OPNsense Forum » English Forums » Intrusion Detection and Prevention
Topic: Call for testing a particular ruleset: abuse.ch/SSL Fingerprint Blacklist (Read 4737 times)
Ciprian (Sr. Member, Posts: 284, Karma: 50)
Call for testing a particular ruleset: abuse.ch/SSL Fingerprint Blacklist
« on: March 21, 2018, 12:53:05 pm »
When I enable blocking for the abuse.ch/SSL Fingerprint Blacklist ruleset in IPS mode, the speed of SSL/TLS encrypted sites drops below 100 Mbps (out of 450 Mbps).
Only encrypted traffic is affected (understandable, somehow, if you pay attention to the name of the ruleset). The tests I made repeatedly, all leading to the same conclusion for me, are:
Test 1
1. Enable IPS, and enable blocking for abuse.ch/SSL Fingerprint Blacklist.
2. Access http://www.dslreports.com/speedtest/ and perform a test.
3. Access https://www.dslreports.com/speedtest/ and perform a test. (Click on "use https" in the test frame of the page.)
4. Compare the results.
Test 2
1. Enable IPS, and enable blocking for abuse.ch/SSL Fingerprint Blacklist.
2. Access https://testmy.net/ and perform a test.
3. Disable abuse.ch/SSL Fingerprint Blacklist.
4. Repeat the speed test at https://testmy.net/
5. Compare the results.
If it's not only me, then you should see a huge difference between the http test speed and the https test speed, and respectively a huge difference between the https test speed performed with and without the ruleset enabled, if and only if your connection is > 200 Mbps.
It is barely noticeable, since most speed tests default to http (unencrypted) so that the speed test is unaffected by the ruleset, but all the secured/encrypted https sites/apps are slow/sluggish when accessed from any end device.
Please, write here about your findings.
Logged
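The manual procedure above (measure over http, measure over https, repeat with the ruleset on and off, compare) can be made repeatable with a small script. The following is an added example, not code from the thread or from OPNsense; it assumes a large file that the test host can fetch over both plain http and https (the URLs below are placeholders to replace), downloads a bounded amount from each, converts bytes and elapsed time into Mbps, and then classifies the four measurements the way the post describes. The analysis part works on plain numbers and needs no network, and it follows the post's observation that the comparison is only meaningful on links faster than 200 Mbps.

```python
"""Added example (not from the forum thread): repeatable http-vs-https
throughput comparison for spotting an IPS ruleset that slows TLS traffic.

Assumptions not stated in the thread: the same payload is reachable over
http and https; the URLs below are placeholders. Run once with the ruleset
disabled and once with it enabled, then feed the numbers to summarize().
"""
import time
import urllib.request

# Placeholder URLs (constructed): point both at a large file you control.
HTTP_URL = "http://example.invalid/100MB.bin"
HTTPS_URL = "https://example.invalid/100MB.bin"


def throughput_mbps(n_bytes, seconds):
    """Convert a byte count and elapsed seconds into megabits per second."""
    if seconds <= 0:
        raise ValueError("elapsed time must be positive")
    return n_bytes * 8 / seconds / 1_000_000


def measure(url, chunk=1 << 16, max_bytes=50 * 1024 * 1024):
    """Download up to max_bytes from url; return (bytes_received, seconds).

    Reading in chunks keeps memory flat and lets the time reflect the
    network, not the size of a single read.
    """
    start = time.monotonic()
    total = 0
    with urllib.request.urlopen(url, timeout=30) as resp:
        while total < max_bytes:
            data = resp.read(chunk)
            if not data:
                break
            total += len(data)
    return total, time.monotonic() - start


def degradation(baseline_mbps, test_mbps):
    """Fraction of throughput lost relative to the baseline (0.0 = no loss)."""
    if baseline_mbps <= 0:
        raise ValueError("baseline throughput must be positive")
    return 1.0 - test_mbps / baseline_mbps


def summarize(results, link_mbps, min_link_mbps=200, threshold=0.25):
    """Classify four measurements (Mbps) given as a dict with keys
    'http_off', 'https_off', 'http_on', 'https_on' ('on' = ruleset enabled).

    Returns the pairwise degradation ratios plus a verdict string. A drop
    larger than `threshold` on https but not on http points at TLS-specific
    inspection cost rather than a generally overloaded IPS.
    """
    out = {
        "https_vs_http_on": degradation(results["http_on"], results["https_on"]),
        "https_on_vs_off": degradation(results["https_off"], results["https_on"]),
        "http_on_vs_off": degradation(results["http_off"], results["http_on"]),
    }
    if link_mbps <= min_link_mbps:
        out["verdict"] = "inconclusive: link too slow to expose the effect"
    elif out["https_on_vs_off"] > threshold and out["http_on_vs_off"] <= threshold:
        out["verdict"] = "tls-specific slowdown"
    elif out["https_on_vs_off"] > threshold:
        out["verdict"] = "general slowdown"
    else:
        out["verdict"] = "no significant slowdown"
    return out


if __name__ == "__main__":
    # One pass: run with the ruleset disabled, record, then again enabled.
    for label, url in (("http", HTTP_URL), ("https", HTTPS_URL)):
        n, secs = measure(url)
        print(f"{label}: {throughput_mbps(n, secs):.1f} Mbps ({n} bytes in {secs:.2f}s)")
```

The classifier is deliberately separate from the downloader so that numbers taken from a browser speed test (as in the thread) can be fed to `summarize()` as well; the 25% threshold and the 200 Mbps floor are parameters, not measured facts.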
dcol (Hero Member, Posts: 635, Karma: 51)
Re: Call for testing a particular ruleset: abuse.ch/SSL Fingerprint Blacklist
« Reply #1 on: March 22, 2018, 11:36:54 pm »
Did both tests and saw negligible differences. I suppose the hardware, along with how many other rules you have enabled, would play a huge factor in the results. I ran the tests on an HP system with an i5-3540, i340-T4, and 8GB memory with 10 ET rulesets enabled and 10 custom rules.
The only way to get an accurate comparison is to enable all the same rules that you use with similar hardware.
I don't use that SSL ruleset and use mostly custom rules for IDS/IPS. If you had a lot of rules enabled besides the one in the test there could be a threshold point where your system cannot process that many rules without sacrificing some performance. My rule of thumb is, only use the rules you really need for maximum performance.
Logged
elektroinside (Hero Member, Posts: 574, Karma: 51)
Re: Call for testing a particular ruleset: abuse.ch/SSL Fingerprint Blacklist
« Reply #2 on: March 23, 2018, 06:21:59 am »
This is mine with the rules enabled (and set to drop):
http://www.dslreports.com/speedtest/31261479
I get way better results with HTTP, and if nothing changed, we have the same ISP and link (speed-wise). But this might be normal (?).
« Last Edit: March 23, 2018, 06:31:40 am by elektroinside »
Logged
OPNsense v18 | HW: Gigabyte Z370N-WIFI, i3-8100, 8GB RAM, 60GB SSD | Controllers: 82575GB-quad, 82574, I221, I219-V | PPPoE: RDS Romania | Down: 980Mbit/s | Up: 500Mbit/s
Team Rebellion Member