Good Day Everyone,
I have been trying to wrap my head around the Intrusion Detection system. I have attached screenshots of the configuration that I have instead of trying to explain it all. The long and the short of it is that when I have Intrusion Detection/Intrusion Prevention enabled I see the throughput of my WAN drop from 550ish to 480 or so.
I have attached screenshots of everything I can think of. Is the IDS system just that much of a power hog? If so perhaps the system requirements page needs an update to reflect this because from my understanding I should be running a lot better than I am. I do know I'm a little light on RAM that is being addressed tomorrow when my order shows up (I hope). For the observant among you this is a virtualized install with a passed through Intel dual gigabit nic.
Thanks in advance,
~T
Did you disable all hardware offloading as the help on the IPS line warns you to do before enabling?
The short answer is yes....
But in the end it depends on the hardware at hand.
Quote from: vico1959 on November 11, 2022, 11:49:08 PM
Did you disable all hardware offloading as the help on the IPS line warns you to do before enabling?
Yes I did
Quote from: Supermule on November 11, 2022, 11:54:38 PM
The short answer is yes....
But in the end it depends on the hardware at hand.
Can you elaborate? It has 10 cores of a dual e5-2450v2 setup which turbos to 2.5 ghz. Is surricata single threaded? If so that would explain why throwing more cores at it doesn't seem to be really helping.
Okay so other than memory use being a bit higher than I like, the rest of the hardware in that performance chart seems to be doing okay but that chart doesn't really show disk performance. If you are using a standard HD then you might try an SSD instead and see if that will help the swap file performance and therefore help your overall performance throughput. As a comparison, I am running a dedicated standalone hardware box with an i5-7400, which is only 4 cores at 3.0 GHz, 8GB of RAM and an SSD and my Internet speed is only 300/35 but I am getting the full speed with IPS enabled. It may be that there is a cap on max throughput that the software package can handle? It may be that the extra layer of running a virtualized box may have an impact? Have you heard what anyone else with a faster Internet speed is getting in comparison to you?
Once you have enough RAM, another performance tuning option you can select is to change the detect profile to HIGH.
Services > Intrusion Detection > Administration
(enable advanced mode to "Detect Profile"
Also, BIOS settings are very important.
Disable P states, disable C states, disable Turbo boost.
Oh rats, I didn't read your post very well, I see you are virtualised.
You would need to make those BIOS changes on the hosts for the C/P states and turbo boost, but those changes will help all VMs anyway.