IDS/IPS new settings

[hushcoden]

I've just updated to 20.7 and noticed that in "Intrusion Detection" --> "Administration" there is the new setting 'Detecting Profile': no idea what the different options mean (default, low, medium, high, custom) 

What default does?

Where can I find a simple document which explains the different settings?

Tia.

[FullyBorked]

https://suricata.readthedocs.io/en/suricata-5.0.3/performance/tuning-considerations.html?highlight=Detecting%20Profile#detect-profile-low-medium-high-custom

Look at 9.3.3.  Sounds like higher is better for performance with a hit on memory allocation.

[hushcoden]

Thanks FullyBorked !

Another thing I've noticed is that the log looks different than when I had 20.1 & Suricata 4 (see attahcment): does anybody know how to get in the log the same info (i.e. timestamp, info about each rule, etc.) I had before ?

Tia.

[XeroX]

Yeah I implemented that new settings. It allows you to use more memory to group large sets of rules.

I noticed the same thing, it now shows stats log, so I disabled this to get back the normal log.

https://forum.opnsense.org/index.php?topic=18288.0

[mimugmail]

This will be fixed in next version:
https://github.com/opnsense/core/commit/6dbd1d4abc9e64baa8f919c5bfb02ffc261512bb


You can also patch via CLI:
opnsense-patch 6dbd1d4

[XeroX]

This will be fixed in next version:
https://github.com/opnsense/core/commit/6dbd1d4abc9e64baa8f919c5bfb02ffc261512bb


You can also patch via CLI:
opnsense-patch 6dbd1d4

Thx, I would be more happy to disable stats.log, as its writing to disk every 8 seconds.

[ArminF]

Greetings,

as i have enough memory free would it make sense to set the Detect Profile to custom and above 100?

High is stated with 75.

thanks
armin