SMB connection speed very slow after turning on suricata

ToFu · July 02, 2021, 09:28:17 AM

Hello everybody,

last days i configured my data share via smb.
Goal was that my AplleTV can get data from another vlan.
It needed almost a minute to show the index of the smb share, another one for the next subdir and so on ...

The only way to solve was to turn off suricata for this vlans.
No log alerts or anything else.

Do anyone know about this?

Thanks in advance

franco · July 02, 2021, 09:31:33 AM

I assume you mean IPS mode? Suricata has an SMB decoder and such things can be slow...

Cheers,
Franco

ToFu · July 02, 2021, 09:44:51 AM

Yes IPS. :)

franco · July 02, 2021, 09:49:12 AM

I am not sure if SMB decoder can be disabled, but it would likely improve your speed if you don't particularly need it.

We do provide an override file for the suricata.yaml to take care of this.

Cheers,
Franco

ToFu · July 02, 2021, 10:01:35 AM

Where can i find this file?

I have only found /usr/local/etc/suricata/custom.yaml.

But this seems not to be the right file.

franco · July 02, 2021, 10:21:37 AM

Why not?

Cheers,
Franco

ToFu · July 02, 2021, 10:24:27 AM

I thought that was just an extension for the config. Not overriding :)

Thanks for your reply.

franco · July 02, 2021, 12:13:24 PM

Well, it is an extension which can be used to override individual settings... :)

Cheers,
Franco

SMB connection speed very slow after turning on suricata

ToFu

July 02, 2021, 09:28:17 AM

franco

July 02, 2021, 09:31:33 AM #1

ToFu

July 02, 2021, 09:44:51 AM #2

franco

July 02, 2021, 09:49:12 AM #3

ToFu

July 02, 2021, 10:01:35 AM #4

franco

July 02, 2021, 10:21:37 AM #5

ToFu

July 02, 2021, 10:24:27 AM #6

franco

July 02, 2021, 12:13:24 PM #7