Topic: Intrusion Detection performance issue (Read 4791 times)

Joerg

« on: June 15, 2016, 11:05:48 am »
Hi,

I'm using the current, updated OPNsense on a ZOTAC-CI323nano cube. I configured a physical WAN interface and one LAN interface with some VLANs.
So far the performance is really great.
As soon as I activate the Intrusion Detection IPS mode, the download rate goes down by 30%.
The CPU load is below 20% then.
If I activate the abuse.ch/* rules, the Internet connection will drop after a few minutes. In the alert tab I do not see any dropped packets.

Any idea, or in which area I should look?

phoenix

« Reply #1 on: June 15, 2016, 11:08:44 am »
In my experience lack of RAM is usually the killer with IPS, how much RAM is on your system?
Regards


Bill

Joerg

« Reply #2 on: June 15, 2016, 11:26:31 am »
I'm using 8068 MB

I tested it again. Starting a download does not raise the memory usage, which is at 10%. It seems that simply the WAN interface status says offline.
« Last Edit: June 15, 2016, 11:33:01 am by Joerg »

phoenix

« Reply #3 on: June 15, 2016, 11:31:33 am »
Quote from: Joerg on June 15, 2016, 11:26:31 am
I'm using 8068 MB
I guess that should be enough  :D

Are you actually using it as an IDS or have you enabled IPS mode and how many rules are you checking and blocking (is it just the ones you mentioned earlier)? I've used this on an ESXi VM with 2GB of RAM without any great problems, I'm not a developer so I'm really just asking for a bit of clarification of what you're doing.
Regards


Bill

Joerg

« Reply #4 on: June 15, 2016, 11:38:13 am »
I just use the rulesets:
abuse.ch/Dyre SSL IPBL
abuse.ch/Feodo Tracker
abuse.ch/SSL Fingerprint Blacklist
abuse.ch/SSL IP Blacklist

This of course loaded 2294 rules.

Joerg

« Reply #5 on: June 16, 2016, 11:10:40 am »
So I just tested it again.
As soon as I activate IPS mode, the WAN interface will go offline in less than 4 minutes.

Are there some logfiles or settings which I can check?

jschellevis

« Reply #6 on: June 16, 2016, 11:22:20 am »
Just to be sure: Did you disable all hardware offloading?

If so it could be that the network chip is not very well supported by Netmap, can you tell us what network chip is in that device?

Joerg

« Reply #7 on: June 16, 2016, 01:24:19 pm »
So far I found out that there is a Realtek RTL8111/8168/8169/8411 chip inside. I found this on the net, so I can check when I'm home. Or is there a way to see that?

And of course I disabled all hardware offloading.  :P

Joerg

« Reply #8 on: June 16, 2016, 01:31:22 pm »
This is the output of the log this morning in the GUI:

Jun 16 08:17:38 apinger: alarm canceled: VLAN11_USGW(192.168.2.1) *** down ***
Jun 16 08:17:37 apinger: alarm canceled: WANGW(MY-WANIP) *** down ***
Jun 16 08:17:10 apinger: ALARM: WANGW(MY-WANIP) *** down ***
Jun 16 08:12:17 apinger: alarm canceled: WANGW(MY-WANIP) *** down ***
Jun 16 08:09:34 apinger: ALARM: VLAN11_USGW(192.168.2.1) *** down ***
Jun 16 08:09:33 apinger: ALARM: WANGW(MY-WANIP) *** down ***
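
Added example (not part of the original thread): one way to turn the apinger excerpt from reply #8 into per-gateway outage windows, so they can be lined up against the moment IPS mode was switched on. The function name outage_windows and the default year are assumptions; the sample lines are the ones posted above.

```python
import re
from datetime import datetime

# Log excerpt as posted in the thread (newest entry first, as the GUI shows it).
SAMPLE_LOG = """\
Jun 16 08:17:38 apinger: alarm canceled: VLAN11_USGW(192.168.2.1) *** down ***
Jun 16 08:17:37 apinger: alarm canceled: WANGW(MY-WANIP) *** down ***
Jun 16 08:17:10 apinger: ALARM: WANGW(MY-WANIP) *** down ***
Jun 16 08:12:17 apinger: alarm canceled: WANGW(MY-WANIP) *** down ***
Jun 16 08:09:34 apinger: ALARM: VLAN11_USGW(192.168.2.1) *** down ***
Jun 16 08:09:33 apinger: ALARM: WANGW(MY-WANIP) *** down ***
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) apinger: "
    r"(?P<kind>ALARM|alarm canceled): (?P<gw>[^(]+)\([^)]*\) \*\*\* down \*\*\*$"
)

def outage_windows(log_text, year=2016):
    """Return {gateway: [(start, end, seconds), ...]}; end and seconds are None if still down."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not apinger "down" alarms
        # syslog timestamps carry no year, so the caller supplies it (assumption)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["kind"], m["gw"]))
    events.sort(key=lambda e: e[0])  # GUI order is newest-first; replay oldest-first

    open_since, windows = {}, {}
    for ts, kind, gw in events:
        if kind == "ALARM":
            open_since.setdefault(gw, ts)  # keep the first ALARM of an outage
        elif gw in open_since:  # a cancel whose ALARM is outside the excerpt is skipped
            start = open_since.pop(gw)
            windows.setdefault(gw, []).append((start, ts, int((ts - start).total_seconds())))
    for gw, start in open_since.items():  # alarms never canceled within the excerpt
        windows.setdefault(gw, []).append((start, None, None))
    return windows

if __name__ == "__main__":
    for gw, spans in outage_windows(SAMPLE_LOG).items():
        for start, end, secs in spans:
            print(f"{gw}: down from {start:%H:%M:%S} until {end or 'still down'} ({secs}s)")
```
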

franco

« Reply #9 on: June 21, 2016, 09:16:01 pm »
Hi Jörg,

There were several threads where Realtek turned out to be a letdown and only replacing the NICs helped amend the system, e.g.:

https://forum.opnsense.org/index.php?topic=2306


Cheers,
Franco