OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: Ciprian on March 21, 2018, 12:53:05 pm

Title: Call for testing a particular ruleset: abuse.ch/SSL Fingerprint Blacklist
Post by: Ciprian on March 21, 2018, 12:53:05 pm
When I enable the abuse.ch/SSL Fingerprint Blacklist ruleset (set to block) in IPS mode, the speed of SSL/TLS-encrypted sites drops below 100 Mbps (out of 450 Mbps).

Only encrypted traffic is affected (understandable, somehow, if you pay attention to the name of the ruleset). The tests I ran repeatedly, always leading to the same conclusion, are:

Test 1

Test 2
If it's not only me, then you should see a huge difference between HTTP test speeds and HTTPS test speeds, and likewise a huge difference between HTTPS test speeds measured with and without the ruleset enabled, if and only if your connection is > 200 Mbps.

It is barely noticeable, since most speed tests default to HTTP (unencrypted), so the speed test is unaffected by the ruleset, but all secured/encrypted HTTPS sites and apps are slow/sluggish when accessed from any end device.

Please, write here about your findings.
Title: Re: Call for testing a particular ruleset: abuse.ch/SSL Fingerprint Blacklist
Post by: dcol on March 22, 2018, 11:36:54 pm
Did both tests and saw negligible differences. I suppose the hardware, along with how many other rules you have enabled, would play a huge factor in the results. I ran the tests on an HP system with an i5-3540, an i340-T4, and 8GB of memory, with 10 ET rulesets enabled and 10 custom rules.

The only way to get an accurate comparison is to enable all the same rules that you use with similar hardware.

I don't use that SSL ruleset and use mostly custom rules for IDS/IPS. If you had a lot of rules enabled besides the one in the test, there could be a threshold point where your system cannot process that many rules without sacrificing some performance. My rule of thumb is: only use the rules you really need, for maximum performance.
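Two points in this thread call for the same check: the first post's observation that only encrypted traffic slows down, and the advice above that the number of enabled rules matters. A quick way to see both on your own box is to parse the installed Suricata rules file and count what is enabled per protocol and which detection keywords those rules use. The script below is an added example, not code from the thread, from OPNsense or from abuse.ch. Its sample rules are constructed and only follow the general shape of a Suricata `alert tls` rule keyed on a certificate fingerprint, which is assumed here to be how the abuse.ch SSL fingerprint rules look; the fingerprints, sids and messages are invented. If every enabled rule in a ruleset is a `tls` rule, Suricata only evaluates it against TLS flows, which is consistent with HTTP speed tests being unaffected.

```python
"""Summarise a Suricata rules file: rules per protocol, enabled vs disabled,
and which detection keywords the enabled rules use.

Added example, not code from the forum thread, OPNsense or abuse.ch.
"""
import re
from collections import Counter

# Constructed sample rules, NOT a real ruleset. A leading '#' is how a rule is
# disabled in a Suricata rules file. The "alert tls ... tls.fingerprint" shape
# is assumed to resemble the abuse.ch SSL fingerprint rules; values are invented.
SAMPLE_RULES = """\
# constructed sample, not real abuse.ch content
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"SSLBL: Malicious SSL certificate detected (Sample A)"; tls.fingerprint:"00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33"; reference:url,sslbl.abuse.ch; sid:900000001; rev:1;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"SSLBL: Malicious SSL certificate detected (Sample B)"; tls.fingerprint:"ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc"; reference:url,sslbl.abuse.ch; sid:900000002; rev:1;)
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"SSLBL: Malicious SSL certificate detected (Sample C, disabled)"; tls.fingerprint:"12:34:56:78:90:ab:cd:ef:12:34:56:78:90:ab:cd:ef:12:34:56:78"; reference:url,sslbl.abuse.ch; sid:900000003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE: suspicious user agent"; flow:established,to_server; http.user_agent; content:"sample-agent"; sid:900000010; rev:1;)
"""

# action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^(?P<disabled>#\s*)?(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+"
    r"\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*\((?P<opts>.*)\)\s*$"
)
# An option name is the token right after a ';' (or at the start) and before
# ':' or ';'. Matching only after ';' keeps text such as "SSLBL:" inside the
# msg value from being mistaken for a keyword. Quoted values that themselves
# contain ';' are not handled; that is enough for this sample.
OPTION_NAME_RE = re.compile(r"(?:^|;)\s*([A-Za-z_.]+)\s*(?=[:;])")
# Bookkeeping options that do not inspect traffic.
META_KEYWORDS = {"msg", "sid", "rev", "reference", "classtype", "metadata", "gid", "priority"}


def parse_rules(text):
    """Return one dict per rule line, including rules disabled with '#'."""
    rules = []
    for raw in text.splitlines():
        m = RULE_RE.match(raw.strip())
        if not m:
            continue  # blank line, plain comment, or a line we do not parse
        opts = m.group("opts")
        sid = re.search(r"\bsid:(\d+)", opts)
        rules.append({
            "enabled": m.group("disabled") is None,
            "action": m.group("action"),
            "proto": m.group("proto"),
            "sid": int(sid.group(1)) if sid else None,
            "keywords": OPTION_NAME_RE.findall(opts),
        })
    return rules


def summarize(rules):
    """Enabled/disabled rule counts per protocol and detection keyword usage."""
    enabled = Counter(r["proto"] for r in rules if r["enabled"])
    disabled = Counter(r["proto"] for r in rules if not r["enabled"])
    detection = Counter(
        k for r in rules if r["enabled"] for k in r["keywords"] if k not in META_KEYWORDS
    )
    return {
        "enabled": dict(enabled),
        "disabled": dict(disabled),
        "detection_keywords": dict(detection),
    }


def sids_using(rules, keyword):
    """Sorted sids of enabled rules that use the given option keyword."""
    return sorted(r["sid"] for r in rules if r["enabled"] and keyword in r["keywords"])


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    summary = summarize(parsed)
    for proto, n in sorted(summary["enabled"].items()):
        print(f"{proto}: {n} enabled rule(s), {summary['disabled'].get(proto, 0)} disabled")
    print("detection keywords in enabled rules:", summary["detection_keywords"])
    print("rules keyed on tls.fingerprint:", sids_using(parsed, "tls.fingerprint"))
```

To use it on a firewall, read the installed rules file into a string in place of SAMPLE_RULES (the path is not assumed here). The per-protocol count tells you which flows a ruleset can touch at all, and the total of enabled rules across all files is the number to watch when deciding whether a drop in throughput comes from one ruleset or from the overall rule load.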
Title: Re: Call for testing a particular ruleset: abuse.ch/SSL Fingerprint Blacklist
Post by: elektroinside on March 23, 2018, 06:21:59 am
This is mine with the rules enabled (and set to drop): http://www.dslreports.com/speedtest/31261479

I get way better results with HTTP, and, if nothing has changed, we have the same ISP and link (speed-wise). But this might be normal (?).