
Suricata/OPNsense Questions


Supermule:
There are both pros and cons of that.

If they could run on the same overall ruleset with individual boxes ticked then it would be awesome.

Otherwise it would have to run on 2 separate instances consuming double the resources depending on the ruleset boxes ticked.

Snort runs like that in pfsense and can consume quite a lot on the smaller systems with limited resources.

lucifercipher:

--- Quote from: franco on July 06, 2015, 12:30:31 pm ---Right now it complains of experimental support in libpcap using two interfaces in the same instance, but it runs. To enable intrusion prevention we need to migrate to ipfw or pf hooks, which takes care of that problem. If we have two instances, should they have completely separate configs?

--- End quote ---

Trust me on this. You don't want to run two different instances at the same time on moderate hardware. The preprocessors totally bog down the CPU. Besides, running on LAN side creates extra load on suricata daemon as devices on LAN always engage the preprocessors of IDS. The WAN is sufficient. Take an example, you have a LAN infection and your device is trying to communicate with Command & Control servers for Botnet, Malware, Adware, etc then outbound LAN connection also triggers an alert on the IDS.

True, ipfw is the way to go if IPS is under consideration. Or have like Barnyard + Snort with the current stable release for a total IPS solution.

Supermule:
Running on LAN will enable you to take the infected host offline quickly. Running on WAN you only see the traffic src and dest. IP which is the public one. Then you have to dig deeper to find the culprit.

Notice time here is of essence. The faster you find it, the better for everybody.

I run 2 instances of Snort on every single firewall that I have (46) to be precise for that exact reason.

They run as frontend and then I have a L7 able backend to sort traffic further based on rulesets and buzzwords before passed on to the servers.
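The two posts above describe the same event seen from two sensor positions: an infected LAN host beaconing outbound is alerted on either interface, but a WAN-side sensor only records the firewall's public address after NAT. This added example (not from the thread or from the Suricata/OPNsense projects) shows the "dig deeper" step: it reads constructed Suricata EVE alert lines and a constructed `pfctl -s state` snippet and recovers the internal host behind a WAN-side alert via the NAT mapping. The `pfctl` line layout, the interface names `em0`/`em1` and all addresses are assumptions for the demo.

```python
import json
import re

# Constructed EVE records: one alert from a WAN-side sensor (em0, post-NAT, src is the
# public address) and the same beacon seen by a LAN-side sensor (em1, real host).
EVE_LINES = [
    '{"event_type":"alert","in_iface":"em0","proto":"TCP","src_ip":"203.0.113.10",'
    '"src_port":53126,"dest_ip":"198.51.100.7","dest_port":443,'
    '"alert":{"signature":"CONSTRUCTED C2 beacon"}}',
    '{"event_type":"alert","in_iface":"em1","proto":"TCP","src_ip":"192.168.1.55",'
    '"src_port":49215,"dest_ip":"198.51.100.7","dest_port":443,'
    '"alert":{"signature":"CONSTRUCTED C2 beacon"}}',
]

# Constructed `pfctl -s state` output (assumed layout): the address in parentheses is
# the translated source pf substituted for the internal host; note the port changed.
PF_STATES = """\
all tcp 192.168.1.55:49215 (203.0.113.10:53126) -> 198.51.100.7:443  ESTABLISHED:ESTABLISHED
all udp 192.168.1.20:40012 (203.0.113.10:40012) -> 192.0.2.53:53  MULTIPLE:SINGLE
"""

STATE_RE = re.compile(
    r"^\S+\s+(?P<proto>\w+)\s+(?P<int_ip>[\d.]+):(?P<int_port>\d+)\s+"
    r"\((?P<pub_ip>[\d.]+):(?P<pub_port>\d+)\)\s+->\s+(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)"
)


def parse_nat_states(text):
    """Map (proto, public_ip, public_port) -> (internal_ip, internal_port)."""
    table = {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            key = (m["proto"].lower(), m["pub_ip"], int(m["pub_port"]))
            table[key] = (m["int_ip"], int(m["int_port"]))
    return table


def internal_source(alert, nat_table, wan_iface="em0"):
    """Return the LAN host behind an alert, or None if no NAT state matches."""
    if alert.get("in_iface") != wan_iface:
        return alert["src_ip"]  # LAN-side sensor already sees the real host
    key = (alert["proto"].lower(), alert["src_ip"], alert["src_port"])
    hit = nat_table.get(key)
    return hit[0] if hit else None


def attribute_alerts(eve_lines, pf_state_text, wan_iface="em0"):
    """Yield (sensor_iface, alert_src_ip, internal_host) for each alert record."""
    nat = parse_nat_states(pf_state_text)
    result = []
    for line in eve_lines:
        ev = json.loads(line)
        if ev.get("event_type") == "alert":
            result.append((ev["in_iface"], ev["src_ip"], internal_source(ev, nat, wan_iface)))
    return result
```

pf states expire once the flow closes, so the WAN-only approach only works if the state table is captured close to alert time; the LAN-side sensor needs no lookup at all.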

lucifercipher:

--- Quote from: Supermule on July 06, 2015, 06:07:17 pm ---Running on LAN will enable you to take the infected host offline quickly. Running on WAN you only see the traffic src and dest. IP which is the public one. Then you have to dig deeper to find the culprit.

Notice time here is of essence. The faster you find it, the better for everybody.

I run 2 instances of Snort on every single firewall that I have (46) to be precise for that exact reason.

They run as frontend and then I have a L7 able backend to sort traffic further based on rulesets and buzzwords before passed on to the servers.

--- End quote ---

You are absolutely right. I clearly mentioned "moderate hardware". I run 4 instances of IPS on every single appliance that I ship, but that's on carrier grade 12 core machines with 32G of minimum RAM.

Supermule:
I actually tested it quite a lot in the case with SYN flooding and the sweet spot for pfsense/opnsense is 4 cores on the same socket and 4GB memory.

It performs damn well on that exact combo and don't ask me why.

It's like when you move across sockets something fucks up pf and the whole route of packets, and the attached CPUs do a bad job spreading the load.
