Intrusion Detection

Started by h.hammoud, July 28, 2017, 04:09:35 PM

Dears,

Recently I've installed OPNsense on my network, but what I'm facing is that when I enable the IPS the Internet speed becomes slow and pages open very slowly. Also, how can I enable or disable a whole category of rules on the IPS?

Thanks in advance for any help. 

IPS can be a big pressure on your hardware. What kind of hardware are you using?
And what internet speed do you have, and what do you get without IPS enabled?

The category question I can't answer.
Hobbyist at home, sysadmin at work. Sometimes the first is mixed with the second.

Hi Weust,

My hardware is a DELL R720 server, 16 GB RAM, two CPU Qudro, 100 GB SAS HDD. The speed returns to normal when I disable the IPS.

About the category: what I'm asking is that if I want to disable emerging-deleted.rules, I must either disable it rule by rule, or make a filter based on this category and disable the rule set by selecting all, but this takes a long time depending on the number of rules.

Thanks

I would expect the hardware to be fine. You did enable Hyperscan?

Disabling rule by rule is kinda annoying, indeed.
Hobbyist at home, sysadmin at work. Sometimes the first is mixed with the second.

Yes I've enabled the Hyperscan.

Happened to me also, but after changing to Aho-Corasick everything went back to normal.

Hi,
so is Aho-Corasick considered more efficient / better than Hyperscan?
Would be nice if someone could explain why.
Best regards,
Wayne

Hi,

I'd also like to know which algorithm to prefer / which one is more efficient. Probably it's an implementation problem, as Hyperscan is quite new (~1y) in OPNsense?

Sorry, I missed this.

AC is the Suricata default matcher. Hyperscan is a more recent library by Intel to speed up matching on most of its 64-bit architecture CPUs. Hyperscan is faster, yielding less CPU time and / or more throughput for IDS, but could be heavier on memory usage.


Cheers,
Franco
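Added example, not code from OPNsense, Suricata or any poster in this thread: a small Aho-Corasick multi-pattern matcher (the "AC" matcher Franco refers to) built from the `content:` strings of a handful of constructed Suricata-style rules, grouped by category file the way emerging-deleted.rules is. It shows two things the thread touches on: why an IDS compiles all rule contents into one automaton and scans each payload once instead of once per rule, and that "disable a whole category" amounts to leaving that category's file out of the compile step. The rule lines, sids, category names and payloads are all constructed for the demo.

```python
"""Toy Aho-Corasick matcher over constructed Suricata-style rules (example only)."""
from collections import deque
import re

# Constructed rule files. Only the 'content:' and 'sid:' keywords matter here;
# messages and sids are made up for this example.
RULE_FILES = {
    "emerging-deleted.rules": [
        'alert http any any -> any any (msg:"DEMO retired kit"; content:"/oldkit.php"; sid:9000001;)',
        'alert tcp any any -> any any (msg:"DEMO retired beacon"; content:"legacy-beacon"; sid:9000002;)',
    ],
    "emerging-web_server.rules": [
        'alert http any any -> any any (msg:"DEMO traversal"; content:"../../"; sid:9000003;)',
        'alert http any any -> any any (msg:"DEMO script tag"; content:"<script>"; sid:9000004;)',
        '# alert http any any -> any any (msg:"DEMO disabled"; content:"noop"; sid:9000005;)',
    ],
}

# Constructed payloads, keyed by a label used in the results.
SAMPLE_PAYLOADS = {
    "oldkit": b"GET /oldkit.php?x=1 HTTP/1.1\r\n",
    "traversal": b"GET /../../etc/passwd HTTP/1.1\r\n",
    "script": b"POST /search?q=<script>alert(1)</script> HTTP/1.1\r\n",
    "clean": b"GET /index.html HTTP/1.1\r\n",
}

CONTENT_RE = re.compile(r'content:"([^"]*)"')
SID_RE = re.compile(r"sid:(\d+)")


def load_rules(rule_files, disabled_categories=()):
    """Return (sid, pattern) pairs for every content keyword of every enabled rule.

    Skipping a whole file is the bulk 'disable this category' operation; a
    leading '#' disables a single rule, as in Suricata rule files."""
    patterns = []
    for fname, lines in rule_files.items():
        if fname in disabled_categories:
            continue
        for line in lines:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            sid = int(SID_RE.search(line).group(1))
            for content in CONTENT_RE.findall(line):
                patterns.append((sid, content.encode()))
    return patterns


class AhoCorasick:
    """Classic Aho-Corasick: a trie of all patterns plus failure links, so one
    left-to-right pass over the payload finds every pattern occurrence."""

    def __init__(self, patterns):
        self.goto = [{}]   # per node: byte -> child node
        self.out = [[]]    # per node: sids whose pattern ends here (incl. via failure links)
        self.fail = [0]    # per node: longest proper suffix that is also a trie prefix
        for sid, pat in patterns:
            node = 0
            for b in pat:
                if b not in self.goto[node]:
                    self.goto.append({})
                    self.out.append([])
                    self.fail.append(0)
                    self.goto[node][b] = len(self.goto) - 1
                node = self.goto[node][b]
            self.out[node].append(sid)
        # Breadth-first pass to fill failure links; depth-1 nodes fail to the root.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def search(self, data):
        """Return the set of sids whose content appears anywhere in data."""
        node, hits = 0, set()
        for b in data:
            while node and b not in self.goto[node]:
                node = self.fail[node]
            node = self.goto[node].get(b, 0)
            hits.update(self.out[node])
        return hits


def scan(payloads, disabled_categories=()):
    """Compile the enabled rules once, then scan every payload with that automaton."""
    matcher = AhoCorasick(load_rules(RULE_FILES, disabled_categories))
    return {name: sorted(matcher.search(p)) for name, p in payloads.items()}


if __name__ == "__main__":
    print("all categories:", scan(SAMPLE_PAYLOADS))
    print("deleted disabled:", scan(SAMPLE_PAYLOADS, ("emerging-deleted.rules",)))
```

The automaton is built once per rule set change and reused for every packet, which is why the matcher choice (AC versus Hyperscan) affects both memory at load time and CPU per packet: a Hyperscan database is a compiled, vectorised form of the same idea, while this toy does the state walk byte by byte in Python. In Suricata proper the matcher is selected by the `mpm-algo` setting in suricata.yaml (`ac` or `hs` among others); OPNsense exposes that choice through its own IDS settings page.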