I’m using Suricata in IDS mode with Wazuh to block DDoS attacks. It’s working, but I noticed that the IP is blocked in iptables yet Suricata is using 100% of the CPU.
Even when blocked in iptables, does Suricata still process the packets? If so, is there any way to change this behavior?
Can you give us more details?
What version are you running in which mode?
I would assume you use the nfqueue setup, and thus you could use queue-bypass to ensure packets are still passed if the queue is full. But it would also be worth checking whether the CPU load could be mitigated. That would require more details.
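For the nfqueue case mentioned above, the two things that decide whether a blocked source still costs Suricata CPU are rule order in the INPUT chain (the DROP must come before the NFQUEUE jump) and the bypass/fail-open settings. The script below is an added example, not from this thread or from the Suricata or Wazuh projects; it assumes queue 0 and a dedicated block chain named WAZUH_BLOCK (both assumptions), and its audit helper reads `iptables -S INPUT` output so it can be run against a constructed sample.

```shell
#!/bin/sh
# Added example (assumptions: Suricata bound to NFQUEUE 0; active-response DROP rules
# live in a chain called WAZUH_BLOCK). Rule order matters: a packet that matches DROP
# before the NFQUEUE jump never reaches Suricata, so it costs no userspace CPU.
apply_rules() {
  iptables -N WAZUH_BLOCK 2>/dev/null || true
  iptables -I INPUT 1 -j WAZUH_BLOCK          # evaluate blocked sources first
  # --queue-bypass: behave like ACCEPT (instead of dropping) when nothing is bound to the queue
  iptables -A INPUT -j NFQUEUE --queue-num 0 --queue-bypass
  # Queue-full behaviour is set on the Suricata side in suricata.yaml:
  #   nfq:
  #     mode: accept
  #     fail-open: yes     # kernel accepts packets when the queue is full
}

# Constructed sample of `iptables -S INPUT` output in the desired order.
sample_rules() {
  printf '%s\n' \
    '-P INPUT ACCEPT' \
    '-A INPUT -j WAZUH_BLOCK' \
    '-A INPUT -j NFQUEUE --queue-num 0 --queue-bypass'
}

# Audit helper: reads `iptables -S INPUT` lines on stdin. Exit 0 when an NFQUEUE rule
# exists, carries --queue-bypass, and the WAZUH_BLOCK jump is evaluated before it.
audit_input_chain() {
  awk '
    /-j WAZUH_BLOCK/ && !block { block = NR }
    /-j NFQUEUE/ && !queue     { queue = NR; bypass = /--queue-bypass/ }
    END {
      if (!queue)                  { print "no NFQUEUE rule in INPUT"; exit 1 }
      if (!bypass)                 { print "NFQUEUE rule lacks --queue-bypass"; exit 2 }
      if (!block || block > queue) { print "WAZUH_BLOCK is not evaluated before NFQUEUE"; exit 3 }
      print "ok"
    }'
}

sample_rules | audit_input_chain
```

On a live host, replace `sample_rules` with `iptables -S INPUT` to audit the real chain.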
I have been trying to find out about the excessive use of CPU on Windows systems for some time.
There is a big difference in CPU usage between branches 5 and 6. With the same configuration and rules, Suricata 6 = almost 100% CPU, Suricata 5 = never exceeds 8 or 10%, and normal is 2%.
Out of curiosity, is it the same traffic as well? Same machines?
Yes, exactly. And on two different machines. On both I have installed branch 5 and it works very well. Both are Windows Server.