Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Intrusion Detection and Prevention
»
Samba (smb) with slow speeds because of Suricata
« previous
next »
Print
Pages: [
1
]
Author
Topic: Samba (smb) with slow speeds because of Suricata (Read 2926 times)
Tugdualenligne
Newbie
Posts: 13
Karma: 0
Samba (smb) with slow speeds because of Suricata
«
on:
May 10, 2020, 01:12:41 pm »
Everything is in the subject of this message.
Can someone please explain how to protect Samba (port 445 TCP) with Suricata, while not slowing too much the network speeds? What rules do you activate / deactivate? My network is 100% Linux and MacOsx with Gb interfaces and switches, which deliver great speeds when Suricata is off.
Suricata IDS/IPS are active on LAN, WLAN and DMZ interfaces, working great but slowing in particular SMB flows. Rest of traffic do not appear to slow down, or, at least, this is not noticeable.
Many thanks in advance
Logged
dave
Jr. Member
Posts: 74
Karma: 5
Re: Samba (smb) with slow speeds because of Suricata
«
Reply #1 on:
May 10, 2020, 05:15:22 pm »
Someone with a deeper understanding of this may be able to provide a better answer, but in short I suspect it's because SMB traffic isn't encrypted by default, meaning Suricata can run DPI on it, hence the slowdown.
You're not seeing a similar slowdown in throughput elsewhere because Suricata's not touching most of you network traffic, which is likely encrypted (especially web traffic).
For packages such as Snort and Suricata to work properly you need to implement SSL inspection, which is essentially a man-in-the-middle attack.
For example, one of your endpoints (Mac, Linux, whatever) tries to contact an HTTPS site:
- NAT intercepts this request and routes it in to Squid.
- Using a cert authority you configure within opnsense Squid creates two encrypted sessions: one between itself and the endpoint; the other between itself and the site.
- Squid is now sat-in-the-middle, with unencrypted traffic flowing through it, providing a window during which Suricata can inspect traffic.
This is CPU intense stuff, so I believe you can expect a reduction in throughput.
If you have SSL inspection set up, you're probably not seeing the same degree of slowdown because Suricata's not having to churn through similar sized files in other network traffic.
Just a guess.
«
Last Edit: May 10, 2020, 05:29:00 pm by dave
»
Logged
Tugdualenligne
Newbie
Posts: 13
Karma: 0
Re: Samba (smb) with slow speeds because of Suricata
«
Reply #2 on:
May 10, 2020, 11:38:51 pm »
Thanks for your response.
That might not be my ideal solution (i.e. encrypting smb traffic internally), but I’ll look into it
Any other idea gents?
Logged
JasMan
Full Member
Posts: 175
Karma: 9
Re: Samba (smb) with slow speeds because of Suricata
«
Reply #3 on:
June 07, 2020, 02:14:00 pm »
Hey,
Same issue here.
I've opened a new thread:
https://forum.opnsense.org/index.php?topic=17572.0
Not exactly what you are searching for, but maybe it's helpful for you too.
Jas
Logged
Duck, Duck, Duck, Duck, Duck, Duck, Duck, Duck, Goose
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Intrusion Detection and Prevention
»
Samba (smb) with slow speeds because of Suricata