21.7.1 - GUI performance now slow to populate in Intrusion Detection area

Started by leo1d, August 10, 2021, 04:12:41 AM

I noticed much slower performance in the GUI of the Services -> Intrusion Detection section since I upgraded to 21.7.1. Possibly 21.7, as I don't check the router every day and I have it check for/auto-apply updates daily.

Where I'm having issues:

If I click on Services -> Intrusion Detection -> Administration, the "Settings" tab, which would previously load in a second, now takes a full 16 seconds to populate the settings.

If I go to the Intrusion Detection -> "Policy" section, the "Policies" tab takes around 22 seconds to populate, where previously it would load in 1-2 seconds.

Some info:
Every other section loads very quickly as expected.
CPU usage is typically 1-3%, memory usage under 15%, and tested with basically no network traffic going on.
Smart status on drive says ok.
I have rebooted my router with no luck.
I have 16 manual rule adjustments in the Policy -> "Rule adjustments" section, so I don't think this should be an issue considering how low resource usage is.

I didn't see anyone post anything similar and I'm not sure how to isolate/troubleshoot this, so any tips are appreciated.

Screenshots: https://imgur.com/a/6atgixW

What is your memory utilization like? I'm thinking the amount of rules you have loaded could be causing the problem where the memory may be over utilized.

Are you accessing the OPNsense via hostname? A 15-second delay sounds like resolver failure, maybe because of defunct IPv6...


Cheers,
Franco

Memory utilization is low, typically less than 15%.

I'm accessing the device via local LAN IP address, hardwired on the same switch.

Any other suggestions, please throw them my way.

Some tweaks:
Reinstalled suricata (system -> firmware -> packages), no effect.

I disabled Suricata (intrusion detection service) and it's still slow only in the intrusion detection section.

I turned on the RAM disk settings (system -> settings -> miscellaneous), no effect, RAM utilization is still less than 20%.

Troubleshooting I'll attempt:
I'll try stripping back intrusion detection settings. I have the Snort-VRT and PT-open plugins installed; I'll remove/disable all the rule sets so nothing is enabled and go back to more default settings. This will take me a bit, so anyone on the edge of their seat for this, sorry to make you wait.

If this fails, I'll roll back to a backup config about 2 weeks ago where I know I wasn't having any issues.

If this also fails, I'll default the firewall.

And finally, if all else fails, I'll get a new SSD and reinstall. Kind of want to avoid this, but practice makes perfect, right?

Did you manage a lot of rules individually previously? config.xml might simply be quite large due to this.


Cheers,
Franco
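Franco's hint above is that config.xml itself may have grown large from many individually managed rules. The following is an added example, not code from this thread or from the OPNsense project: it reads a config.xml, reports its size, and counts the IDS rule adjustments and policies stored in it, so a slow Intrusion Detection page can be tied to the number of entries the GUI has to render. The file location (/conf/config.xml) and the element paths under OPNsense/IDS (rules/rule, policies/policy, enabled) are assumptions based on the thread's wording; compare them against your own config.xml before trusting the counts. The embedded sample config is constructed for the demonstration.

```python
"""Constructed example: size up an OPNsense config.xml and count the IDS
entries (rule adjustments, policies) that the thread suspects of bloating it.
The element names under <OPNsense><IDS> are assumptions taken from the
thread's wording; adjust them to match what your own config.xml contains."""
import os
import xml.etree.ElementTree as ET

# Assumed location of the live config on an OPNsense box.
CONFIG_PATH = "/conf/config.xml"

# Constructed sample config: 3 rule adjustments and 2 policies (1 enabled).
# The SIDs are placeholders from the local-rule range, not real ruleset SIDs.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <OPNsense>
    <IDS>
      <rules>
        <rule uuid="a1"><sid>1000001</sid><enabled>0</enabled><action>alert</action></rule>
        <rule uuid="a2"><sid>1000002</sid><enabled>1</enabled><action>drop</action></rule>
        <rule uuid="a3"><sid>1000003</sid><enabled>1</enabled><action>alert</action></rule>
      </rules>
      <policies>
        <policy uuid="p1"><enabled>1</enabled><description>drop malware rules</description><action>drop</action></policy>
        <policy uuid="p2"><enabled>0</enabled><description>old policy</description><action>alert</action></policy>
      </policies>
    </IDS>
  </OPNsense>
</opnsense>
"""


def summarize_ids_config(xml_text):
    """Return the byte size of the XML plus counts of IDS rule adjustments
    and policies, so a large config can be tied to what is filling it."""
    root = ET.fromstring(xml_text)
    summary = {
        "bytes": len(xml_text.encode("utf-8")),
        "rule_adjustments": 0,
        "policies": 0,
        "enabled_policies": 0,
    }
    # Assumed path: MVC plugin settings live under <OPNsense>, IDS under <IDS>.
    ids = root.find("./OPNsense/IDS")
    if ids is None:
        return summary
    rules = ids.findall("./rules/rule")
    policies = ids.findall("./policies/policy")
    summary["rule_adjustments"] = len(rules)
    summary["policies"] = len(policies)
    summary["enabled_policies"] = sum(
        1 for p in policies if (p.findtext("enabled") or "0").strip() == "1"
    )
    return summary


def summarize_file(path=CONFIG_PATH):
    """Summarize a config.xml on disk (run this on the firewall itself)."""
    with open(path, encoding="utf-8") as fh:
        return summarize_ids_config(fh.read())


if __name__ == "__main__":
    # Use the real config when present, otherwise the constructed sample.
    if os.path.exists(CONFIG_PATH):
        result = summarize_file(CONFIG_PATH)
    else:
        result = summarize_ids_config(SAMPLE_CONFIG)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the firewall, the byte count alone tells you whether config.xml is unusually large; the per-section counts show whether the IDS rule adjustments or policies are what is filling it, which is the question Franco raises.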

Quote from: franco on August 10, 2021, 07:34:36 PM
Did you manage a lot of rules individually previously? config.xml might simply be quite large due to this.


Cheers,
Franco

Thank you and I found something.

I used to have a lot of manual rule adjustments. I deleted all but 16 rule adjustments and set up 7 policies to replace most of the manual rule adjustments when the policies feature was added in whatever version.

What I found:

Even with the intrusion services disabled, once I deleted my 7 policies under Intrusion Detection -> Policy -> Policies, the performance greatly improved right away. The GUI refresh time dropped from 22 seconds to 4 seconds. Maybe how I created the policies was jacked up?

This is good for me for now; I'll tweak these and play with the policies, and I'm going to redo all my rule downloads and such.

Good news. I'm not entirely sure why the policies slow this down, but if you can pin this to a particular policy please let us know.


Cheers,
Franco

Great leo1d. After you posted this, I decided to check on mine. Have the same issue. I'm going to use your method and see what happens. I don't modify that many rules, so I'll look at the areas you pointed out.

Quote from: errored out on August 11, 2021, 07:54:34 PM
Great leo1d. After you posted this, I decided to check on mine. Have the same issue. I'm going to use your method and see what happens. I don't modify that many rules, so I'll look at the areas you pointed out.

Ok, I was able to get my performance back 100%.

I think the issue was with the Non-Free/PT Research and Snort-VRT rule sets. I'm only using the abuse.ch and ET telemetry rules. I can create policies, no issues.

What worked for me:
Services -> Intrusion Detection -> Administration -> Download tab: disabled everything, saved, then ran download & update rules so no rules were loaded.

Once I did this, performance in the intrusion detection area was great again.

Other changes, as I noticed issues with rule sets actually downloading (no date showing after download):
Removed the Non-Free/PT Research plugin and ruleset.
Removed the Snort-VRT ruleset plugin and ruleset. I generated a new code and still had no luck getting this to work.
Download & update rules.
Prior to removing these two rule sets, the administration -> rules tab was not showing any rules at all, even though I could see them enabled and downloaded in the download tab.

What I haven't fixed, but isn't causing a problem:
Services -> Intrusion Detection -> Policy -> Policies tab.  I can still select rules that have been removed, i.e. the ET telemetry rules that I removed.  They don't show up in the downloads tab, but they still appear as an option in the policies tab.