OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: Julien on August 08, 2017, 01:53:32 am

Title: Intrusion Detection issue
Post by: Julien on August 08, 2017, 01:53:32 am
Hi guys,
Is this normal behaviour? See the photos: one with intrusion detection enabled and one without.
When intrusion detection is not enabled I reach 1000 Mbps, and when it is enabled I reach 20 Mbps.

Is it normal that the ID kills all my speed?
Title: Re: Intrusion Detection issue
Post by: mimugmail on August 08, 2017, 05:48:39 am
It depends on your hardware, but yes, it will slow down dramatically, so just enable the rules you really need to increase performance.
Title: Re: Intrusion Detection issue
Post by: franco on August 08, 2017, 07:35:02 am
"kills all my speed" -- no, it shouldn't. this is too low.
Title: Re: Intrusion Detection issue
Post by: Julien on August 08, 2017, 06:03:48 pm
> It depends on your hardware, but yes, it will slow down dramatically, so just enable the rules you really need to increase performance.

Any suggestions why?
The HDD is i5 / 8 GB memory / 120 GB Samsung Pro SSD.
I don't believe this should be an issue at all.
When intrusion detection is on it uses about 30% of the memory and 7% of CPU, and when I turn it off it uses 3% CPU and 10% memory.

What do you mean by enabling only the rules?
Title: Re: Intrusion Detection issue
Post by: bobbythomas on August 09, 2017, 09:47:08 am
Is it possible for you to do an iperf test? There are many public iperf servers available.

Regards,
Bobby Thomas
Title: Re: Intrusion Detection issue
Post by: Julien on August 09, 2017, 02:52:20 pm
> Is it possible for you to do an iperf test? There are many public iperf servers available.
>
> Regards,
> Bobby Thomas

I can't seem to find iperf.
Do I have to install it?
What are the commands to do so?
Title: Re: Intrusion Detection issue
Post by: phoenix on August 09, 2017, 03:18:35 pm
If you want to do it from the firewall then you need to install it: pkg search iperf. You could always install it on a server (or PC) on your LAN.
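The iperf test suggested above, worked through as an added example (this is not code from the thread or from OPNsense). It assumes iperf3 is installed on a LAN host on each side of the firewall, that the client is run twice with `iperf3 -c <server> -J -t 10` (once with intrusion detection disabled, once enabled), and compares the receiver-side throughput of the two JSON reports. The 50% acceptable-loss threshold and the two sample reports are constructed for illustration.

```python
"""A/B throughput check: iperf3 with intrusion detection off vs. on."""
import json
import shutil
import subprocess
from typing import Optional


def mbps_from_iperf3_json(report: dict) -> float:
    """Return throughput in Mbit/s from a parsed `iperf3 -J` report.

    For TCP runs iperf3 puts bits_per_second under end.sum_received and
    end.sum_sent. The receiver side is preferred because that is the traffic
    that actually made it through the firewall.
    """
    end = report["end"]
    summary = end.get("sum_received") or end["sum_sent"]
    return summary["bits_per_second"] / 1e6


def run_iperf3(server: str, seconds: int = 10) -> Optional[dict]:
    """Run `iperf3 -c SERVER -J -t SECONDS` and return the parsed JSON report.

    Returns None when iperf3 is not installed, so the comparison logic below
    can still be exercised on saved reports.
    """
    if shutil.which("iperf3") is None:
        return None
    proc = subprocess.run(
        ["iperf3", "-c", server, "-J", "-t", str(seconds)],
        capture_output=True, text=True, check=True,
    )
    return json.loads(proc.stdout)


def compare_runs(ids_off: dict, ids_on: dict, max_loss: float = 0.5) -> dict:
    """Compare two reports and flag when IDS costs more than max_loss of throughput.

    max_loss=0.5 (accept up to a 50% drop) is an arbitrary example threshold;
    pick one that matches the link speed you actually need to keep.
    """
    off = mbps_from_iperf3_json(ids_off)
    on = mbps_from_iperf3_json(ids_on)
    retained = on / off if off else 0.0
    return {
        "ids_off_mbps": round(off, 1),
        "ids_on_mbps": round(on, 1),
        "retained": round(retained, 3),
        "acceptable": retained >= (1.0 - max_loss),
    }


# Constructed sample reports (not real captures), shaped like `iperf3 -J`
# output but trimmed to the fields this script reads. The numbers mirror the
# 1000 Mbps vs. 20 Mbps figures from the opening post.
SAMPLE_IDS_OFF = {
    "end": {
        "sum_sent": {"bits_per_second": 1.01e9},
        "sum_received": {"bits_per_second": 1.0e9},
    }
}
SAMPLE_IDS_ON = {
    "end": {
        "sum_sent": {"bits_per_second": 2.1e7},
        "sum_received": {"bits_per_second": 2.0e7},
    }
}

if __name__ == "__main__":
    # Replace with your own LAN iperf3 server; falls back to the samples when
    # iperf3 is not installed so the script still runs offline.
    live = run_iperf3("192.0.2.10")  # hypothetical server address (TEST-NET-1)
    if live is None:
        print(compare_runs(SAMPLE_IDS_OFF, SAMPLE_IDS_ON))
    else:
        print("single run:", round(mbps_from_iperf3_json(live), 1), "Mbit/s")
```

Run the client once with the IDS disabled and save the output, then enable it and run again against the same server with the same duration; anything else changed between the two runs (rule sets, hardware offloading, a different iperf server) makes the comparison meaningless, which is also why a LAN-to-LAN server is preferable to a public one whose own load varies.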
Title: Re: Intrusion Detection issue
Post by: Ciprian on August 10, 2017, 03:19:56 pm

> When intrusion detection is not enabled I reach 1000 Mbps, and when it is enabled I reach 20 Mbps.
>
> Is it normal that the ID kills all my speed?

Is enabling/disabling ID(P)S the only thing you do in order to get these differences? It is way, way, way too much of a difference in throughput... :(
Title: Re: Intrusion Detection issue
Post by: xmichielx on August 11, 2017, 11:11:11 am
It does cap your bandwidth a lot with the old 3.* Suricata versions.
I tried the new 4.0 stable on my APU2C2 with Ubuntu 16.04 (PPA package) and it works much much better on something as the APU.
For example:

- OPNsense/PFsense Suricata 3.* with netmap : max 9-11 MB/s - where 17 MB/s is my normal max bandwidth
- Ubuntu 16.04 LTS with Suricata 4.0 with NFQ: max 14-16 MB/s - where 17 MB/s is my normal max bandwidth

Tried using a cabled host using gigabit with: 'wget 'ftp://ftp.nluug.nl/pub/FreeBSD/releases/ISO-IMAGES/11.1/FreeBSD-11.1-RELEASE-amd64-dvd1.iso' -O /dev/null'

My advice: wait for Suricata 4.* to be embedded in OPNsense/pfSense.

See also: https://suricata-ids.org/category/release/ and especially:

'Under the Hood
A major TCP stream engine update is included. This should lead to better performance and less configuration, especially in IPS mode.'

I know my setup is not a good test situation, but I've tested a lot with Snort and Suricata inline and the performance hits on my box, and I really noticed better performance.
See for yourself if it is worth the upgrade (better detection is always welcome too ;) ).
Title: Re: Intrusion Detection issue
Post by: Julien on August 25, 2017, 03:53:00 pm
> It does cap your bandwidth a lot with the old 3.* Suricata versions.
> I tried the new 4.0 stable on my APU2C2 with Ubuntu 16.04 (PPA package) and it works much much better on something as the APU.
> For example:
>
> - OPNsense/PFsense Suricata 3.* with netmap : max 9-11 MB/s - where 17 MB/s is my normal max bandwidth
> - Ubuntu 16.04 LTS with Suricata 4.0 with NFQ: max 14-16 MB/s - where 17 MB/s is my normal max bandwidth
>
> Tried using a cabled host using gigabit with: 'wget 'ftp://ftp.nluug.nl/pub/FreeBSD/releases/ISO-IMAGES/11.1/FreeBSD-11.1-RELEASE-amd64-dvd1.iso' -O /dev/null'
>
> My advice: wait for Suricata 4.* to be embedded in OPNsense/pfSense.
>
> See also: https://suricata-ids.org/category/release/ and especially:
>
> 'Under the Hood
> A major TCP stream engine update is included. This should lead to better performance and less configuration, especially in IPS mode.'
>
> I know my setup is not a good test situation, but I've tested a lot with Snort and Suricata inline and the performance hits on my box, and I really noticed better performance.
> See for yourself if it is worth the upgrade (better detection is always welcome too ;) ).

Thank you for your feedback.
I'll wait for the release of v4.
Does anybody know the release date?
Title: Re: Intrusion Detection issue
Post by: franco on August 25, 2017, 03:59:23 pm
There is a call for testing for Suricata 4.0.0, you can try it if you want.

But in any case, it will hit 17.7.1 next week.


Cheers,
Franco
Title: Re: Intrusion Detection issue
Post by: Julien on August 25, 2017, 04:01:28 pm
> There is a call for testing for Suricata 4.0.0, you can try it if you want.
>
> But in any case, it will hit 17.7.1 next week.
>
> Cheers,
> Franco

Thank you Franco,
I have found the link: https://forum.opnsense.org/index.php?topic=5595.0;topicseen
I'll start the test in the lab and report back in case of any errors.
Title: Re: Intrusion Detection issue
Post by: franco on August 25, 2017, 04:03:21 pm
Thanks Julien, feedback still very welcome! :)