Hello
I am currently running a setup with an Intel Xeon E3-1220 v6 and Asus P10S-I mainboard. The maximum IPS throughput is around 80 MB/sec (tested with iperf3). That is with 46502 drop rules. I have already disabled flow control, energy efficient ethernet, ...
While testing I have noticed that Suricata is utilizing a single core for a single interface. Is it possible to optimize this behaviour? 1Gb IPS throughput would be nice.
Or:
Which CPU is able to achieve this performance?
80MB/s is around 700Mbit .. isn't this good? :)
If you really need this throughput, why not invest time tweaking the rules?
I'm quite sure 20000 rules are from 2015 and not affecting your systems ..
You need a high clock rate, an i3 with 4 GHz might be faster than an E3 with 2 GHz and more cores.
Quick Update:
I tested with different hardware again:
Xeon E-2236
Asus P11C-M/4L
4x M391A1K43BB2-CTD
Same results. The Xeon E-2236 with a much higher turbo clock speed is not that much faster (around 4-5 MB/s faster).
Correction:
The Xeon E-2236 was not using turbo. Now gigabit throughput is reached.
Quote from: mimugmail on March 05, 2020, 09:34:23 AM
80MB/s is around 700Mbit .. isn't this good? :)
If you really need this throughput, why not invest time tweaking the rules?
I'm quite sure 20000 rules are from 2015 and not affecting your systems ..
You need a high clock rate, an i3 with 4 GHz might be faster than an E3 with 2 GHz and more cores.
It might be a good idea to be able to configure the rules by having them grouped by technology or date. For example, if you usually patch your systems, maybe you can discard all the rules related to software vulnerabilities older than 1 year.
In pfSense many useful features are exposed in the interface, like
https://docs.netgate.com/pfsense/en/latest/ids-ips/setup-snort-package.html#define-servers-to-protect-and-improve-performance
https://docs.netgate.com/pfsense/en/latest/ids-ips/setup-snort-package.html#select-which-types-of-signatures-will-protect-the-network
90% of the stuff in https://docs.netgate.com/pfsense/en/latest/ids-ips/index.html#snort is not available in OPNsense, and basically similar options are available in Suricata that could be exposed.
https://www.youtube.com/watch?v=KRlbkG9Bh6I
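One way to act on the "group rules by date" idea above, as an added example that is not from this thread, OPNsense or Suricata: a Python script that reads the `created_at`/`updated_at` dates carried in rule `metadata` (the convention used by the ET rulesets) and lists the sids whose newest date is older than a cutoff, so they can be fed to a disable list instead of loaded as drop rules. The sample rules are constructed, and the cutoff date is an assumed parameter.

```python
import re
from datetime import date

# Constructed sample rules in ET metadata style; sids and messages are made up.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"CONSTRUCTED old SMB rule"; sid:9000001; rev:2; metadata:created_at 2015_02_10, updated_at 2015_02_10;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED recent rule"; sid:9000002; rev:1; metadata:created_at 2020_01_15, updated_at 2020_02_01;)
# alert tcp any any -> any any (msg:"CONSTRUCTED already disabled"; sid:9000003; rev:1; metadata:created_at 2014_06_01;)
alert tcp any any -> $HOME_NET 22 (msg:"CONSTRUCTED rule without dates"; sid:9000004; rev:1;)
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
DATE_RE = re.compile(r"\b(created_at|updated_at)\s+(\d{4})_(\d{2})_(\d{2})")

def rule_age_info(line):
    """Return (sid, newest metadata date) for an active rule line, else None.

    Commented-out rules and non-rule lines are skipped; a rule with no date
    metadata yields newest=None so it is never silently discarded."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    sid_m = SID_RE.search(stripped)
    if not sid_m:
        return None
    dates = [date(int(y), int(m), int(d)) for _, y, m, d in DATE_RE.findall(stripped)]
    return int(sid_m.group(1)), (max(dates) if dates else None)

def stale_sids(rules_text, today_iso, max_age_days=365):
    """Split active rules into (stale, undated) sid lists relative to today_iso.

    A rule is stale when its newest created_at/updated_at date is more than
    max_age_days old. Undated rules are returned separately for manual review."""
    today = date.fromisoformat(today_iso)
    stale, undated = [], []
    for line in rules_text.splitlines():
        info = rule_age_info(line)
        if info is None:
            continue
        sid, newest = info
        if newest is None:
            undated.append(sid)
        elif (today - newest).days > max_age_days:
            stale.append(sid)
    return sorted(stale), sorted(undated)

def render_disable_list(sids):
    """One sid per line, the shape a rule-manager disable list usually accepts."""
    return "\n".join(str(s) for s in sids)

if __name__ == "__main__":
    stale, undated = stale_sids(SAMPLE_RULES, "2020-03-05")
    print("stale sids:\n" + render_disable_list(stale))
    print("undated sids (review by hand):", undated)
```

Disabling by age only shortens the rule set; it does not replace checking that the remaining drop rules still cover the services actually exposed.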
I patch my systems regularly. In theory, I don't need an IPS. However, it was interesting to find out what hardware is required to achieve gigabit throughput, independent of large rule optimizations.
This benchmark has helped to scale systems better to the requirements.
Now I know that the Xeon E-2236 has the necessary performance to run Suricata almost without compromise. I have not yet tested how 10Gbit with a reduced number of rulesets is possible.