Show Posts
1
Intrusion Detection and Prevention / Suricata IPS always overloads CPU then freezes OPNsense
« on: February 22, 2024, 04:44:13 pm »
Hi everyone, kind of a noob. Have a pretty simple setup, but running into issues when I turn on IPS. Really just using for firewall, VPN, NAT, IDS, and DNS server. Have wireguard running with multiple interfaces using a gateway group for failover. Firewall with nothing too crazy except the rules needed for wireguard and NAT. Using Unbound DNS from opnsense.
Filtered the rules with IDS in suricata to know which ones are relevant. Every time I turn on IPS, one of the CPU core's maxes out then the opnsense box freezes. I have to restart it then turn off IPS shortly after bootup. Not really sure what to look for or do? All the hardware offloading is disabled. Not really sure what to look at. If someone could please provide some guidance? Using the most recent version of opnsense (realize there were some rollbacks with suricata, but I had this issue on the last major version as well).
Nothing fancy for CPU Intel(R) Celeron(R) N4000 CPU @ 1.10GHz (2 cores, 2 threads) and the internet speed is at 1.2 Gb/s. No cooling solution. Maybe need a more powerful box? One odd thing was looking at installing zenarmor, but it believes that hardware offloading is still on. Which is weird because on the interfaces -> settings have all four settings disabled. Maybe offloading is turned on somwhere else so suricata can't perform?
Filtered the rules with IDS in suricata to know which ones are relevant. Every time I turn on IPS, one of the CPU core's maxes out then the opnsense box freezes. I have to restart it then turn off IPS shortly after bootup. Not really sure what to look for or do? All the hardware offloading is disabled. Not really sure what to look at. If someone could please provide some guidance? Using the most recent version of opnsense (realize there were some rollbacks with suricata, but I had this issue on the last major version as well).
Nothing fancy for CPU Intel(R) Celeron(R) N4000 CPU @ 1.10GHz (2 cores, 2 threads) and the internet speed is at 1.2 Gb/s. No cooling solution. Maybe need a more powerful box? One odd thing was looking at installing zenarmor, but it believes that hardware offloading is still on. Which is weird because on the interfaces -> settings have all four settings disabled. Maybe offloading is turned on somwhere else so suricata can't perform?