Topic: Memory usage grow during a constant traffic flow (Read 2966 times)
JasMan (Full Member, Posts: 175, Karma: 9)
Memory usage grow during a constant traffic flow
« on: November 22, 2020, 01:52:02 pm »
Hey,
I'm often watching TV shows that I've recorded in the past and saved on my NAS as an MPG-2 file.
The playing device is a Dreambox (Linux based) in a different VLAN. The Dreambox uses SMB2 to play the file. The connection uses about 5 Mbit/s.
After approx. 30 minutes of watching I get a warning from my OPNsense that the memory usage has reached 80% of 8 GB. The activity page shows that Suricata uses most of it. The memory usage continues to grow up to 97% as long as the episode plays. Then the SWAP usage starts to grow.
My OPNsense uses about 20% of the memory during normal operation.
I do not see any drops or alerts in the IDS/IPS logs regarding this connection. I can try to define an IP-to-IP exception in the user rules section to prevent it. But if it's a single rule which causes this behaviour, I would prefer to identify and disable this rule.
Is this a normal behaviour? If not, how should I go through to prevent this?
Current Suricata settings: Promiscuous & IPS modes are active. The pattern matcher is Hyperscan, and Suricata is only listening on the physical LAN interface. The home network subnets are entered.
Jas
EDIT: I'm not able to reproduce this issue by using iPerf3 to create a TCP connection with a constant bandwidth usage.
« Last Edit: November 22, 2020, 02:30:31 pm by JasMan »
Duck, Duck, Duck, Duck, Duck, Duck, Duck, Duck, Goose
djbmister (Newbie, Posts: 10, Karma: 0)
Re: Memory usage grow during a constant traffic flow
« Reply #1 on: November 26, 2020, 04:38:38 pm »
How many IDS rules do you have enabled?
If you have too many, then IDS will be checking regardless and consuming lots of memory to do this.
It's best to have a minimal list first, then grow as you understand the lists you need, and not enable all of them.
Also, why do you have it enabled on LAN? Usually it's best to enable on WAN and check incoming issues rather than tracking outbound. LAN clients can be very noisy, and unless you have specific reasons to check your LAN clients, best limit to rules that you want not parsing.
« Last Edit: November 26, 2020, 04:40:48 pm by djbmister »
JasMan (Full Member, Posts: 175, Karma: 9)
Re: Memory usage grow during a constant traffic flow
« Reply #2 on: November 28, 2020, 02:48:37 pm »
I've about 58.000 rules enabled. That's a lot, I know. But it seems that they're not harming any other services like Netflix, Deezer or other connections which are using a constant bandwidth over a longer time.
I've enabled IDS/IPS on the LAN interface because I'm having several VLANs and interfaces. Therefore I want to scan the traffic between them too.
My iPerf test ran for about two hours and there was no rising memory usage. So I guess it's a single rule which causes the issue during the SMB stream.
yeraycito (Sr. Member, Posts: 288, Karma: 18)
Re: Memory usage grow during a constant traffic flow
« Reply #3 on: November 28, 2020, 04:33:52 pm »
https://forum.opnsense.org/index.php?topic=13445.0
JasMan (Full Member, Posts: 175, Karma: 9)
Re: Memory usage grow during a constant traffic flow
« Reply #4 on: November 29, 2020, 02:55:44 pm »
Thank you for the How-To.
All values were already configured in the standard files as mentioned in your How-To.
I have only added the IP addresses of my hosts to the host-os-policy section, but that didn't help.