<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
</head><body><p>Hi Chris<br></p><p>May be you should liaise with the third party to see if there is a nice GUI based option to make all the changes you want to the yaml file?<br></p><p>Amar<br></p><blockquote type="cite">On April 10, 2016 at 11:35 AM Chris Boley <ilgtech75@gmail.com> wrote:<br><br><div dir="ltr"><div><div>Greetings to the oisf group. Apologies in advance. This is long winded..<br>I have been reading great info from this list for quite some time. <br>Thanks for that most importanly!<br><br> I'm tuning an IPS that is monitoring an 8021q link. <br>The link exists between a cisco catalyst 3750G and a cisco c2821 with subinterfaces.<br>The cisco router operates in 'router on a stick' architecture with HSRP between the vlan interfaces<br>on the switch and the dot1q subinterfaces on the router for redundancy.<br><br>I've read lots of Eric Leblond's blog info and Peter Manev's blogs. There's stuff in my<br>config's/ideas from their blogs. The overall config package is actually from a <br>3rd party but performance is not what I need it to be so far. I'm very 'hands on' and<br>want to effect as much positive change to the performance of the system as possible.<br><br>My objective is to ignore intra site traffic completely while scanning all traffic between the wan<br>and the local LAN. I'm using a somewhat underpowered server out of necessity.<br><br> It's an 4 core atom running 2.4 ghz cores and 8Gb of RAM. It has 4 intel nics's running igb driver.<br>{Ram can be upgraded if you guys recommend. No problem!} I'm planning to upgrade to an 8 core atom.<br>Software platform is Ubuntu.. <br><br>First, I tried to divert LAN2LAN traffic around suricata completely since I don't want to scan intra lan traffic.<br>My experience using IPTABLES is quite limited so I muttled through that. <br>I cobbled what you see below together for chains that would pass the proper traffic and move the other traffic<br> to the scanning engine.This seems to work but I'm not even sure if I did the rules in the most efficient / correct way?<br><br>Second, I tried to add in -q 0 -q 1 -q 2 -q 3 to the startup command. <br>Also adding --queue-balance 0:3 to the nfqueue iptables command.<br>Is that buying me any performance?<br><br>Other than rule tuning I'm still looking for ways to tune the IPS that will speed things up.<br>I find that it's working but things are only being processed at a maximum of 4 megabit<br>on a 40 megabit internet connection. I'm sure that Out of Order packet reassembly is a big<br>player in this area and I'm curious to know how to optimize that. <br><br>It seems as if I am going to have to add more RAM for stream reassembly and change values for key values.<br>I'm trying to tune the config to facilitate the scanning speeds of at least 37-40 Megabit..<br> I had to assume that the 3rd party setup is fairly "vanilla". Especially seeing it only handle 4 megabit inline.<br><br>I read some good documentation here from Peter:<br><a href="http://pevma.blogspot.com/2014/08/suricata-flows-flow-managers-and-effect.html">http://pevma.blogspot.com/2014/08/suricata-flows-flow-managers-and-effect.html</a><br><br>I'm not exactly sure how I can apply those ideas to my link and hardware package.<br>I'm looking for words of wisdom there.<br><br>Can anyone recommend a place or URL I can find that would help me <br>understand the key values to insert into my startup command?<br>I plan to use --set commands on the startup script. It's easy to backup upon upgrade.<br></div>I'm trying hard to avoid modifying the 3rd party suricata.yaml. <br>I'm assuming it'll break if we upgrade the appliance via their canned script. <br></div><br>I'm sure I need to manipulate my memcaps, and reassembly values.<br><div><div>Also, I don't understand threading really well and how it relates to the -q 0 -q 1 -q 2 -q 3<br>settings on the suricata start command. I'll shut up now and ask for suggestions.<br>You'll find most of the pertinent settings listed below and some of my ideas.<br>Any questions, suggestions and feedback are welcome!<br>Thank you!<br><br>3rd party "suricata --dump-config" *This is what's currently in there.<br><br>default-log-dir = /var/log/suricata/<br>outputs = (null)<br>outputs.0 = unified2-alert<br>outputs.0.unified2-alert = (null)<br>outputs.0.unified2-alert.enabled = yes<br>outputs.0.unified2-alert.filename = unified2.alert<br>outputs.1 = file-store<br>outputs.1.file-store = (null)<br>outputs.1.file-store.enabled = yes<br>outputs.1.file-store.log-dir = /root/filestore<br>outputs.1.file-store.force-magic = no<br>outputs.1.file-store.force-md5 = no<br>detect-engine = (null)<br>detect-engine.0 = profile<br>detect-engine.0.profile = medium<br>detect-engine.1 = rule-reload<br>detect-engine.1.rule-reload = true<br>detect-engine.2 = delayed-detect<br>detect-engine.2.delayed-detect = yes<br>vlan = (null)<br>vlan.use-for-tracking = true<br>app-layer = (null)<br>app-layer.protocols = (null)<br>app-layer.protocols.tls = (null)<br>app-layer.protocols.tls.enabled = yes<br>app-layer.protocols.tls.detection-ports = (null)<br>app-layer.protocols.tls.detection-ports.dp = 443<br>app-layer.protocols.dcerpc = (null)<br>app-layer.protocols.dcerpc.enabled = yes<br>app-layer.protocols.ftp = (null)<br>app-layer.protocols.ftp.enabled = yes<br>app-layer.protocols.ssh = (null)<br>app-layer.protocols.ssh.enabled = yes<br>app-layer.protocols.smtp = (null)<br>app-layer.protocols.smtp.enabled = yes<br>app-layer.protocols.imap = (null)<br>app-layer.protocols.imap.enabled = detection-only<br>app-layer.protocols.msn = (null)<br>app-layer.protocols.msn.enabled = detection-only<br>app-layer.protocols.smb = (null)<br>app-layer.protocols.smb.enabled = yes<br>app-layer.protocols.smb.detection-ports = (null)<br>app-layer.protocols.smb.detection-ports.dp = 139<br>app-layer.protocols.dns = (null)<br>app-layer.protocols.dns.tcp = (null)<br>app-layer.protocols.dns.tcp.enabled = yes<br>app-layer.protocols.dns.tcp.detection-ports = (null)<br>app-layer.protocols.dns.tcp.detection-ports.dp = 53<br>app-layer.protocols.dns.udp = (null)<br>app-layer.protocols.dns.udp.enabled = yes<br>app-layer.protocols.dns.udp.detection-ports = (null)<br>app-layer.protocols.dns.udp.detection-ports.dp = 53<br>app-layer.protocols.http = (null)<br>app-layer.protocols.http.enabled = yes<br>magic-file = /usr/share/file/magic<br>nfq = (null)<br>nfq.mode = repeat<br>nfq.repeat-mark = 1<br>nfq.repeat-mask = 1<br>threading = (null)<br>threading.detect-thread-ratio = 1<br>logging = (null)<br>logging.default-log-level = info<br>logging.default-output-filter =<br>logging.outputs = (null)<br>logging.outputs.0 = console<br>logging.outputs.0.console = (null)<br>logging.outputs.0.console.enabled = yes<br>logging.outputs.1 = file<br>logging.outputs.1.file = (null)<br>logging.outputs.1.file.enabled = yes<br>logging.outputs.1.file.filename = /var/log/suricata.log<br>default-rule-path = /var/lib/cs-apd<br>rule-files = (null)<br>rule-files.0 = suricata.rules<br>classification-file = /var/lib/cs-apd/classification.config<br>reference-config-file = /var/lib/cs-apd/reference.config<br>vars = (null)<br>vars.address-groups = (null)<br>vars.address-groups.HOME_NET = <a href="http://10.250.104.0/24,10.250.105.0/24,10.0.104.0/27">10.250.104.0/24,10.250.105.0/24,10.0.104.0/27</a><br>vars.address-groups.ENIP_SERVER = $HOME_NET<br>vars.address-groups.MODBUS_CLIENT = $HOME_NET<br>vars.address-groups.TELNET_SERVERS = $HOME_NET<br>vars.address-groups.MODBUS_SERVER = $HOME_NET<br>vars.address-groups.DNP3_CLIENT = $HOME_NET<br>vars.address-groups.FTP_SERVERS = $HOME_NET<br>vars.address-groups.DNS_SERVERS = $HOME_NET<br>vars.address-groups.SNMP_SERVERS = $HOME_NET<br>vars.address-groups.SQL_SERVERS = $HOME_NET<br>vars.address-groups.ENIP_CLIENT = $HOME_NET<br>vars.address-groups.HTTP_SERVERS = $HOME_NET<br>vars.address-groups.SMTP_SERVERS = $HOME_NET<br>vars.address-groups.EXTERNAL_NET = any<br>vars.address-groups.DNP3_SERVER = $HOME_NET<br>vars.port-groups = (null)<br>vars.port-groups.ORACLE_PORTS = 1521<br>vars.port-groups.SHELLCODE_PORTS = !80<br>vars.port-groups.DNP3_PORTS = 20000<br>vars.port-groups.HTTP_PORTS = [80,8080]<br>vars.port-groups.SSH_PORTS = 22<br>vars.port-groups.FTP_PORTS = 21<br>action-order = (null)<br>action-order.0 = pass<br>action-order.1 = drop<br>action-order.2 = reject<br>action-order.3 = alert<br>--------------------------------------------------------------------------------------------------------------------------------------------<br>Interfaces<br>-----------------------------------------------------------------------------------------------------------------------------------------<br></div><div>** Note I also have interface tuning scripts that run on the bridge interface to disable the IF offloading.<br></div><div><br>auto lo<br>iface lo inet loopback<br><br>auto eth0<br>iface eth0 inet static<br> address x.x.x.x<br> netmask x.x.x.x<br> gateway x.x.x.x<br> dns-nameservers x.x.x.x x.x.x.x<br> dns-search x<br><br>auto eth2<br>iface eth2 inet manual<br> pre-up modprobe 8021q<br> post-up ifconfig $IFACE up<br> pre-down ifconfig $IFACE down<br><br>auto eth3<br>iface eth3 inet manual<br> post-up ifconfig $IFACE up<br> pre-down ifconfig $IFACE down<br><br>auto br0<br> iface br0 inet static<br> address 0.0.0.0<br> netmask 255.255.255.255<br> bridge_ports eth2 eth3<br> bridge_stp on<br> up /sbin/ifconfig $IFACE up || /sbin/true<br> post-up ifconfig eth2 mtu 1500<br> post-up ifconfig eth3 mtu 1500<br> post-up ethtool -s eth2 autoneg off speed 1000 duplex full<br> post-up ethtool -s eth3 autoneg off speed 1000 duplex full<br> <br><br>--------------------------------------------------------------------------------------------------------------------------<br>iptables/netfilter Suggestions here would be great if I'm botching something up.<br>--------------------------------------------------------------------------------------------------------------------------<br>iptables -I FORWARD -s <a href="http://10.250.104.0/24">10.250.104.0/24</a> ! -d <a href="http://10.250.104.0/24">10.250.104.0/24</a> -j NFQUEUE --queue-balance 0:3<br>iptables -A FORWARD -m physdev --physdev-in eth2 -j ACCEPT<br>iptables -A FORWARD -m physdev --physdev-in eth3 -j ACCEPT<br><br>iptables -I INPUT -i lo -j ACCEPT<br>iptables -I INPUT -i eth0 -j ACCEPT<br>iptables -I INPUT ! -s <a href="http://10.250.104.0/24">10.250.104.0/24</a> -j NFQUEUE --queue-balance 0:3<br><br>iptables -A OUTPUT -m physdev --physdev-in eth2 -j ACCEPT<br>iptables -A OUTPUT -m physdev --physdev-in eth3 -j ACCEPT<br>iptables -A OUTPUT -o lo -j ACCEPT<br>iptables -A OUTPUT -o eth0 -j ACCEPT<br>------------------------------------------------------------------------------------------------------------------------------------------------------------<br>current startup:<br>suricata -q 0 -q 1 -q 2 -q 3 -c /etc/suricata/suricata.yaml -D -v <br>------------------------------------------------------------------------------------------------------------------------------------------------------------<br>Here are some things I was considering changing: <br><br>Possible changes that would buy me more filter speed by designating specific traffic to scan.<br>*Add in berkeley packet filtering.<br><br>bpf_file would contain:<br><br>)<br>(ip and port 20 or 21 or 22 or 25 or 110 or 161 or 443 or 445 or 587 or 53)<br>or ( ip and tcp dst port 80 or (ip and tcp src port 80 and<br>(tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 or<br>tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450))))<br>or<br>((vlan and port 20 or 21 or 22 or 25 or 110 or 161 or 443 or 445 or 587 or 53)<br>or ( vlan and tcp dst port 80 or (vlan and tcp src port 80 and<br>(tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 or<br>tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450)))<br>)<br>-----------------------------------------------------------------------------------------------------------------------------------------------------------------<br>Considering starting suricata like this:<br>suricata -q 0 -q 1 -q 2 -q 3 -c /etc/suricata/suricata.yaml --af-packet=br0 -D -v -F /home/ipsadmin/netfilt/bpf_file<br><br>Thanks again,<br>Any key values I can tune or finding a place to learn more about tuning them would be most appreciated!!<br><br>Chris<br><br></div></div></div>_______________________________________________<br>Suricata IDS Users mailing list: oisf-users@openinfosecfoundation.org<br>Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/<br>List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users<br>Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net</blockquote><p><br> </p><div class="io-ox-signature"><p>Kind regards<br></p><p>Amar Rathore</p><p>CounterSnipe Systems LLC <br>Tel: +1 617 701 7213 <br>Mobile: +44 (0) 7876 233333 <br>Skype ID: amarrathore <br>Web: www.countersnipe.com <http://www.countersnipe.com/> <br><br></p><p><span style="font-size: 8pt;">This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.</span></p><p><span style="font-size: 8pt;">E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions.</span> <br></p></div></body></html>