Suricata on WAN int; very low CPU usage; is it really doing anything?

Started by VEbzuT6X, October 22, 2017, 09:22:27 PM

I've noticed Suricata's CPU usage rarely exceeds 3% when set to monitor just the WAN interface.

If I configure it to monitor LAN, or both LAN and WAN, (depending on throughput) Suricata's CPU usage can get >100%, which I guess I should expect to see?

I'm running the latest version of opnsense on an APU2C4.

Currently Suricata's conf'd to run on both WAN and LAN; here's an ifconfig output:

igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=4400b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,TXCSUM_IPV6>

igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=5400b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,NETMAP,TXCSUM_IPV6>

Thanks in advance.

Suricata won't inspect anything, since HOME_NET contains private IPs which won't exist on WAN.

If I'm understanding you correctly, you're saying setting Suricata to monitor the WAN interface is pointless?

If it doesn't inspect HOME_NET addresses, why am I seeing so much more CPU usage when Suricata's conf'd to inspect LAN instead of WAN?

That's very odd. I've definitely noticed Suricata inspecting, alerting and warning on the WAN in the past. And blocking also.

Usually, it's getting far fewer alerts when run on a LAN (my experience), since if the firewall is doing its job at the WAN and dropping a ton of uninvited connections, Suricata monitoring the LAN would never even see the traffic.

It depends what rules are enabled.

Check /usr/local/etc/suricata/suricata.yaml for HOME_NET. For me it's
"[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"

Then check your active rules in /usr/local/etc/suricata/opnsense.rules/

Let's check dshield.rules:

alert ip [94.102.49.0/24,191.101.167.0/24,77.72.82.0/24,5.188.86.0/24,5.188.203.0/24,77.72.85.0/24,185.70.184.0/24,80.82.77.0/24,141.212.122.0/24,5.188.10.0/24,185.129.148.0/24,205.209.159.0/24,196.52.43.0/24,181.214.87.0/24,71.6.146.0/24,125.212.217.0/24,45.55.19.0/24,38.142.98.0/24,104.236.191.0/24,5.101.40.0/24] any -> $HOME_NET any (msg:"ET DROP Dshield Block Listed Source group 1"; reference:url,feeds.dshield.org/block.txt; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DshieldIP; sid:2402000; rev:4598;)

Since the flow goes TO HOME_NET, this rule will never match when you don't specify your WAN IP addresses in HOME_NET.

Some people also have HOME_NET on both sides of WAN and LAN, which is when most rules will not alert or drop, because it's an impossible condition as per !HOME_NET to HOME_NET.


Cheers,
Franco
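To make the direction argument above concrete, here is an added Python sketch (not code from the thread, OPNsense or Suricata) that evaluates only the source/destination part of a rule header against a HOME_NET definition; the shortened dshield rule, the attacker IP, the LAN host and the 203.0.113.5 WAN address are constructed values.

```python
import ipaddress

# Constructed, shortened version of the dshield rule quoted in the thread
# (two source prefixes instead of twenty; same direction and destination).
DSHIELD_RULE = ('alert ip [94.102.49.0/24,80.82.77.0/24] any -> $HOME_NET any '
                '(msg:"ET DROP Dshield Block Listed Source group 1"; sid:2402000; rev:4598;)')

def parse_addr(spec, variables):
    """Expand one address field ('any', '$VAR', '!...' or '[a,b,...]') into
    (negated, networks). Nested brackets/vars inside a list are not handled."""
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:]
    if spec.startswith("$"):
        spec = variables[spec[1:]]          # e.g. HOME_NET from suricata.yaml
    if spec == "any":
        return negated, [ipaddress.ip_network("0.0.0.0/0")]
    nets = [ipaddress.ip_network(p.strip()) for p in spec.strip("[]").split(",")]
    return negated, nets

def addr_hit(spec, ip, variables):
    negated, nets = parse_addr(spec, variables)
    inside = any(ipaddress.ip_address(ip) in n for n in nets)
    return inside != negated                # a leading '!' flips the result

def header_matches(rule, src_ip, dst_ip, variables):
    """Check only src/dst addresses of a '->' rule header; proto, ports and options are ignored."""
    _action, _proto, src, _sport, arrow, dst, _dport = rule.split("(", 1)[0].split()
    if arrow != "->":
        raise ValueError("only unidirectional rules supported")
    return addr_hit(src, src_ip, variables) and addr_hit(dst, dst_ip, variables)

def wan_vs_lan_demo():
    """Same blocklisted source seen on WAN (before NAT) and on LAN (after NAT)."""
    private_only = {"HOME_NET": "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"}
    with_wan_ip = {"HOME_NET": "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,203.0.113.5/32]"}
    attacker, wan_ip, lan_host = "94.102.49.10", "203.0.113.5", "192.168.1.20"
    return {
        "wan_private_homenet": header_matches(DSHIELD_RULE, attacker, wan_ip, private_only),
        "lan_private_homenet": header_matches(DSHIELD_RULE, attacker, lan_host, private_only),
        "wan_homenet_incl_wan_ip": header_matches(DSHIELD_RULE, attacker, wan_ip, with_wan_ip),
    }

def homenet_everywhere_demo():
    """HOME_NET covering both sides: '!$HOME_NET -> $HOME_NET' can never be true."""
    rule = 'alert ip !$HOME_NET any -> $HOME_NET any (msg:"constructed"; sid:1;)'
    everything = {"HOME_NET": "any"}
    return header_matches(rule, "94.102.49.10", "192.168.1.20", everything)
```

With HOME_NET left at the private ranges the dshield rule is dead on the WAN side and only fires once the same packet reaches the LAN, which is the CPU difference the original poster observed.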