
Messages - leo1d

1
21.7 Legacy Series / Re: 21.7.1 - GUI performance now slow to populate in Intrusion Detection area
« on: August 12, 2021, 10:19:34 pm »
Quote from: errored out on August 11, 2021, 07:54:34 pm
Great leo1d. After you posted this, I decided to check on mine. Have the same issue. I'm going to use your method and see what happens. I don't modify that many rules, so I'll see the areas you pointed out.

Ok, I was able to get my performance back 100%.

I think the issue was with the Non-Free/PT Research and Snort-VRT rule sets.   I'm only using the abuse.ch and ET telemetry rules.  I can create policies, no issues.

What worked for me:
Services -> Intrusion Detection -> Administration -> Download tab -- disabled everything, saved, download & update rules so no rules

Once I did this, performance in the intrusion detection area was great again.

Other changes, as I noticed issues with rule sets actually downloading (no date showing after download):
Removed Non-Free/PT Research plugin and ruleset
Removed snort-vrt ruleset plugin and ruleset - I generated a new code and still no luck getting this to work
Download & update rules
Prior to removing these two rule sets, the administration -> rules tab was not showing any rules at all, even though I could see them enabled and downloaded in the download tab.

What I haven't fixed, but not causing a problem
Services -> Intrusion Detection -> Policy -> Policies tab.  I can still select rules that have been removed, i.e. the ET telemetry rules that I removed.  They don't show up in the downloads tab, but they still appear as an option in the policies tab.

2
21.7 Legacy Series / Re: 21.7.1 - GUI performance now slow to populate in Intrusion Detection area
« on: August 10, 2021, 10:14:10 pm »
Quote from: franco on August 10, 2021, 07:34:36 pm
Did you manage a lot of rules individually previously? config.xml might simply be quite large due to this.


Cheers,
Franco

Thank you and I found something.

I used to have a lot of manual rule adjustments. I deleted all but 16 rule adjustments and set up 7 policies to replace most of the manual rule adjustments when the policies feature was added in whatever version.

What I found:

Even with the intrusion services disabled, once I deleted my 7 policies under Intrusion Detection -> Policy -> Policies, the performance greatly improved right away. The GUI refresh time dropped from 22 seconds to 4 seconds. Maybe how I created the policies was jacked up?

This is good for me now and I'll tweak these and play with the policies and I'm going to re-do all my rule downloads and such.

3
21.7 Legacy Series / Re: 21.7.1 - GUI performance now slow to populate in Intrusion Detection area
« on: August 10, 2021, 05:16:39 pm »
Memory utilization is low, typically less than 15%. 

I'm accessing the device via local LAN IP address, hardwired on the same switch.

Any other suggestions, please throw them my way.

Some tweaks:
Reinstalled suricata (system -> firmware -> packages), no effect.

I disabled Suricata (intrusion detection service) and it's still slow only in the intrusion detection section.   

I turned on the RAM disk settings (system -> settings -> miscellaneous), no effect, RAM utilization is still less than 20%.

Troubleshooting I'll attempt:
I'll try stripping back intrusion detection settings, I have the Snort-vrt and pt-open plugins installed, I'll remove/disable all the rule sets so nothing is enabled and more default settings.   This will take me a bit, so anyone on the edge of the seat for this, sorry to make you wait.

If this fails, I'll roll back to a backup config about 2 weeks ago where I know I wasn't having any issues.

If this also fails, I'll default the firewall.

And finally, if all else fails, I'll get a new ssd and re-install.  Kind of want to avoid this, but practice makes perfect right?

4
21.7 Legacy Series / 21.7.1 - GUI performance now slow to populate in Intrusion Detection area
« on: August 10, 2021, 04:12:41 am »
I noticed much slower performance in the GUI of the Services -> Intrusion Detection section since I upgraded to 21.7.1.  Possibly 21.7, as I don't check the router every day and I have it check/auto updates daily.

Where I'm having issues:

If I click on Services -> Intrusion Detection -> Administration, the "Settings" tab would previously load in a second; this now takes a full 16 seconds to populate the settings.

If I go to Intrusion Detection -> "Policy" section, the "Policies" tab takes around 22 seconds to populate, where previously it would load in 1-2 seconds. 

Some info:
Every other section loads very quickly as expected.
CPU usage is typically 1-3% usage, memory usage under 15% and tested with basically no network traffic going on. 
Smart status on drive says ok.
I have rebooted my router with no luck. 
I have 16 manual rule adjustments in the Policy -> "Rule adjustments" section, so I don't think this should be an issue considering how low resource usage is.

I didn't see anyone post anything similar and I'm not sure how to isolate/troubleshoot this, so any tips are appreciated.

Screen shots:  https://imgur.com/a/6atgixW
