Suricata IPS 10Gbps

[dcol]

I have a mix of 10GBs, 25Gbs, and 40Gbs NICs. I use Intel X710-DA2 for the LAN interface in the OPNsense firewall. Servers have XVV710, X710, and Chelsio T580. All work fine with IDS.

[mimugmail]

Never heard of IPS with more than 4G throughput

[Supermule]

Its not that hard...

We run that everyday and has for 3+ yrs. :)

It just takes serious hardware.

[mimugmail]

Its not that hard...

We run that everyday and has for 3+ yrs. :)

It just takes serious hardware.

Which specs? Screenshot or it didnt happen ;)

[seed]

Same thing here (guenti_r):

For example, for an "High-Performance-Setup" we using OPNSense in an virtualized HA-Stack (Proxmox).
Search for CPU´s with high clock rate.
Some "standard"-Blades with modern Xeon´s or AMD Epyc should be enough for Suricata  ;)

Example above, 2 OPNSense in HA with Suricata (with a lot! of rules), average 20 TB mixed traffic per day, the CPU idles around 2-4%.

Screenshot or it didnt happen. Show some benchmark results with Suricata in IPS mode with 10Gbps throughput instead of talking around it.

[Supermule]

Really annoying that I cant post snips here.... with CTRL+V.

Makes it alot easier.

16CORE XEON 3.00 gHz running "the other sense".

Same thing here (guenti_r):

For example, for an "High-Performance-Setup" we using OPNSense in an virtualized HA-Stack (Proxmox).
Search for CPU´s with high clock rate.
Some "standard"-Blades with modern Xeon´s or AMD Epyc should be enough for Suricata  ;)

Example above, 2 OPNSense in HA with Suricata (with a lot! of rules), average 20 TB mixed traffic per day, the CPU idles around 2-4%.

Screenshot or it didnt happen. Show some benchmark results with Suricata in IPS mode with 10Gbps throughput instead of talking around it.

[mimugmail]

Really annoying that I cant post snips here.... with CTRL+V.

Makes it alot easier.

16CORE XEON 3.00 gHz running "the other sense".

Same thing here (guenti_r):

For example, for an "High-Performance-Setup" we using OPNSense in an virtualized HA-Stack (Proxmox).
Search for CPU´s with high clock rate.
Some "standard"-Blades with modern Xeon´s or AMD Epyc should be enough for Suricata  ;)

Example above, 2 OPNSense in HA with Suricata (with a lot! of rules), average 20 TB mixed traffic per day, the CPU idles around 2-4%.

Screenshot or it didnt happen. Show some benchmark results with Suricata in IPS mode with 10Gbps throughput instead of talking around it.

Hm, in my Tests I had a more powerful machine. Sure its IPS or not IDS?

[guenti_r]

Hm, in my Tests I had a more powerful machine. Sure its IPS or not IDS?

Baremetal or virtualized?
Edit: IPS

[guenti_r]

Screenshot or it didnt happen. Show some benchmark results with Suricata in IPS mode with 10Gbps throughput instead of talking around it.

Not a very nice language  :(
Maybe this helps:
https://suricata.readthedocs.io/en/latest/performance/high-performance-config.html

[seed]

Instead of simply showing benchmarks to prove that your setup can handle 10Gbps of throughput with Suricata, you're avoiding the questions. I wasn't sure at first, but now I am, that you are just a troll. Prove your statements or don't participate in this discussion.

[seed]

As it seems, no one on the forum can verifiably report running a setup with 10Gbps IPS throughput.

10gbps IPS is probably still left to FPGA systems.
Hopefully there will be OPNsense hardware with IPS accelerators available for purchase in the future. That would be cool. Would solve some scaling problems. Until then, I guess it will remain the boring IDS operation in the datacenter area.

[mimugmail]

The usual problem with a generic x86 OS and open source :)

[seed]

With all the CVEs of the commercial providers, I prefer to stay with open source. The last years in which I have used OPNsense I have found mostly positive and therefore see no reason to use another firewall.

I had thought of accelerator cards from napatech. I have not tested them yet. Napatech advertises them with lossless wirespeed e.g. NT100A01 SmartNIC.

However, there is not a single test report on the cards. The Internet is generally quite empty on such Smartnics that can accelerate suricata. As a private person, you can't get the cards at all. So not a suitable toy for consumers who run a homelab or have part of their own hardware in a colo.

[dcol]

I will supply screenshots of 10Gbs NICs throughput with IPS if you tell me what to use to generate the info you want.

[seed]

Please test with iperf3 so that we get an approximate impression of the performance.

TCP and UDP.
The traffic must be routed through the OPNsense.

Please tell us which interface you are routing through (physical/VLAN), if you are using NAT and on which interface Suricata is running. Also the number of loaded rules.

Also what hardware: CPU, RAM (size and speed), motherboard, Nics.... would help us.

Beside the Iperf screenshots please take a screenshot during the test of top: "top -aSHIP" so we can see the CPU load during the test. Please also screeshots of your Suricata settings.

I am very curious to see the results.