I think I will have enough CPU power. Intel i7 4 Cores HT
Just wanted to waste some of 32 GB RAM :)

107
Zenarmor (Sensei) / Re: 4GB+ heap Size for Elasticsearch
« on: September 22, 2020, 06:03:17 pm »
Hello,
thank you for your swift answer!

I did change the file and restarted Elasticsearch through the web GUI.

Sensei is set to Small II (50 Devices)

root@opnsense:~ # top | grep java
PID USERNAME    THR PRI NICE   SIZE    RES STATE    C   TIME    WCPU COMMAND
54544 elasticsea   77  52    0  4058M  2339M uwait    5   0:31   0.20% java

How much would be the max here or would a bigger value make sense at all?



108
Zenarmor (Sensei) / (SOLVED) 4GB+ heap Size for Elasticsearch
« on: September 22, 2020, 05:40:33 pm »
Hello,
would extending the heap size help sensei to run smoother?
From another product this helped me a lot.

And if yes can you tell me where to set this on opnsense?
jvm.option - but here I found several.

thanks
armin

109
Intrusion Detection and Prevention / Re: Suricata - CPU Affinity - use more cores
« on: September 22, 2020, 09:30:08 am »
Morning,
the pasted config is the default from Suricata which I compared to the OPNsense one.

Maybe I am looking wrong. But from the top I see only cpu 5 used. So I asked myself if this could be configured to use all 8 cores "somehow"... I am not an expert.

As far as I understood Suricata on OPNsense runs in worker mode. Maybe this would help to spread out the work
cpu-affinity:
  - management-cpu-set:
      cpu: [ 0 ]  # include only these cpus in affinity settings
  - receive-cpu-set:
      cpu: [ 0 ]  # include only these cpus in affinity settings
  - worker-cpu-set:
      cpu: [ "all" ]   # ---> exclude cpu 0 set to 1-6
      mode: "exclusive" # --> not sure here, another option is called balanced

or set to autofp and then spread the work to every cpu

cpu-affinity:
  - management-cpu-set:
      cpu: [ 0 ]  # include only these cpus in affinity settings
  - receive-cpu-set:
      cpu: [ 0 ]  # include only these cpus in affinity settings --> 1 - 2 CPUs
  - worker-cpu-set:
      cpu: [ "all" ] # --> 3 - 5 CPUs
      mode: "exclusive"
      # Use explicitly 3 threads and don't compute number by using
      # detect-thread-ratio variable:
      # threads: 3
      prio:
        low: [ 0 ]
        medium: [ "1-2" ]
        high: [ 3 ]
        default: "medium"
  - verdict-cpu-set:
      cpu: [ 0 ]  # --> 6 - 7 CPUs
      prio:
        default: "high"


Not sure if this would help.
How do you read these settings?

thanks!
A

110
Intrusion Detection and Prevention / Re: Suricata - CPU Affinity - use more cores
« on: September 22, 2020, 08:25:30 am »
Found this explanation but not quite sure where to set what to get more out of 8 cores.
https://suricata.readthedocs.io/en/suricata-5.0.3/configuration/suricata-yaml.html
-----------------------------------------
set-cpu-affinity: no

cpu-affinity:
  - management-cpu-set:
      cpu: [ 0 ]  # include only these cpus in affinity settings
  - receive-cpu-set:
      cpu: [ 0 ]  # include only these cpus in affinity settings
  - worker-cpu-set:
      cpu: [ "all" ]
      mode: "exclusive"
      # Use explicitly 3 threads and don't compute number by using
      # detect-thread-ratio variable:
      # threads: 3
      prio:
        low: [ 0 ]
        medium: [ "1-2" ]
        high: [ 3 ]
        default: "medium"
  - verdict-cpu-set:
      cpu: [ 0 ]
      prio:
        default: "high"
-----------------------------------------

Runmode AutoFp:

management-cpu-set - used for management (example - flow.managers, flow.recyclers)
receive-cpu-set - used for receive and decode
worker-cpu-set - used for streamtcp,detect,output(logging)
verdict-cpu-set - used for verdict and respond/reject

Runmode Workers:

management-cpu-set - used for management (example - flow.managers, flow.recyclers)
worker-cpu-set - used for receive,streamtcp,decode,detect,output(logging),respond/reject, verdict
-----------------------------------------

Would it make sense to set the mode to autofp and spread the work out to several dedicated cores?
As far as I understood worker mode would bundle the work into single cores.

Or in worker mode to dedicate a core for management and exclude this from the workers cores?

thanks
armin
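
The worker-mode layout asked about above, written out as an added example (not part of the original post and not OPNsense's shipped configuration). It assumes an 8-core box with cores numbered 0-7, as in the top output, and uses the keys from the Suricata sample quoted in the post plus Suricata's `runmode` and `threading` keys.

```yaml
# Added example: workers-runmode pinning, 8 cores (0-7) assumed.
runmode: workers            # each worker does receive, decode, streamtcp,
                            # detect, output and verdict itself

threading:
  # The sample in the post has "no" here; with "no" Suricata does not
  # pin threads to the cores listed below.
  set-cpu-affinity: yes
  cpu-affinity:
    - management-cpu-set:
        cpu: [ 0 ]          # flow managers / recyclers stay on core 0
    - worker-cpu-set:
        cpu: [ "1-7" ]      # workers kept off the management core
        mode: "exclusive"   # bind each worker thread to one core of the set
        prio:
          default: "high"
    # receive-cpu-set and verdict-cpu-set are left out: per the runmode
    # list in the post they are only used in autofp.
```

Affinity only decides where worker threads run; how many workers exist comes from the capture configuration, so a single worker thread still occupies a single core.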

111
Intrusion Detection and Prevention / Suricata - CPU Affinity - use more cores
« on: September 21, 2020, 10:21:24 pm »
  PID USERNAME    PRI NICE   SIZE    RES STATE    C   TIME    WCPU COMMAND
82280 root        103    0  2445M  1374M CPU5     5   5:33  99.54% suricata
   11 root        155 ki31      0   128K CPU7     7  13:23  99.35% idle{idle: cpu7}
   11 root        155 ki31      0   128K CPU6     6  23:15  98.92% idle{idle: cpu6}
   11 root        155 ki31      0   128K CPU1     1  22:30  98.60% idle{idle: cpu1}
   11 root        155 ki31      0   128K CPU2     2  23:39  98.12% idle{idle: cpu2}
   11 root        155 ki31      0   128K CPU3     3  23:06  85.31% idle{idle: cpu3}
   11 root        155 ki31      0   128K RUN      5  23:09  80.96% idle{idle: cpu5}
   11 root        155 ki31      0   128K RUN      0  23:01  79.04% idle{idle: cpu0}
   11 root        155 ki31      0   128K CPU4     4  23:31  51.85% idle{idle: cpu4}

Well, I enabled Suricata on my WAN and DMZ interfaces.  LAN has Sensei running.
Took some speedtests and was pretty shocked.
Lost 70 Mbit with Suricata turned on. Got 180 from 250 Mbit down. The upload stayed the same.
So I checked on the console what's happening and saw that Suricata uses a single core out of 8.

Can this be somehow spread to several cores?

thank you
armin

112
General Discussion / Re: Migrate DNSCrypt Settings to new Box
« on: September 20, 2020, 10:13:41 am »
Excellent.

Just took a look at the xml file and found the settings included.

Thank you very much!
Enjoy your sunday.
armin

113
General Discussion / [SOLVED] Migrate DNSCrypt Settings to new Box
« on: September 20, 2020, 08:53:07 am »
Good Morning,
received new hardware on Friday and started to set things up.
As the new box is not on the internet yet I imported the backup from the old one, like firewall, DNS, system, NTP and such stuff.

As I run DNSCrypt on the old one, which is not yet installed, I was wondering if I could transfer the settings with a backup. But I could not find DNSCrypt mentioned to be imported.

Is this listed in the AddOns from the backup?
Or is there another way to import the settings?

I guess I have to connect the box and download and install DNSCrypt first?

thank you very much.
armin

114
Intrusion Detection and Prevention / Re: Is Suricata running?
« on: August 17, 2020, 07:56:43 am »
You can SSH into the box. Select option 8 for shell.

root@opnsense:/var/log/suricata # service suricata status
suricata is running as pid 87056.

Also you can check the logs in /var/log/ and /var/log/suricata

Or run a top command to see if suricata is loaded.

Depending on your rules there might be no alerts.

115
Intrusion Detection and Prevention / Re: IDS/IPS new settings
« on: August 11, 2020, 10:16:06 am »
Greetings,

as I have enough memory free would it make sense to set the Detect Profile to custom and above 100?

High is stated with 75.

thanks
armin

116
20.7 Legacy Series / Re: Slow WAN after upgrade
« on: August 11, 2020, 08:26:32 am »
Morning Gentlemen,

I am reading about the powermodes here. My box is set to hi adaptive.

Do I have to enable the "Use Power D" option or can I set all options beneath to max?

thanks
armin

117
Intrusion Detection and Prevention / IDS/IPS - show "disabled" Rules in GUI
« on: July 27, 2020, 01:16:07 pm »
Hello,
can you please enlighten me how to sort/filter the rules so I would see the ones which are NOT enabled?
I clicked one from the alert tab and wanted to look it up in the rules section.
45 thousand rules are pretty hard to browse.

Usually I set the rules I do not enable back to alert instead of block so I can filter them.
But with the last one I forgot to set it back...

thank you very much.
cheers A

118
General Discussion / Lightweight Sensei setup for smaller CPU (i3 4100U)
« on: July 15, 2020, 08:28:24 pm »
Hello All,

is there a way to run a lightweight setup for Sensei?
I do have an Intel i3 4100U 1.8 GHz SoC CPU.
As soon as I install Sensei my system crashes and I have to uninstall Sensei through the console.

The setup detects my CPU as (orange), I guess weak, and gives me a green on 8 GB memory.
Nevertheless my system crashes afterwards. No DHCP, actually none of the services are started.
Starting them through the console ends with a "could not start mongodb".

I would be able to choose from mongodb or elasticsearch where default is set to mongo.

Besides, I do run cryptDNS, maybe this could be an issue as well.
WAN is 250 MBit and 25 upload.
4 Intel NIC each 1GB

I would really love to run application scanning on the LAN side.
Or is there maybe another tool which would run with less resources on OPNsense?

Any thoughts or tips?
much appreciated!
thanks
armin

119
Web Proxy Filtering and Caching / Re: Filtering without ssl inspection?
« on: May 11, 2020, 10:02:25 pm »
Ehm... did you reroute the ports to the localhost for SSL as well?

3129 as far as I remember. 3128 is for HTTP.

https://docs.opnsense.org/manual/how-tos/proxytransparent.html

120
Web Proxy Filtering and Caching / Re: Filtering without ssl inspection?
« on: May 11, 2020, 09:45:57 pm »
Maybe check if you did set up a CA even when you don't use it.
Seems to be mandatory to be selected on the SSL option.

At home I switched to DNS Crypt as it provides blocklists on DNS-based answers.
Uses much less resources on the box.
