Topic: HOWTO - Advanced Settings Suricata (Read 18225 times)
yeraycito
Sr. Member
Posts: 288
Karma: 17
HOWTO - Advanced Settings Suricata
« on: July 10, 2019, 05:06:53 pm »
1 - Services: Intrusion Detection: Administration - Advanced Mode:
Detect Profile: Custom
ToClient: 100
ToServer: 100
2 - Stop Suricata at Opnsense
Access by ssh (WinSCP for Windows: https://winscp.net/eng/download.php )
Open WinSCP:
Enter IP access opnsense
Enter login/password opnsense
Search routes:
/usr/local/etc/suricata/suricata.yaml
and
/usr/local/opnsense/service/templates/opnsense/ids/suricata.yaml
Tuning Suricata ( IPS MODE ACTIVE ):
EDIT THE SAME PARAMETERS in the 2 files suricata.yaml
Search in suricata.yaml:
#max-pending-packets: 1024

# Defrag settings:
defrag:
  memcap: 32mb

flow:
  memcap: 128mb

Stream engine settings:
stream:
  memcap: 32mb
  reassembly:
    memcap: 64mb

stream:
  memcap: 64mb
  reassembly:
    memcap: 256mb

host:
  memcap: 32mb
I repeat: the same parameters must be edited in the 2 suricata.yaml files mentioned at the beginning.
Save changes
Start Suricata
Adjustments tested in mini-pc:
Suricata active IPS Mode in WAN
Pattern matcher: Hyperscan
Promiscuous mode: Disabled
Rules: ET PRO TELEMETRY ( all rules active-drop )
Intel(R) Celeron(R) CPU J3160 @ 1.60GHz (4 cores)
Memory: 8 GB
OPNSENSE 20.7.5
Memory consumption opnsense with modified settings suricata: 20%
Internet connection: 50 MB
Optional: Advanced security options
In Suricata.yaml:
# Enable defrag per host settings
# host-config:
#
#  - dmz:
#     timeout: 30
#     address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"]
#
#  - lan:
#     timeout: 45
#     address:
#       - 192.168.0.0/24
#       - 192.168.10.0/24
#       - 172.16.14.0/24
#       - Put here the range of local ip addresses of your system (Example: 192.168.50.1/24)

host-os-policy:
  # Make the default policy windows.
  windows: [0.0.0.0/0]
  bsd: []
  bsd-right: []
  old-linux: []
  linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
  old-solaris: []
  solaris: ["::1"]
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []
Put here your local ips depending on the operating system. Examples:
Windows computer: windows: [0.0.0.0/0, 192.168.50.16]
Nas ( Linux ): linux: [10.0.0.0/8, 192.168.50.18, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
VERY IMPORTANT: We have to make a copy of the 2 suricata.yaml files, because every time we update opnsense the configuration is lost. When we update opnsense we have to edit the 2 suricata.yaml files again (or copy the 2 suricata.yaml files edited and saved before over the suricata.yaml files that exist).
« Last Edit: November 29, 2020, 05:11:34 pm by yeraycito »
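The post insists that the tuned keys carry the same values in both suricata.yaml files and that they are lost on an OPNsense update. As an added example (not code from the post, from OPNsense or from Suricata), the script below parses the mapping subset of suricata.yaml with a small parser of its own (no PyYAML needed), reports tuned keys that are missing, commented out or set to another value, and lists drift between the two copies. The TUNING table carries the values from the later Suricata 6 post; the dotted key paths, the function names and the two sample YAML documents are constructed here and are not real files.

```python
"""Added example: verify the Suricata tuning in both suricata.yaml copies.

Sample YAML below is constructed; paths, key names and function names are ours.
"""
import re
from typing import Any


def parse_yaml_subset(text: str) -> dict:
    """Parse the mapping subset of suricata.yaml (nested 'key:' / 'key: value' lines).

    Comments, '%YAML', '---' and '- item' list entries are skipped, so a commented-out
    key such as '#max-pending-packets: 1024' is reported as absent, which is what we want.
    """
    root: dict = {}
    stack: list[tuple[int, dict]] = [(-1, root)]  # (indent, mapping) open at each depth
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith(("#", "%", "---", "- ")):
            continue
        line = re.sub(r"\s+#.*$", "", raw.rstrip())  # drop a trailing comment
        indent = len(line) - len(line.lstrip())
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue
        while stack[-1][0] >= indent:  # leave mappings this line is not nested in
            stack.pop()
        parent = stack[-1][1]
        value = value.strip()
        if value == "":  # 'key:' opens a nested mapping
            child: dict = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def get_path(cfg: dict, path: str) -> Any:
    """Look up a dotted path such as 'stream.reassembly.memcap'; None if absent."""
    node: Any = cfg
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


# Values the post sets for Suricata 6 / OPNsense 21.7.3 (dotted paths are our notation).
TUNING = {
    "max-pending-packets": "10000",
    "stream.memcap": "64mb",
    "stream.reassembly.memcap": "256mb",
}


def check_tuning(yaml_text: str, expected: dict = TUNING) -> list[str]:
    """Return one message per tuned key that is missing or carries a different value."""
    cfg = parse_yaml_subset(yaml_text)
    problems = []
    for path, want in expected.items():
        got = get_path(cfg, path)
        if got is None:
            problems.append(f"{path}: missing or commented out (want {want})")
        elif got != want:
            problems.append(f"{path}: is {got}, want {want}")
    return problems


def compare_files(yaml_a: str, yaml_b: str, paths=tuple(TUNING)) -> dict:
    """Return {path: (value_in_a, value_in_b)} for every tuned key whose values differ."""
    a, b = parse_yaml_subset(yaml_a), parse_yaml_subset(yaml_b)
    return {p: (get_path(a, p), get_path(b, p)) for p in paths
            if get_path(a, p) != get_path(b, p)}


# Constructed sample: the runtime file carries the tuning ...
RUNTIME_YAML = """\
%YAML 1.1
---
max-pending-packets: 10000
defrag:
  memcap: 32mb
stream:
  memcap: 64mb
  checksum-validation: yes      # reject wrong csums
  reassembly:
    memcap: 256mb
    depth: 1mb
host-os-policy:
  windows: [0.0.0.0/0, 192.168.50.16]
  linux: [10.0.0.0/8, 192.168.50.18]
"""

# ... while the template still has stock values, as an update would leave it.
TEMPLATE_YAML = """\
%YAML 1.1
---
#max-pending-packets: 1024
defrag:
  memcap: 32mb
stream:
  memcap: 32mb
  reassembly:
    memcap: 64mb
"""

if __name__ == "__main__":
    for name, text in (("runtime", RUNTIME_YAML), ("template", TEMPLATE_YAML)):
        print(name, check_tuning(text) or "OK")
    print("drift between the two files:", compare_files(RUNTIME_YAML, TEMPLATE_YAML))
```

On the firewall the two strings would be replaced by `open(path).read()` of the two paths the post names; running the check after every OPNsense update shows immediately whether the settings survived.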
hbc
Hero Member
Posts: 501
Karma: 47
Re: HOWTO - Advanced Settings Suricata
« Reply #1 on: July 10, 2019, 10:23:30 pm »
In this context 0.0.0.0/0 means any ip? But that matches also the RFC 1918 addresses from Linux.
Would this mean you have to use different subnets per os and specify them in os-policy?
« Last Edit: July 10, 2019, 10:32:49 pm by hbc »
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR
yeraycito
Sr. Member
Posts: 288
Karma: 17
Re: HOWTO - Advanced Settings Suricata
« Reply #2 on: July 11, 2019, 10:19:45 am »
> In this context 0.0.0.0/0 means any ip? But that matches also the RFC 1918 addresses from Linux.

0.0.0.0/0 is by default in the original suricata.yaml. I have left it as it is, adding the ip of my windows computer.

> Would this mean you have to use different subnets per os and specify them in os-policy?

Yes. Suricata rules act in one way or another depending on the operating system (official Suricata documentation).
Put here the local ip of your equipment in the corresponding boxes of operating systems.
Example:
windows: [0.0.0.0/0, 192.168.50.16]
192.168.50.16 is the local ip of my windows computer.
linux: [10.0.0.0/8, 192.168.50.18]
192.168.50.18 is the local ip of my linux NAS.
« Last Edit: July 11, 2019, 10:33:50 am by yeraycito »
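The reply above keeps windows: [0.0.0.0/0] as the default and adds specific hosts under other operating systems. The added example below (not from the post, from OPNsense or from Suricata) shows how such overlapping entries resolve if, as I understand Suricata does, the most specific prefix wins: 0.0.0.0/0 then acts only as a fallback for addresses listed nowhere else, and the Linux NAS at 192.168.50.18 still gets the linux policy. It also flags the same prefix listed under two operating systems, which no precedence rule can resolve. The HOST_OS_POLICY dict reuses the post's addresses; the function names and the conflicting sample policy are ours.

```python
"""Added example: resolve overlapping host-os-policy entries by longest prefix.

Assumes Suricata picks the most specific matching prefix (our understanding, not
stated in the post). Addresses come from the post; names and structure are ours.
"""
import ipaddress
from ipaddress import IPv4Network, IPv6Network
from typing import Optional, Union

Network = Union[IPv4Network, IPv6Network]

# Constructed from the host-os-policy examples in the post.
HOST_OS_POLICY = {
    "windows": ["0.0.0.0/0", "192.168.50.16"],
    "linux": ["10.0.0.0/8", "192.168.50.18", "192.168.1.100",
              "8762:2352:6241:7245:E000:0000:0000:0000"],
    "solaris": ["::1"],
}


def compile_policy(policy: dict) -> list[tuple[Network, str]]:
    """Turn the YAML-style mapping into (network, os) pairs; bare IPs become /32 or /128."""
    return [(ipaddress.ip_network(addr, strict=False), os_name)
            for os_name, addrs in policy.items() for addr in addrs]


def resolve_os(entries: list[tuple[Network, str]], ip_str: str) -> Optional[str]:
    """Return the OS whose most specific prefix contains ip_str, or None if none matches."""
    ip = ipaddress.ip_address(ip_str)
    best = None
    for net, os_name in entries:
        if net.version == ip.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, os_name)
    return best[1] if best else None


def find_conflicts(entries: list[tuple[Network, str]]) -> list[tuple[str, str, str]]:
    """Report a prefix listed under two different OS names: (prefix, first_os, second_os).

    Longest-prefix matching cannot break such a tie, so the policy itself must be fixed.
    """
    seen: dict = {}
    conflicts = []
    for net, os_name in entries:
        if net in seen and seen[net] != os_name:
            conflicts.append((str(net), seen[net], os_name))
        seen.setdefault(net, os_name)
    return conflicts


if __name__ == "__main__":
    entries = compile_policy(HOST_OS_POLICY)
    for ip in ("192.168.50.16", "192.168.50.18", "192.168.50.99",
               "10.4.5.6", "::1", "2001:db8::1"):
        print(f"{ip:>16} -> {resolve_os(entries, ip)}")
    print("conflicts:", find_conflicts(entries))
```

Note the IPv6 side: 0.0.0.0/0 covers only IPv4, so an IPv6 host that is not listed gets no policy at all (the example returns None for it), which is worth remembering if the LAN also runs IPv6.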
yeraycito
Sr. Member
Posts: 288
Karma: 17
Re: HOWTO - Advanced Settings Suricata
« Reply #3 on: August 14, 2019, 03:01:21 pm »
Important: We have to make a copy of the 2 suricata.yaml files, because every time we update opnsense the settings are lost and you have to put them back. If suricata is updated you will have to set the settings manually again, because surely the suricata.yaml files will be different.
yeraycito
Sr. Member
Posts: 288
Karma: 17
Re: HOWTO - Advanced Settings Suricata
« Reply #4 on: January 31, 2020, 05:51:08 pm »
Updated configuration parameters
yeraycito
Sr. Member
Posts: 288
Karma: 17
Re: HOWTO - Advanced Settings Suricata
« Reply #5 on: November 28, 2020, 05:07:43 pm »
Updated configuration.
l0rdraiden
Jr. Member
Posts: 59
Karma: 4
Re: HOWTO - Advanced Settings Suricata
« Reply #6 on: November 28, 2020, 07:45:20 pm »
The configuration parameters could be brought to the web ui.
yeraycito
Sr. Member
Posts: 288
Karma: 17
Re: HOWTO - Advanced Settings Suricata
« Reply #7 on: September 23, 2021, 03:23:34 pm »
Suricata 6 - Opnsense 21.7.3:
1 - Services: Intrusion Detection: Administration - Advanced Mode:
Detect Profile: High
2 - Stop Suricata at Opnsense
Access by ssh (WinSCP for Windows: https://winscp.net/eng/download.php )
Open WinSCP:
Enter IP access opnsense
Enter login/password opnsense
Search routes:
/usr/local/etc/suricata/suricata.yaml
and
/usr/local/opnsense/service/templates/opnsense/ids/suricata.yaml
Tuning Suricata ( IPS MODE ACTIVE ):
EDIT THE SAME PARAMETERS in the 2 files suricata.yaml
Search in suricata.yaml:
max-pending-packets: 10000 ( remove # )

stream:
  memcap: 64mb
  reassembly:
    memcap: 256mb

I repeat: the same parameters must be edited in the 2 suricata.yaml files mentioned at the beginning.
Save changes
Start Suricata
Adjustments tested in mini-pc:
Suricata active IPS Mode in WAN
Pattern matcher: Hyperscan
Promiscuous mode: Disabled
Rules: ET PRO TELEMETRY ( all rules active-drop )
Intel(R) Celeron(R) CPU J3160 @ 1.60GHz (4 cores)
Memory: 8 GB
OPNSENSE 21.7.3
Memory consumption opnsense with modified settings suricata: 2 GB
Internet connection: 300 MB
Optional: Advanced security options
In Suricata.yaml:
# Enable defrag per host settings
# host-config:
#
#  - dmz:
#     timeout: 30
#     address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"]
#
#  - lan:
#     timeout: 45
#     address:
#       - 192.168.0.0/24
#       - 192.168.10.0/24
#       - 172.16.14.0/24
#       - Put here the range of local ip addresses of your system (Example: 192.168.50.1/24)

host-os-policy:
  # Make the default policy windows.
  windows: [0.0.0.0/0]
  bsd: []
  bsd-right: []
  old-linux: []
  linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
  old-solaris: []
  solaris: ["::1"]
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []

Put here your local ips depending on the operating system. Examples:
Windows computer: windows: [0.0.0.0/0, 192.168.50.16]
Nas ( Linux ): linux: [10.0.0.0/8, 192.168.50.18, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
VERY IMPORTANT: We have to make a copy of the 2 suricata.yaml files, because every time we update opnsense the configuration is lost. When we update opnsense we have to edit the 2 suricata.yaml files again (or copy the 2 suricata.yaml files edited and saved before over the suricata.yaml files that exist).
« Last Edit: September 29, 2021, 06:56:14 pm by yeraycito »
rungekutta
Full Member
Posts: 139
Karma: 11
Re: HOWTO - Advanced Settings Suricata
« Reply #8 on: September 29, 2021, 08:10:08 am »
What is the difference in performance and/or other behavior before and after? Do you really need to tune Suricata on a 100Mbit connection?
yeraycito
Sr. Member
Posts: 288
Karma: 17
Re: HOWTO - Advanced Settings Suricata
« Reply #9 on: September 29, 2021, 06:58:57 pm »
I forgot to change the parameter. I have 300 MB. I have already changed it. The settings are still valid for 1 GB connections. And the performance is noticeable.
rungekutta
Full Member
Posts: 139
Karma: 11
Re: HOWTO - Advanced Settings Suricata
« Reply #10 on: September 30, 2021, 09:34:47 pm »
Thanks. I'm interested in tuning Suricata as it's already using a fair bit of CPU on 1Gb WAN, and as I will be getting 10Gb soon I foresee it becoming a bottleneck pretty quickly.
On initial setup and when I switched to Hyperscan I noticed a big difference. Anything else has been very marginal at best, so before starting to hack configuration files I'm interested in more quantifiable data on actual expected gains. Have you made any such comparisons...?
yeraycito
Sr. Member
Posts: 288
Karma: 17
Re: HOWTO - Advanced Settings Suricata
« Reply #11 on: October 02, 2021, 05:56:44 pm »
If you have looked at the last configuration settings I have posted, you will see that they are almost the original ones. Among the few that I have touched is max-pending-packets. I have activated this parameter and configured it according to the official Suricata information. It increases the performance in case there are many active connections. The rest of the parameters are related to a better performance of Suricata by specifying the local ips and their operating systems.