ips/ids suricata Solved

Started by GDixon, December 01, 2018, 07:46:51 AM

December 02, 2018, 02:53:37 AM #15 Last Edit: December 02, 2018, 03:05:05 AM by GDixon
Quote from: GDixon on December 01, 2018, 10:33:03 AM

I set up cron in the GUI. When you close the pop-up to see if the rule is added, it goes to the last place you were in the configs. I was looking at the alerts before I did the cron, and cron just put me right back to alerts. The GUI will not let you look to see what rules are in the schedule.


Aha moment. You may not be able to look cron up in the Suricata admin page, but I found where cron is in System settings. You're just not redirected while in the Suricata admin page.

Silly me :) that part is solved.
I tried to do a restore to factory and reload my config, and that went well, except now the web pages load slowly, especially the dashboard. Hmmmm.

Next is to do a fresh format and reinstall and reconfigure by hand and see if it's all the rules that slow down the pages.
More tomorrow.

The "no alerts showing" problem is tentatively solved; see the posts below:

https://forum.opnsense.org/index.php?topic=10193.0

Slowly we go; I'll get it all figured out some day.

Quote from: GDixon on December 01, 2018, 05:42:16 PM
I have new errors, lol, different than before, and no alerts show up yet.

I'm going to remove Suricata, restore a good config and start over with Suricata.

Good idea, never seen these errors before.
OS: OPNsense 18.7.9-amd64
HW: HP t620 PLUS Thin Client (F0U83EA) / AMD GX-420CA SOC with Radeon HD Graphics (4 cores) / 4GB RAM, INTEL i350-T4 1G Quad Port Ethernet Adapter (I350T4G2P20), WD Green SSD 120GB M.2 2280 SATA B-M-Key 6GBs (WDS120G2G0B)
Internet: 1und1 VDSL 50 Mbit
VoIP: 1und1 und Sipgate

December 02, 2018, 07:44:07 PM #17 Last Edit: December 02, 2018, 08:03:45 PM by GDixon
Reformatted, installed, updated and reconfigured by hand.

Enabled all the ET rules, and yes, it is the rules that slow the GUI page loads, especially any that have live data like the dashboard or any that make significant changes, so it is NOT an OPNsense problem.

No errors currently, but a few things like the cron redirect do not work, no alerts show in the alerts admin GUI, and on reboot with IPS/IDS enabled some services take a long time to load/start, like dhcp6, ra (related to dhcp6 most likely), ntp and the gateways.

Some of this is obviously a hardware limit. I'm using an old Acer with an AMD Athlon core 2 at 2.5 GHz (4850e) with a 250 GB WD Blue 2.5" SATA HDD, no hyper-threading or AES-NI, and 4 GB of RAM. Load is OK, RAM usage 24 to 36% and temps 38 to 49, so OK. Mbufs at 1%. State table has not gone above 1% so far.
There is no noticeable slowdown in browsing web sites or on the LAN (2 NASes (nas4free/Xigma), 3 cell phones and 5 to 7 computers on the LAN) that I can tell; it mostly has to do with the OPNsense GUI being slow to load in some areas.

When the alerts are fixed I'll go through and fine-tune them and see what the threshold for this hardware might be, with number of rules and speed of the OPNsense GUI loading, and then move to another hardware setup in time.
Possibly a Dell R210 II, or maybe I'll try one of the HP T620 Plus thin clients.

For now it's just waiting for the next updates :)

EDIT: the 7 to 8 second refresh on the dashboard scrolls the dashboard back to the top, and that does get, ummm, inconvenient when you're trying to watch a graph or something below.

EDIT: I have these plugins enabled:

os-dyndns (installed) 1.10_1 134KiB Dynamic DNS Support
os-smart (installed) 1.5 15.2KiB SMART tools
os-upnp (installed) 1.2_3 31.2KiB Universal Plug and Play Service
os-vnstat (installed) 1.0 20.7KiB vnStat is a console-based network traffic monitor
os-wol (installed) 2.0 20.8KiB Wake on LAN Service


What's the difference for the devel plugins?

greg

This might be a silly question.

Should the WAN or LAN be used?

I ask because the daughter had a question that makes one think.

If you're monitoring the WAN, it would mean you're misconfigured and not blocking what needs to be blocked if you get alerts, so wouldn't it be better to monitor the LAN?

Well, I switched to the LAN and now we're seeing alerts, which means nothing has made it through the WAN to cause alerts.

Which is the best policy? Monitor the WAN? Monitor the LAN? Or choose both WAN and LAN to monitor?

Quote from: GDixon on December 03, 2018, 07:52:45 AM
...
Which is the best policy? Monitor the WAN? Monitor the LAN? Or choose both WAN and LAN to monitor?

Try it out! :-)
Enable both (LAN/WAN) and monitor it, then you see what's going on...

I've tried all 3 and am currently monitoring both WAN and LAN.

Lots of allows for LAN and very, very few for WAN, so I would guess monitoring both works.

No slowdowns detected, so I left it monitoring both WAN and LAN for now.

The only thing I noticed is that when watching the traffic graph, output for "in" is as usual, but for "out" it is a straight line at the middle of the graph (0) for IPsec, with dots for traffic.

Now to figure out what can be dropped that's not a false positive, and that will take a lot of research.
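The two practical questions in this thread, which interface the alerts came from and which recurring alerts are candidates for suppression rather than drop, can both be answered from Suricata's eve.json log rather than by scrolling the GUI. The following script is an added example and is not OPNsense or Suricata project code. It assumes Suricata's documented EVE JSON alert records (event_type "alert" carrying in_iface, src_ip, dest_ip and an alert{} object with gid, signature_id and signature); the interface-to-role map (em0 = WAN, em1 = LAN), the helper names, and every sample record, signature name and signature ID below are constructed for the example. The suppress lines it prints use Suricata's threshold.config "suppress gen_id ..., sig_id ..., track by_src, ip ..." syntax; they are meant to be reviewed by hand, not applied blindly.

```python
"""Triage Suricata eve.json alerts by capture interface (added example)."""
import ipaddress
import json

# Assumed mapping of capture interfaces to their role; adjust for your box.
IFACE_ROLE = {"em0": "WAN", "em1": "LAN"}

# RFC 1918 ranges checked explicitly: Python's ip_address().is_private also
# counts the documentation ranges (203.0.113.0/24 etc.) used in the samples.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True for private (RFC 1918) IPv4 addresses, False for anything else."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def _rec(iface, src, dst, dport, sid, sig, category, gid=1):
    """Build one constructed alert record in Suricata's eve.json shape."""
    return {
        "timestamp": "2018-12-03T08:01:12.000000+0100", "in_iface": iface,
        "event_type": "alert", "src_ip": src, "dest_ip": dst, "proto": "TCP",
        "dest_port": dport,
        "alert": {"action": "allowed", "gid": gid, "signature_id": sid, "rev": 1,
                  "signature": sig, "category": category, "severity": 2},
    }


# Constructed sample eve.json content (one JSON object per line, as Suricata
# writes it). Signature IDs and names are illustrative, not real ET rules.
SAMPLE_EVE = "\n".join(json.dumps(r) for r in [
    _rec("em0", "203.0.113.7", "198.51.100.2", 22, 2100001, "SAMPLE SCAN SSH probe", "Attempted Information Leak"),
    _rec("em0", "203.0.113.9", "198.51.100.2", 22, 2100001, "SAMPLE SCAN SSH probe", "Attempted Information Leak"),
    _rec("em0", "203.0.113.50", "198.51.100.2", 445, 2100002, "SAMPLE SCAN SMB probe", "Attempted Information Leak"),
    _rec("em1", "192.168.1.20", "93.184.216.34", 443, 2100003, "SAMPLE INFO NAS vendor update check", "Not Suspicious Traffic"),
    _rec("em1", "192.168.1.20", "93.184.216.34", 443, 2100003, "SAMPLE INFO NAS vendor update check", "Not Suspicious Traffic"),
    _rec("em1", "192.168.1.20", "93.184.216.34", 443, 2100003, "SAMPLE INFO NAS vendor update check", "Not Suspicious Traffic"),
    _rec("em1", "192.168.1.31", "93.184.216.34", 80, 2100004, "SAMPLE POLICY executable download", "Potential Corporate Privacy Violation"),
    # Suricata also writes non-alert events (flow, dns, ...) to eve.json; the parser must skip them.
    {"timestamp": "2018-12-03T08:01:13.000000+0100", "event_type": "flow",
     "in_iface": "em1", "src_ip": "192.168.1.20", "dest_ip": "192.168.1.1"},
])


def parse_eve(text):
    """Return only the alert records from eve.json text (one JSON object per line)."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            rec = json.loads(line)
            if rec.get("event_type") == "alert":
                alerts.append(rec)
    return alerts


def iface_role(rec):
    """Map the capture interface to WAN/LAN; unknown interfaces keep their name."""
    iface = rec.get("in_iface", "?")
    return IFACE_ROLE.get(iface, iface)


def summarize(alerts):
    """Count alerts per (interface role, signature id) with distinct sources.
    On the LAN side src_ip is the real internal client (pre-NAT); on the WAN
    side outbound traffic from internal hosts carries the post-NAT public address."""
    summary = {}
    for rec in alerts:
        a = rec["alert"]
        key = (iface_role(rec), a["signature_id"])
        entry = summary.setdefault(key, {"signature": a["signature"], "gid": a["gid"],
                                         "count": 0, "sources": set(), "internal": 0})
        entry["count"] += 1
        entry["sources"].add(rec["src_ip"])
        if is_rfc1918(rec["src_ip"]):
            entry["internal"] += 1
    return summary


def suppress_candidates(alerts, min_hits=3):
    """Suggest threshold.config suppress lines for LAN-side signatures that fired
    at least min_hits times and only ever from one internal host. Candidates to
    review (is it really a NAS update check?), not rules to apply unread."""
    lines = []
    for (role, sid), entry in sorted(summarize(alerts).items()):
        if role != "LAN" or entry["count"] < min_hits or len(entry["sources"]) != 1:
            continue
        src = next(iter(entry["sources"]))
        if is_rfc1918(src):
            lines.append(f"suppress gen_id {entry['gid']}, sig_id {sid}, track by_src, ip {src}")
    return lines


if __name__ == "__main__":
    alerts = parse_eve(SAMPLE_EVE)
    for (role, sid), e in sorted(summarize(alerts).items()):
        print(f"{role:3} sid {sid} x{e['count']:<3} {len(e['sources'])} src "
              f"({e['internal']} internal)  {e['signature']}")
    for line in suppress_candidates(alerts):
        print("candidate:", line)
```

Run it against the real file with `parse_eve(open("/var/log/suricata/eve.json").read())` (that path is an assumption; use whatever your OPNsense build logs to). The WAN-side entries show many distinct public sources and no internal ones, which is the scanning noise pf would drop anyway; the LAN-side entries name the actual internal host, which is what you need before deciding whether a signature is a false positive for that host or something to switch to drop.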