OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: elektroinside on January 13, 2018, 01:52:46 pm

Title: IPS+ IDS performance
Post by: elektroinside on January 13, 2018, 01:52:46 pm
Another strange thing i noticed after upgrading to 18.1.r1:

With 18.1.r1, IDS+IPS enabled, download speed decreased to about half, ~550Mbit/s. Disabling IDS+IPS, I'm back to my full speed, ~980Mbit/s.
Same IDS+IPS rules, same everything, but with 17.7.11: ~980Mbit/s.

IDS+IPS was up and running in both cases, as I could see my own rules being blocked, some other rules being blocked, exceptions being passed and so on...

This https://forum.opnsense.org/index.php?topic=6590.0 actually made things worse for me, so I deleted the stuff I added (while I was on 17.7.11)...
Title: Re: IPS+ IDS performance
Post by: elektroinside on January 13, 2018, 03:16:58 pm
I'm also confident that the alerts reflected the reality, as it blocked eicar for example, or other wicar tests or other custom rules with both versions...
Title: Re: IPS+ IDS performance
Post by: franco on January 14, 2018, 03:44:24 pm
You can try to boot the 17.7 kernel and see if that is the cause:

# opnsense-update -kr 17.7.10 -n "17.7\/sets"

Running this will bring you back to the 18.1.r1 kernel:

# opnsense-update -k

(Don't forget the reboot in both cases)


Cheers,
Franco
Title: Re: IPS+ IDS performance
Post by: elektroinside on January 14, 2018, 05:00:31 pm
Nope.. same thing unfortunately...
Title: Re: IPS+ IDS performance
Post by: franco on January 14, 2018, 05:29:30 pm
That's good and bad at the same time. :o

Maybe the new NAT rule framework makes this slower? Although in that case IDS/IPS switching shouldn't matter.

Next thing would be to use the old Suricata binary on top of the 11.1 kernel:

# pkg add -f https://pkg.opnsense.org/FreeBSD:11:amd64/17.7/MINT/17.7.11/OpenSSL/All/suricata-4.0.3.txz


Cheers,
Franco
Title: Re: IPS+ IDS performance
Post by: elektroinside on January 14, 2018, 06:38:48 pm
Nope.. this didn't help either.
Furthermore, I just noticed Suricata eats a lot of CPU now while speedtesting. Didn't notice this before.
Take a look at the attached image.

I think, for some reason, the quad-core 3.6GHz i3-8100 is maxed out now, at least on one core, as 25% CPU corresponds to one core maxing out.

I think for some reason it worked with multi-core CPUs before, multiple threads maybe, but not anymore. Is this possible?
Title: Re: IPS+ IDS performance
Post by: elektroinside on January 14, 2018, 09:49:57 pm
Ok, this made me think, the CPU usage... for some reason I missed that promiscuous mode was enabled. This was the cause. Disabling it obviously fixed it :)

Apologies.
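Since the culprit above was an interface left in promiscuous mode, here is an added check (not from this thread or from OPNsense) that parses FreeBSD-style `ifconfig` output and lists interfaces carrying the PROMISC flag; the sample output is constructed, and `promisc_ifaces`/`check_promisc` are names chosen for this example.

```shell
#!/bin/sh
# Added example: flag interfaces whose ifconfig flag list contains PROMISC,
# the setting that caused the single-core Suricata CPU saturation above.

# Constructed sample of FreeBSD `ifconfig` output so the script runs offline.
SAMPLE_IFCONFIG='em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 198.51.100.1 netmask 0xffffff00 broadcast 198.51.100.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384'

# Read ifconfig text on stdin; print interface names with PROMISC, one per line.
promisc_ifaces() {
    # Only interface header lines start in column 0 as "name: flags=...";
    # the flag list sits between < and >. Split on the angle brackets and
    # look for an exact PROMISC token in the comma-separated list.
    awk -F'[<>]' '/^[A-Za-z0-9_.]+: flags=/ {
        n = split($2, f, ",")
        for (i = 1; i <= n; i++) if (f[i] == "PROMISC") {
            sub(/:.*/, "", $1); print $1
        }
    }'
}

# Convenience wrapper: takes ifconfig text as an argument, returns a
# space-separated list of promiscuous interfaces (empty if none).
check_promisc() {
    printf '%s\n' "$1" | promisc_ifaces | tr '\n' ' ' | sed 's/ $//'
}

# On a live OPNsense/FreeBSD box run: ifconfig | promisc_ifaces
found=$(check_promisc "$SAMPLE_IFCONFIG")
if [ -n "$found" ]; then
    echo "PROMISC set on: $found (review the IDS 'Promiscuous mode' setting if Suricata pins one core)"
else
    echo "no interface in promiscuous mode"
fi
```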
Title: Re: IPS+ IDS performance
Post by: franco on January 15, 2018, 12:47:28 pm
Whew, glad to hear that! 8)
Title: Re: IPS+ IDS performance
Post by: mimugmail on January 15, 2018, 04:29:03 pm
Perhaps something to put in dcol's sticky tuning guide?
Title: Re: IPS+ IDS performance
Post by: dcol on January 16, 2018, 11:38:43 pm
So far I only touched on tunables in the guide, but I updated to include other IPS settings. Thanks
Title: Re: IPS+ IDS performance
Post by: nines on February 07, 2018, 09:29:43 pm
Having the same problem regarding the performance as long as IPS is enabled. I got 250/25Mbit in the past and now have max 150/25. The Suricata process in top is using only one core - is this how it should be?

What else can I do to troubleshoot? As soon as I disable IPS it becomes fast, as mentioned above.

//Edit: sorry for complaining about OPNsense - turned out that a Debian VM's Java process stresses the CPU really hard, so all other VMs had no CPU cycles left for themselves.
All is working fine - thanks for working so hard on OPNsense!
Title: Re: IPS+ IDS performance
Post by: thg0432 on February 28, 2018, 05:53:55 pm
I'm having the same issue... I don't have Promiscuous mode selected and am running 18.1.2_2. I'm losing about 1/4 of my download speed with it enabled. CPU usage is next to nothing and my RAM is at about 20%, so I don't see where the bottleneck would be hardware-wise. I used the instructions provided by the OPNsense how-to docs.
Title: Re: IPS+ IDS performance
Post by: elektroinside on March 01, 2018, 12:17:55 pm
This should help: https://forum.opnsense.org/index.php?topic=6590.0

The tunables must be properly set though, according to your system. In other words, search the ones mentioned in dcol's post in your system and modify them as instructed.