Suricata CPU High Load Solution

I have a low specs proxy server in the cloud with 1 CPU, 1GB Ram which act as a connector between my firewall/router and VPN provider.

This proxy server was getting cyber attacks from unknown sources and the proxy server relay this traffic to my firewall as normal traffic.

My home firewall has a special software called IPS Suricata which receive these attacks and thinks that the proxy is the machine which perform the attacks and block it and that action makes my VPN restart on the firewall and disturb my internet connection.

This behaviour happens frequently, so i decided to install Suricata on my proxy server to defend itself and prevent such traffic to arrive to my home firewall.

After installing Suricata on my proxy server i faced a CPU utilization problem. Suricata at first will perform fine and the CPU utilization will be low, then after awhile for unknown reasons the CPU goes to 99% and that will cause speed downgrade on my home firewall cause i’m tunneled throw that proxy server.

After two days troubleshooting, i decided to write a monitor script to act on my behalf, if the Suricata CPU goes beyond certain threshold the script will kill the process and restart the service immediately.

After deploying that script and run it as daemon, the problem is solved and the internet became stable at my home and the attacks disappeared.

Suricata Installation & Optimization Guidelines (For Starters)

To avoid repeating the documentation for installation and optimization i will index here the basic resources which i used to setup Suricata on Linux Debian.

My CPU Monitor Script

THERSHOLD=75

echo "Press [CTRL+C] to stop.."
while :
do
        TIMESTAMP=$(date +%s)
        SURICATA_PID=`ps -aux | grep "suricata -c /etc/suricata/suricata.yaml -q 0" | grep -v grep | awk '{print $2}' | tail -n 1`

        if [ -z "$SURICATA_PID" ]
        then
                echo "$TIMESTAMP: Starting Suricata Engine"
                suricata -c /etc/suricata/suricata.yaml -q 0 &
                sleep 2
                continue
        fi

        SURICATA_CPU=`top -b -n 2 -d 0.2 -p $SURICATA_PID | tail -1 | awk '{print $9}'`
        printf -v SURICATA_CPU %.0f "$SURICATA_CPU"

        if [ $SURICATA_CPU -lt $THERSHOLD ]; then
                echo "$TIMESTAMP:  PID: $SURICATA_PID - CPU:$SURICATA_CPU (FINE)"
        else
                echo "$TIMESTAMP: PID: $SURICATA_PID - CPU:$SURICATA_CPU (CRITICAL)"
                 kill -9 $SURICATA_PID
                 echo "$TIMESTAMP: Suricata Process Killed"
        fi
        sleep 1
done

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: