Suricata uses entire VPS CPU directly after installation

Hello,
I have a small VPS (2C / 2GB) that acts mainly as a WireGuard hub-and-spoke. Since it also routes a lot of traffic to the Internet, I thought I’d install an IPS / IDS on it.
After installing suricata via apt install suricata I found out that Suricata is using my VPS at 100% capacity. There are no rules loaded and the config file has not been changed, so my question is how can this be?
The VPS is based on KVM. The htop section shows that the CPU is not heavily loaded, but on the control page of my VPS I see that the CPU is at its limit.
Suricata-Version: 6.0.0.1
Thanks :slight_smile:

First of all, you should update to a more recent version of the 6.0.x tree. Which distribution and repo are you using in that case?
You could also run top to check if htop might be wrong. Also post the stats.log and suricata.log, since without the config being properly done there won’t be much to do for Suricata.

First of all thank you for looking at my problem. :slight_smile:

I have now reinstalled Suricata 6.0.0.5 from the Debian (11) backports repo, and it seems to have fixed the problem.
My VPS manages up to 800 million OP/s, Suricata still takes 100 MOP/S though, which still seems a lot to me. Normally it is around 20 MOP/S.

This is the output of: cat /var/log/suricata.log:

1/9/2022 -- 22:20:14 - <Notice> - This is Suricata version 6.0.5 RELEASE running in SYSTEM mode
1/9/2022 -- 22:20:14 - <Info> - CPUs/cores online: 2
1/9/2022 -- 22:20:14 - <Warning> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol sip enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
1/9/2022 -- 22:20:14 - <Warning> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol mqtt enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
1/9/2022 -- 22:20:14 - <Warning> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rdp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
1/9/2022 -- 22:20:14 - <Info> - Found an MTU of 1500 for 'eth0'
1/9/2022 -- 22:20:14 - <Info> - Found an MTU of 1500 for 'eth0'
1/9/2022 -- 22:20:14 - <Info> - fast output device (regular) initialized: fast.log
1/9/2022 -- 22:20:14 - <Info> - eve-log output device (regular) initialized: eve.json
1/9/2022 -- 22:20:14 - <Info> - stats output device (regular) initialized: stats.log
1/9/2022 -- 22:20:25 - <Info> - 1 rule files processed. 27888 rules successfully loaded, 0 rules failed
1/9/2022 -- 22:20:25 - <Info> - Threshold config parsed: 0 rule(s) found
1/9/2022 -- 22:20:26 - <Info> - 27891 signatures processed. 1207 are IP-only rules, 5139 are inspecting packet payload, 21346 inspect application layer, 104 are decoder event only
1/9/2022 -- 22:21:26 - <Info> - Going to use 2 thread(s)
1/9/2022 -- 22:21:27 - <Info> - Using unix socket file '/var/run/suricata-command.socket'
1/9/2022 -- 22:21:27 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.
1/9/2022 -- 22:21:27 - <Info> - All AFP capture threads are running.

And the output of: cat /var/log/suricata/stats.log:

------------------------------------------------------------------------------------
Date: 9/1/2022 -- 22:41:11 (uptime: 0d, 00h 20m 57s)
------------------------------------------------------------------------------------
Counter                                       | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                        | Total                     | 39018
decoder.pkts                                  | Total                     | 39021
decoder.bytes                                 | Total                     | 16950426
decoder.ipv4                                  | Total                     | 19139
decoder.ipv6                                  | Total                     | 423
decoder.ethernet                              | Total                     | 39021
decoder.tcp                                   | Total                     | 14082
decoder.udp                                   | Total                     | 4847
decoder.icmpv4                                | Total                     | 225
decoder.icmpv6                                | Total                     | 408
decoder.avg_pkt_size                          | Total                     | 434
decoder.max_pkt_size                          | Total                     | 1506
flow.tcp                                      | Total                     | 132
flow.udp                                      | Total                     | 26
flow.icmpv4                                   | Total                     | 18
flow.icmpv6                                   | Total                     | 96
flow.wrk.spare_sync_avg                       | Total                     | 100
flow.wrk.spare_sync                           | Total                     | 4
decoder.event.tcp.opt_invalid_len             | Total                     | 3
flow.wrk.flows_evicted                        | Total                     | 37
tcp.sessions                                  | Total                     | 128
tcp.syn                                       | Total                     | 132
tcp.synack                                    | Total                     | 1
detect.alert                                  | Total                     | 3
app_layer.flow.dns_tcp                        | Total                     | 1
app_layer.tx.dns_tcp                          | Total                     | 2
app_layer.flow.ntp                            | Total                     | 1
app_layer.tx.ntp                              | Total                     | 1
app_layer.flow.sip                            | Total                     | 1
app_layer.tx.sip                              | Total                     | 1
app_layer.flow.dns_udp                        | Total                     | 12
app_layer.tx.dns_udp                          | Total                     | 24
app_layer.flow.failed_udp                     | Total                     | 12
flow.mgr.full_hash_pass                       | Total                     | 5
flow.spare                                    | Total                     | 9783
flow.mgr.rows_maxlen                          | Total                     | 2
flow.mgr.flows_checked                        | Total                     | 271
flow.mgr.flows_notimeout                      | Total                     | 88
flow.mgr.flows_timeout                        | Total                     | 183
flow.mgr.flows_evicted                        | Total                     | 183
tcp.memuse                                    | Total                     | 1212416
tcp.reassembly_memuse                         | Total                     | 196608
flow.memuse                                   | Total                     | 7474304

Well, Suricata can be quite heavy on CPU usage, although the stats.log doesn’t look like much traffic. It would be worth checking the perf top -p $(pidof suricata) output as well, and checking the difference between normal top and htop again.
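Added example, not part of the original posts: a small Python parser for the stats.log layout quoted above that turns the cumulative packet and byte counters into average rates over the reported uptime, which puts a number on "not much traffic". The function names and the embedded sample (a subset of the lines posted in this thread) are chosen for this illustration.

```python
import re

# Constructed sample: a subset of the stats.log dump quoted in this thread.
SAMPLE = """\
Date: 9/1/2022 -- 22:41:11 (uptime: 0d, 00h 20m 57s)
------------------------------------------------------------------------------------
Counter                                       | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                        | Total                     | 39018
decoder.pkts                                  | Total                     | 39021
decoder.bytes                                 | Total                     | 16950426
flow.memuse                                   | Total                     | 7474304
"""

UPTIME_RE = re.compile(r"uptime:\s*(\d+)d,\s*(\d+)h\s*(\d+)m\s*(\d+)s")
COUNTER_RE = re.compile(r"^(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")

def parse_last_dump(text):
    """Return (uptime_seconds, {counter: value}) for the last dump in text."""
    uptime, counters = None, {}
    for line in text.splitlines():
        m = UPTIME_RE.search(line)
        if m:
            d, h, mi, s = map(int, m.groups())
            uptime = ((d * 24 + h) * 60 + mi) * 60 + s
            counters = {}  # a new dump starts; keep only the latest one
            continue
        m = COUNTER_RE.match(line)
        if m and m.group(2) == "Total":
            counters[m.group(1)] = int(m.group(3))
    if uptime is None:
        raise ValueError("no 'Date: ... (uptime: ...)' header found")
    return uptime, counters

def average_load(text):
    """Average packet and bit rate since engine start (counters are cumulative)."""
    uptime, c = parse_last_dump(text)
    if uptime == 0:
        raise ValueError("uptime is zero, cannot compute a rate")
    return {
        "uptime_s": uptime,
        "pkts_per_s": c.get("decoder.pkts", 0) / uptime,
        "kbit_per_s": c.get("decoder.bytes", 0) * 8 / uptime / 1000,
    }

if __name__ == "__main__":
    print(average_load(SAMPLE))
```

Pointed at the real file, the same function reports the rates for the most recent dump; the figures are averages since start, so bursts are not visible in them.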

Here are the outputs. After the last few days I’m still none the wiser about what can still be done there. But I think that Suricata is disturbed by other services.

The following services are running on the server: WireGuard, Nftables, Prometheus, Chrony, Pihole, Bind9, Unbound



Wonder if this is related to Bug #4421: flow manager: using too much CPU during idle (6.0.x backport) - Suricata - Open Information Security Foundation

The fix for that just hit our master-6.0.x branch, so perhaps you can give that a try.

Just as a remark, the package for Suricata installable via apt usually requires the config file to be changed, since it hardcodes interface name eth0 and other things there that might not be correct for your system! That interface seems to work for you in principle as the stats suggest you see traffic there, but please do not assume that a vanilla installation will do what you want out of the box :slight_smile: