High CPU Usage Downloading

Started by Pocket_Sevens, November 07, 2019, 04:48:19 PM

November 07, 2019, 04:48:19 PM Last Edit: November 11, 2019, 03:27:40 PM by Pocket_Sevens
Good morning.  Let me edit this post with some additional detail and some questions.

I have Suricata set up to monitor the WAN and my VLANs only.  However, trying to download a large file (e.g. Apex Legends) causes the memory usage of Suricata to jump up to 75%.  However, it appears to be where a file is downloaded within the game launcher itself where Suricata jumps to 75%; not downloading from the EA site directly.

I noticed in the Activity monitor (System > Diagnostics > Activity) that Suricata was referencing the WAN in the command line; which makes sense because I'm only monitoring the WAN and my VLAN.

Settings:

IPS Mode: Checked
Promiscuous Mode: Checked
Pattern Matcher: Hyperscan
Interfaces: WAN; VLAN50

Download Rules: Some of the ET rules (botcc, compromised, drop, attack-response, exploit, malware, trojan, worm).

Just wondering: Is it possible to whitelist a site for Suricata to ignore? If I need to use an IP address, I'm assuming I could find the IP of the affected URL and add that to a user-defined pass list. Any guidance would be appreciated.
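One way to build the exemption the question above asks about, as an added example that is not part of the thread and not the OPNsense pass-list feature itself: it generates raw Suricata pass rules, and assumes Suricata 5.0 or later (tls.sni, dotprefix, endswith), a local rules file loaded from suricata.yaml, and that sids from 9000000 upward are unused. Matching on the TLS SNI avoids chasing the changing CDN addresses that an IP-only pass list would need; the IP form is kept for hosts that do not use TLS.

```python
# Added example (not from the thread): generate Suricata "pass" rules for trusted
# download sources so that large launcher downloads skip the remaining rule set.
# Assumptions: Suricata 5.0+ (tls.sni sticky buffer, dotprefix, endswith), a
# local rules file referenced in suricata.yaml, and sids 9000000+ being free.
import ipaddress
import re

# RFC 1123 style hostname check: labels of letters, digits and hyphens.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")


def ip_pass_rule(addr: str, sid: int) -> str:
    """Pass all traffic to or from an address or CIDR block (brittle for CDNs)."""
    net = ipaddress.ip_network(addr, strict=False)  # ValueError on garbage input
    return (f"pass ip {net.with_prefixlen} any <> any any "
            f'(msg:"LOCAL pass trusted download net {net.with_prefixlen}"; '
            f"sid:{sid}; rev:1;)")


def sni_pass_rule(hostname: str, sid: int) -> str:
    """Pass TLS flows whose SNI is the hostname or any sub-host of it."""
    h = hostname.strip().lower().rstrip(".")
    if not HOST_RE.match(h):
        raise ValueError(f"not a valid hostname: {hostname!r}")
    # dotprefix turns "cdn.example.net" into ".cdn.example.net", so matching
    # ".example.net" with endswith covers sub-hosts but not "evil-example.net".
    return (f"pass tls any any -> any any "
            f'(msg:"LOCAL pass trusted download host {h}"; flow:to_server; '
            f'tls.sni; dotprefix; content:".{h}"; endswith; nocase; '
            f"sid:{sid}; rev:1;)")


def build_pass_rules(entries, start_sid=9000000):
    """Map each entry to an IP or SNI pass rule with sequential, unique sids."""
    rules, seen = [], set()
    for n, entry in enumerate(entries):
        key = entry.strip().lower()
        if key in seen:
            raise ValueError(f"duplicate entry: {entry!r}")
        seen.add(key)
        try:
            ipaddress.ip_network(key, strict=False)
            rules.append(ip_pass_rule(key, start_sid + n))
        except ValueError:  # not an address, so treat it as a hostname
            rules.append(sni_pass_rule(key, start_sid + n))
    return rules


if __name__ == "__main__":
    # Constructed sample list: an RFC 5737 test network and an example hostname.
    for rule in build_pass_rules(["203.0.113.0/24", "cdn.downloads.example.net"]):
        print(rule)
```

Append the printed lines to the local rules file and reload Suricata; an entry that is neither an address nor a valid hostname raises ValueError instead of producing a silently broken rule.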

November 11, 2019, 09:53:13 PM #1 Last Edit: November 11, 2019, 09:56:35 PM by Pocket_Sevens
This is what I'm referring to...trying to download something in the Steam store makes Suricata use a lot of CPU on the WAN side:
   86290   root   90   0   1936M   220M   CPU0   0   2:23   59.67%   /usr/local/bin/suricata -D --netmap --pidfile /var/run/suricata.pid -c /usr/local/etc/suricata/suricata.yaml{W#01-msk0_vlan2}

Downloading Steam directly from their website didn't have Suricata use so much CPU.

Isn't it supposed to run internally and not on the WAN port?

I never get hits when it's activated on WAN, but from traffic on my LAN...