OPNsense Forum » Archive » 17.1 Legacy Series » IDS/IPS drop of internet speed
Topic: IDS/IPS drop of internet speed (Read 61107 times)
franco (Administrator), Reply #15 on: May 31, 2017, 12:24:13 pm
Snort in the scope of FreeBSD only blocks by reading the offending IPs from the log and adding them to the firewall block table. This is a delayed, asynchronous process.
For Snort in general, e.g. on Linux, proper inline modes exist.
Cheers,
Franco
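The difference between log-driven blocking and inline mode described in the reply above, as an added simulation that is not part of the original thread. The packets, addresses, `SIGNATURE` marker and poll intervals are constructed assumptions; it models only the timing, not Snort or the firewall itself.

```python
# Added illustration; traffic and names below are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    t: float        # arrival time, seconds
    src: str
    payload: bytes

SIGNATURE = b"EVIL"  # stand-in for a rule match

def matches(pkt):
    return SIGNATURE in pkt.payload

def inline_mode(packets):
    """Verdict is taken in the forwarding path, before delivery."""
    return [p for p in packets if not matches(p)]

def log_driven_mode(packets, poll_interval):
    """Detector only logs; a poller moves alerted IPs into the block table."""
    block_table, alert_log, delivered = set(), [], []
    next_poll = poll_interval
    for p in sorted(packets, key=lambda p: p.t):
        while next_poll <= p.t:          # polls that ran before this packet
            block_table.update(alert_log)
            alert_log.clear()
            next_poll += poll_interval
        if p.src in block_table:
            continue                     # firewall drops by source address
        delivered.append(p)              # forwarded whatever its content
        if matches(p):
            alert_log.append(p.src)
    return delivered

def leaked(delivered):
    """Number of signature-matching packets that reached the destination."""
    return sum(1 for p in delivered if matches(p))

BAD, GOOD = "203.0.113.7", "198.51.100.5"   # documentation address ranges
TRAFFIC = [
    Packet(0.10, BAD, b"EVIL 1"), Packet(0.15, GOOD, b"hello"),
    Packet(0.20, BAD, b"EVIL 2"), Packet(0.30, BAD, b"EVIL 3"),
    Packet(1.20, GOOD, b"hello"), Packet(1.40, BAD, b"EVIL 4"),
    Packet(1.50, BAD, b"harmless"),
]

if __name__ == "__main__":
    print("inline:", leaked(inline_mode(TRAFFIC)))
    print("log-driven, 1 s poll:", leaked(log_driven_mode(TRAFFIC, 1.0)))
    print("log-driven, 0.25 s poll:", leaked(log_driven_mode(TRAFFIC, 0.25)))
```

In the log-driven runs every matching packet that arrives before the next poll is delivered, and once the source is in the block table its later non-matching traffic is dropped as well, which inline mode would have passed.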
opnsense-user123, Reply #16 on: January 03, 2018, 11:50:44 am
Wow... I just experienced this also. I was running pfSense on a virtual machine in Proxmox allocated 2 vCPUs on an older E3-1230 (v1 or v2, not sure) with not much other CPU use from other VMs. I bought this same PC Engines box which was sold with pfSense on it, but I switched it over to OPNsense (17.7.x) and have been setting up my network.
My over 200 Mbps cable modem download speed has slowed to about 10 Mbps with Suricata running some (I have no idea how many) rules, but I was somewhat selective in which I chose, not just all of them I could find. I also run country blocker.
I'm surprised how much slower it is than my old setup and hope to find some more help to optimise it.
(edit, here are the categories running)
abuse.ch/SSL Fingerprint Blacklist
ET open/emerging-exploit
ET open/emerging-malware
Snort VRT/attack-responses
Snort VRT/backdoor
Snort VRT/bad-traffic
Snort VRT/blacklist
Snort VRT/botnet-cnc
Snort VRT/browser-chrome
Snort VRT/browser-firefox
Snort VRT/ddos
Snort VRT/dos
Snort VRT/exploit
Snort VRT/exploit-kit
Snort VRT/malware-backdoor
Snort VRT/scan
Snort VRT/server-apache
Last Edit: January 03, 2018, 12:01:09 pm by opnsense-user123