Author Topic: Intrusion Detection preformance issue (Read 1468 times)

Joerg · « **on:** June 15, 2016, 11:05:48 am »

Hi,

I'm using the actual updated OPNsense on a ZOTAC-CI323nano cube. Configured physical WAN Interface and one LAN Interface with some VLANS.
So far the Performance is really great.
As soon I activate the Intrusion Detection IPS mode the download rate goes down by 30%.
The CPU load is below 20% then.
In case I activate the abuse.ch/* rules the Internet Connection will drop after a few minutes. In the alert tab I do not see any drop packets.

Any Idea or in which area I should look?

phoenix · « **Reply #1 on:** June 15, 2016, 11:08:44 am »

In my experience lack of RAM is usually the killer with IPS, how much RAM is on your system?

Joerg · « **Reply #2 on:** June 15, 2016, 11:26:31 am »

I'm using 8068 MB

I tested it again. starting a download will not raise the Memory usage wich is at 10%. It seem's that simply the WAN intreface Status says offline.

phoenix · « **Reply #3 on:** June 15, 2016, 11:31:33 am »

Quote from: Joerg on June 15, 2016, 11:26:31 am

I'm using 8068 MB

I guess that should be enough

Are you actually using it as an IDS or have you enabled IPS mode and how many rules are you checking and blocking (is it just the ones you mentioned earlier)? I've used this on an ESXi VM with 2GB of RAM without any great problems, I'm not a developer so I'm really just asking for a bit of clarification of what you're doing.

Joerg · « **Reply #4 on:** June 15, 2016, 11:38:13 am »

I just use the rulesets
abuse.ch/Dyre SSL IPBL
abuse.ch/Feodo Tracker
abuse.ch/SSL Fingerprint Blacklist
abuse.ch/SSL IP Blacklist

this of course loaded 2294 Rules.

Joerg · « **Reply #5 on:** June 16, 2016, 11:10:40 am »

So I just test it again.
As soon I activate IPS mode the WAN Interface will go offline in less than 4 minutes.

Are there some logfiles or settings which I can check?

jschellevis · « **Reply #6 on:** June 16, 2016, 11:22:20 am »

Just to be sure: Did you disable all hardware offloading?

If so it could be that the network chip is not very well supported by Netmap, can you tell us what network chip is in that device?

Joerg · « **Reply #7 on:** June 16, 2016, 01:24:19 pm »

So far I found out that there is an Realtek RTL8111/8168/8169/8411 chip inside. I found this in the Net so I can check when I'm home. Or is there a way to see that?

And of course I disable all Hardware offloading.

Joerg · « **Reply #8 on:** June 16, 2016, 01:31:22 pm »

This is the Output of the Log this morning in the GUI:

Jun 16 08:17:38 apinger: alarm canceled: VLAN11_USGW(192.168.2.1) *** down ***
Jun 16 08:17:37 apinger: alarm canceled: WANGW(MY-WANIP) *** down ***
Jun 16 08:17:10 apinger: ALARM: WANGW(MY-WANIP) *** down ***
Jun 16 08:12:17 apinger: alarm canceled: WANGW(MY-WANIP) *** down ***
Jun 16 08:09:34 apinger: ALARM: VLAN11_USGW(192.168.2.1) *** down ***
Jun 16 08:09:33 apinger: ALARM: WANGW(MY-WANIP) *** down ***

franco · « **Reply #9 on:** June 21, 2016, 09:16:01 pm »

Hi Jörg,

There were several threads where Realtek turned out to be a let down and only replacing the NICs helped amend the system, e.g.:

https://forum.opnsense.org/index.php?topic=2306

Cheers,
Franco

Author Topic: Intrusion Detection preformance issue (Read 1468 times)

Joerg

Intrusion Detection preformance issue

phoenix

Re: Intrusion Detection preformance issue

Joerg

Re: Intrusion Detection preformance issue

phoenix

Re: Intrusion Detection preformance issue

Joerg

Re: Intrusion Detection preformance issue

Joerg

Re: Intrusion Detection preformance issue

jschellevis

Re: Intrusion Detection preformance issue

Joerg

Re: Intrusion Detection preformance issue

Joerg

Re: Intrusion Detection preformance issue

franco

Re: Intrusion Detection preformance issue