Suricata on WAN int; very low CPU usage; is it really doing anything?

[VEbzuT6X]

I've noticed Suricata's CPU usage rarely exceeds 3% when set to monitor just the WAN interface.

If I configure it to monitor LAN, or both LAN and WAN, (depending on throughput) Suricata's CPU usage can get >100%, which I guess I should expect to see?

I'm running the latest version of opnsense on an APU2C4.

Currently Suricata's conf'd to run on both WAN and LAN; here's an ifconfig output:

igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=4400b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,TXCSUM_IPV6>

igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=5400b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,NETMAP,TXCSUM_IPV6>

Thanks in advance.

[mimugmail]

Suricata wont inspect anything since HOME_NET are private IPs which wont exist on WAN

[VEbzuT6X]

If i'm understanding you correctly you're saying setting Suricara to monitor the WAN interface is pointless?

If it doesn't inspect HOME_NET addresses, why am I seeing so much more CPU usage when Suricata's conf'd to inspect LAN instead of WAN?

[xinnan]

That's very odd. I've definitely noticed Suricata inspecting, alerting and warning on the WAN in the past.  And blocking also.

Usually, its getting far fewer alerts when ran on a LAN (My experience), since if the firewall is doing its job at the wan and dropping a ton of uninvited connections Suricata monitoring the lan would never even see the traffic. 

[mimugmail]

It depends what rules are enabled.

Check /usr/local/etc/suricata/suricata.yaml for HOME_NET. For me it's
"[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"

Then check your active rules in /usr/local/etc/suricata/opnsense.rules/

Let's check dshield.rules:

alert ip [94.102.49.0/24,191.101.167.0/24,77.72.82.0/24,5.188.86.0/24,5.188.203.0/24,77.72.85.0/24,185.70.184.0/24,80.82.77.0/24,141.212.122.0/24,5.188.10.0/24,185.129.148.0/24,205.209.159.0/24,196.52.43.0/24,181.214.87.0/24,71.6.146.0/24,125.212.217.0/24,45.55.19.0/24,38.142.98.0/24,104.236.191.0/24,5.101.40.0/24] any -> $HOME_NET any (msg:"ET DROP Dshield Block Listed Source group 1"; reference:url,feeds.dshield.org/block.txt; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DshieldIP; sid:2402000; rev:4598;)

Since the flow goes TO HOME_NET this rule will never match when you don't specify you WAN IP addresses to HOME_NET.

[franco]

Some people also have HOME_NET on both sides of WAN and LAN, which is when most rules will not alert or drop, because it's an impossible condition as per !HOME_NET to HOME_NET.


Cheers,
Franco