Intrusion Detection

Started by raid3868, December 15, 2021, 10:07:16 AM

Dear expert,

I have enabled the IDS/IPS. When I ssh to my OPNsense and run top, it shows suricata WCPU always consuming 14%-15%, without any traffic. Is this normal when IDS/IPS is enabled?

    PID USERNAME    THR PRI NICE   SIZE    RES STATE    C   TIME    WCPU COMMAND
63648 root                7  20    0       672M   311M nanslp   2   1:48  14.21% suricata


Host: Dell 740xd, 20 CPUs x Intel(R) Xeon(R) Silver 4210 CPU @ 2.20GHz, RAM 128 GB

OPNsense is a VM guest with 8 vCPUs and 16GB RAM.
Network interfaces:
10GB - internal with 2 VLANs
1GB - external (WAN)

OPNsense 21.7.6-amd64
FreeBSD 12.1-RELEASE-p21-HBSD
OpenSSL 1.1.1l 24 Aug 2021


IDS/IPS configuration
------------------------
IPS mode=enable
Promiscuous mode=enable
Pattern matcher=Hyperscan
Interfaces=LAN
Rulesets=ET telemetry
Policies= All ET telemetry rulesets = alert and drop

The log file shows:
2021-12-15T16:45:43   suricata[63648]   [100369] <Notice> -- all 2 packet processing threads, 4 management threads initialized, engine started.


Tks


Hi

Today I did a clean install.
The install ISO was downloaded from the OPNsense site: OPNsense-21.7.1-OpenSSL-dvd-amd64.iso.
After configuring everything necessary, I configured Intrusion Detection, downloaded all policies and configured them as before, started IDS, and checked with the top command at the console.

suricata WCPU = 0.13%-0.17% (something around this). Looks OK with this CPU usage.

Then I updated to the latest OPNsense 21.7.7-amd64 and rebooted.
Checked with the top command at the console:

suricata WCPU = 13%-15%. I think something is wrong with the latest update.


Anyone with this issue?

Please help, I am trying to put this into production to replace the current Cyberoam.

tks
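A quick way to compare suricata's idle CPU against a known-good baseline like the 0.13%-0.17% seen after the clean install, written as an added example for this thread (not code from the original posts). It assumes FreeBSD top batch-mode output in the column layout quoted above and an arbitrary 2% idle threshold:

```shell
# Constructed sample: the top output quoted in the first post of the thread,
# embedded here so the check can run offline.
SAMPLE_TOP='  PID USERNAME    THR PRI NICE   SIZE    RES STATE    C   TIME    WCPU COMMAND
63648 root                7  20    0       672M   311M nanslp   2   1:48  14.21% suricata'

# suricata_wcpu: read top output on stdin and print the WCPU value (without
# the % sign) of the suricata process; prints nothing if it is not listed.
suricata_wcpu() {
    awk '$NF == "suricata" { sub(/%$/, "", $(NF-1)); print $(NF-1); exit }'
}

# wcpu_over_baseline VALUE THRESHOLD: return 0 when VALUE > THRESHOLD.
# Both are decimal percentages; awk does the comparison because POSIX sh
# arithmetic is integer-only.
wcpu_over_baseline() {
    awk -v v="$1" -v t="$2" 'BEGIN { exit !(v + 0 > t + 0) }'
}

# check_idle_suricata [THRESHOLD]: read top output on stdin and report.
# Return codes: 0 = within baseline, 1 = above baseline, 2 = suricata absent.
# Threshold of 2.0% is an assumed idle budget, not a value from the thread.
check_idle_suricata() {
    threshold="${1:-2.0}"
    wcpu=$(suricata_wcpu)
    if [ -z "$wcpu" ]; then
        echo "suricata not present in top output"
        return 2
    fi
    if wcpu_over_baseline "$wcpu" "$threshold"; then
        echo "suricata idle WCPU ${wcpu}% exceeds baseline ${threshold}%"
        return 1
    fi
    echo "suricata idle WCPU ${wcpu}% within baseline ${threshold}%"
    return 0
}

# Live use on the firewall (assumption: FreeBSD top, one batch-mode display):
#   top -b -d 1 | check_idle_suricata 2.0
# Offline demonstration on the constructed sample (expected: exceeds baseline):
printf '%s\n' "$SAMPLE_TOP" | check_idle_suricata 2.0
```

Run it a few times while the box is otherwise idle; a value that stays well above the clean-install baseline is the signal worth reporting, a single sample is not.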



December 16, 2021, 09:52:38 AM #2 Last Edit: December 16, 2021, 10:18:36 AM by raid3868
Hi

I tried to revert to 21.7.3; the problem is still the same.
I used this command: opnsense-revert -r 21.7.3 opnsense

suricata WCPU = 13%-15%

No luck. Does someone know what is happening? Or is it like this whenever IDS/IPS is enabled?

Does anyone know if the business edition has this issue?

Does anyone know how to restore without restoring the IDS/IPS configuration? I would like to do a factory reset but do not want to restore the IDS/IPS configuration.


Tks

I found the issue. The way I fixed it isn't the right way, but suricata WCPU at idle is now 1.3%-1.5%.