OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: Tugdualenligne on May 10, 2020, 01:12:41 pm

Title: Samba (smb) with slow speeds because of Suricata
Post by: Tugdualenligne on May 10, 2020, 01:12:41 pm
Everything is in the subject of this message.
Can someone please explain how to protect Samba (port 445 TCP) with Suricata without slowing the network speeds too much? What rules do you activate / deactivate? My network is 100% Linux and macOS with Gb interfaces and switches, which deliver great speeds when Suricata is off.
Suricata IDS/IPS is active on the LAN, WLAN and DMZ interfaces, working great but slowing SMB flows in particular. The rest of the traffic does not appear to slow down, or, at least, it is not noticeable.
Many thanks in advance
Title: Re: Samba (smb) with slow speeds because of Suricata
Post by: dave on May 10, 2020, 05:15:22 pm
Someone with a deeper understanding of this may be able to provide a better answer, but in short I suspect it's because SMB traffic isn't encrypted by default, meaning Suricata can run DPI on it, hence the slowdown.

You're not seeing a similar slowdown in throughput elsewhere because Suricata's not touching most of your network traffic, which is likely encrypted (especially web traffic).

For packages such as Snort and Suricata to work properly you need to implement SSL inspection, which is essentially a man-in-the-middle attack.

For example, one of your endpoints (Mac, Linux, whatever) tries to contact an HTTPS site:
- NAT intercepts this request and routes it to Squid.
- Using a certificate authority you configure within OPNsense, Squid creates two encrypted sessions: one between itself and the endpoint; the other between itself and the site.
- Squid is now sitting in the middle, with unencrypted traffic flowing through it, providing a window during which Suricata can inspect traffic.

This is CPU intense stuff, so I believe you can expect a reduction in throughput.

If you have SSL inspection set up, you're probably not seeing the same degree of slowdown because Suricata's not having to churn through similarly sized files in other network traffic.

Just a guess.
Title: Re: Samba (smb) with slow speeds because of Suricata
Post by: Tugdualenligne on May 10, 2020, 11:38:51 pm
Thanks for your response.
That might not be my ideal solution (i.e. encrypting SMB traffic internally), but I'll look into it.

Any other idea gents?
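Since the question is which Suricata settings to touch, here is an added example, not taken from the posts above or from the OPNsense project, of the suricata.yaml knobs that decide how much of each SMB flow the engine reassembles and hands to its SMB parser. It addresses the mechanism dave describes: SMB is cleartext, so every byte of a file copy is reassembled and parsed. The depth value (1mb), the memcap-free layout and the rule SID are assumptions chosen for illustration; the stock configuration ships SMB with stream-depth 0, meaning the whole stream is tracked regardless of the global reassembly depth, which is the setting most worth checking first.

```yaml
# Added example (not from the thread): suricata.yaml fragment limiting how much
# of each SMB flow Suricata reassembles and inspects. The 1mb figure and the
# rule SID below are assumptions for illustration; tune to your own traffic.

stream:
  # Once a flow reaches the reassembly depth, drop it from tracking entirely
  # instead of continuing to queue its segments (local bypass).
  bypass: yes
  reassembly:
    # Reassemble and inspect at most this much of each TCP stream direction.
    # A large file copy over SMB exceeds this in well under a second; bytes
    # past the depth are not inspected, which is the trade-off being made.
    depth: 1mb

app-layer:
  protocols:
    smb:
      enabled: yes
      detection-ports:
        dp: 139, 445
      # Per-protocol stream depth for SMB. The stock value 0 means "track the
      # whole stream" and overrides stream.reassembly.depth above, so a long
      # SMB transfer stays fully parsed. Aligning it with the global depth
      # makes the SMB parser stop where the reassembler stops.
      stream-depth: 1mb

# Optional companion rule (belongs in a .rules file; reproduced here as a
# comment so the fragment stays valid YAML):
#   pass tcp $HOME_NET any -> $HOME_NET 445 (msg:"Bypass established internal SMB flow"; flow:established; bypass; sid:9000001; rev:1;)
# The bypass keyword marks the matching flow so the engine stops inspecting
# it; everything later in that SMB session is invisible to the IDS.
```

Two caveats. OPNsense generates suricata.yaml from its own templates, so a hand edit is overwritten on the next service restart; persistent changes have to go through the template override mechanism the IDS plugin provides. And both the depth limit and the bypass rule buy throughput by giving up coverage: a payload that appears after the first megabyte of a transfer, or anywhere in a bypassed flow, is never seen, so the SSL-inspection discussion above about making traffic visible and this tuning about deliberately making part of it invisible are pulling in opposite directions, and the choice should be a conscious one per interface.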
Title: Re: Samba (smb) with slow speeds because of Suricata
Post by: JasMan on June 07, 2020, 02:14:00 pm
Hey,
Same issue here.

I've opened a new thread: https://forum.opnsense.org/index.php?topic=17572.0
Not exactly what you are searching for, but maybe it's helpful for you too.

Jas