Author Topic: Intrusion Detection issue  (Read 6285 times)

Julien

Intrusion Detection issue
« on: August 08, 2017, 01:53:32 am »
Hi guys,
Is this normal behaviour? See the photos, one with intrusion enabled and one without.
When the intrusion is not enabled I reach 1000Mbps/s, and when it's enabled I reach 20 Mbps/s.

Is it normal that the ID kills all my speed?
« Last Edit: August 08, 2017, 01:59:26 am by Julien »
An intelligent man is sometimes forced to be drunk to spend time with his fool.

mimugmail

Re: Intrusion Detection issue
« Reply #1 on: August 08, 2017, 05:48:39 am »
It depends on your hardware, but yes it will slow down dramatically, so just enable the rules you really need to increase performance
Twitter: mimu_muc
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/
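
Acting on "just enable the rules you really need" starts with knowing which rules are active. The following is an added example, not part of the thread and not OPNsense or Suricata code: it parses Suricata-style rule text and counts enabled versus commented-out rules per classtype. The sample rules, SIDs and the function names `parse_rules` and `summarize` are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in Suricata rule syntax; rules and SIDs are invented for this example.
SAMPLE_RULES = r'''
# Constructed ruleset, not taken from any real feed
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE cleartext login"; flow:established,to_server; content:"password="; classtype:policy-violation; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE ssh connection burst"; flags:S; threshold:type both, track by_src, count 5, seconds 60; classtype:attempted-admin; sid:1000002; rev:1;)
#alert dns $HOME_NET any -> any any (msg:"EXAMPLE dns lookup"; content:"example"; classtype:policy-violation; sid:1000003; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"EXAMPLE irc session"; flow:established; classtype:trojan-activity; sid:1000004; rev:2;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE inbound smb"; flow:to_server; classtype:trojan-activity; sid:1000005; rev:1;)
'''

# A rule line is "<action> <proto> <header> (<options>)"; a leading '#' disables it.
RULE_RE = re.compile(
    r'^(?P<off>#\s*)?(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+.*?'
    r'\((?P<opts>.*)\)\s*$')
OPT_RE = {k: re.compile(rf'\b{k}\s*:\s*([^;]+);') for k in ("classtype", "sid")}

def parse_rules(text):
    """Return one dict per rule line, including rules disabled with '#'."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # blank lines and ordinary comments
        found = {k: rx.search(m.group("opts")) for k, rx in OPT_RE.items()}
        if not found["sid"]:
            continue  # every valid rule carries a sid; skip anything without one
        ctype = found["classtype"]
        rules.append({
            "enabled": m.group("off") is None,
            "action": m.group("action"),
            "proto": m.group("proto"),
            "classtype": ctype.group(1).strip() if ctype else "unclassified",
            "sid": int(found["sid"].group(1)),
        })
    return rules

def summarize(rules):
    """Map classtype -> (enabled count, disabled count)."""
    on = Counter(r["classtype"] for r in rules if r["enabled"])
    off = Counter(r["classtype"] for r in rules if not r["enabled"])
    return {c: (on[c], off[c]) for c in sorted(set(on) | set(off))}

if __name__ == "__main__":
    for ctype, (on, off) in summarize(parse_rules(SAMPLE_RULES)).items():
        print(f"{ctype:20s} enabled={on} disabled={off}")
```

Run against the rule files actually loaded on the sensor, the per-classtype counts show which categories account for most of the enabled rules and are the first candidates to review.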

franco

Re: Intrusion Detection issue
« Reply #2 on: August 08, 2017, 07:35:02 am »
"kills all my speed" -- no, it shouldn't. This is too low.

Julien

Re: Intrusion Detection issue
« Reply #3 on: August 08, 2017, 06:03:48 pm »
Quote from: mimugmail on August 08, 2017, 05:48:39 am
It depends on your hardware, but yes it will slow down dramatically, so just enable the rules you really need to increase performance
Any suggestions why?
The HDD is I5/8GB Memory/120SSD Samsung Pro.
I don't believe this should be an issue at all.
When the intrusion detection is on it uses like 30% of the memory and 7% of CPU, and when I turn it off it uses 3% CPU and 10% memory.

What do you mean with enable only the rules?

bobbythomas

Re: Intrusion Detection issue
« Reply #4 on: August 09, 2017, 09:47:08 am »
Is it possible for you to do an iperf test? There are many public iperf servers available.

Regards,
Bobby Thomas

Julien

Re: Intrusion Detection issue
« Reply #5 on: August 09, 2017, 02:52:20 pm »
Quote from: bobbythomas on August 09, 2017, 09:47:08 am
Is it possible for you to do an iperf test? There are many public iperf servers available.

Regards,
Bobby Thomas
I can't seem to find iperf.
Do I have to install this?
What are the commands to do so?

phoenix

Re: Intrusion Detection issue
« Reply #6 on: August 09, 2017, 03:18:35 pm »
If you want to do it from the firewall then you need to install it: pkg search iperf - you could always install it on a server (or PC) on your LAN.
Regards


Bill

hutiucip

Re: Intrusion Detection issue
« Reply #7 on: August 10, 2017, 03:19:56 pm »
Quote from: Julien on August 08, 2017, 01:53:32 am

When the intrusion is not enabled I reach 1000Mbps/s, and when it's enabled I reach 20 Mbps/s.

Is it normal that the ID kills all my speed?

Is enabling/disabling ID(P)S the only thing that you do in order to have these differences? It is way-way-way too much of a difference in throughput... :(

xmichielx

Re: Intrusion Detection issue
« Reply #8 on: August 11, 2017, 11:11:11 am »
It does cap your bandwidth a lot with the old 3.* Suricata versions.
I tried the new 4.0 stable on my APU2C2 with Ubuntu 16.04 (PPA package) and it works much, much better on something such as the APU.
For example:

- OPNsense/pfSense Suricata 3.* with netmap: max 9-11 MB/s - where 17 MB/s is my normal max bandwidth
- Ubuntu 16.04 LTS with Suricata 4.0 with NFQ: max 14-16 MB/s - where 17 MB/s is my normal max bandwidth

Tried using a cabled host using gigabit with: wget 'ftp://ftp.nluug.nl/pub/FreeBSD/releases/ISO-IMAGES/11.1/FreeBSD-11.1-RELEASE-amd64-dvd1.iso' -O /dev/null

My advice: wait for Suricata 4.* being embedded in OPNsense/pfSense.

See also: https://suricata-ids.org/category/release/ and especially:

'Under the Hood
A major TCP stream engine update is included. This should lead to better performance and less configuration, especially in IPS mode.'

I know my setup is not a good test situation but I've tested a lot with Snort and Suricata inline and performance hits on my box and I really noticed a better performance.
See for yourself if it is worth the upgrade (also better detection is always welcome ;) )

Julien

Re: Intrusion Detection issue
« Reply #9 on: August 25, 2017, 03:53:00 pm »
Thank you for your feedback.
I'll wait for the release of the V4.
Does anybody know the release date?

franco

Re: Intrusion Detection issue
« Reply #10 on: August 25, 2017, 03:59:23 pm »
There is a call for testing for Suricata 4.0.0, you can try it if you want.

But in any case, it will hit 17.7.1 next week.


Cheers,
Franco

Julien

Re: Intrusion Detection issue
« Reply #11 on: August 25, 2017, 04:01:28 pm »
Quote from: franco on August 25, 2017, 03:59:23 pm
There is a call for testing for Suricata 4.0.0, you can try it if you want.

But in any case, it will hit 17.7.1 next week.


Cheers,
Franco
Thank you Franco,
I have found the link https://forum.opnsense.org/index.php?topic=5595.0;topicseen
I'll start the test on the LAB and report back in case of some errors.

franco

Re: Intrusion Detection issue
« Reply #12 on: August 25, 2017, 04:03:21 pm »
Thanks Julien, feedback still very welcome! :)