IPS/IDS Performance Problem

Started by runo10, October 25, 2025, 03:12:57 AM

October 25, 2025, 03:12:57 AM Last Edit: October 25, 2025, 03:22:35 AM by runo10
Hello everyone,

I have an E3-1240 v2 as CPU on my firewall server. Intel 1 Gbit NICs.

I get a 30 Mbit attack with 60k pps, and CPU usage is 60%. I wasn't expecting this much CPU usage with this bandwidth. I tried Hyperscan; it is better, but not much change.

I have enabled many rules on IDS/IPS. Can that cause this much of a problem? Or is this hardware not enough for 500 Mbit IPS/IDS handling with one CPU?

I use OPNsense as a transparent bridge.

There are 170k rules, by the way.

Well, the E3-1240 v2 is a pretty good analog to the Deciso DEC2600/2700 (somewhere in there), which are quoted at 50kpps/85kpps and 500Mb/1Gb respectively. So 60% CPU doesn't sound too bad, especially for a 13 year old mid-range platform. It's the packet rate that kills you - bandwidth is much easier to handle. I wouldn't expect the large number of rules to be an issue (although I'd question what you are attempting to address with 170k of them), but others here would have more experience with that.

How even (across cores) is that CPU utilization?

Quote from: pfry on October 25, 2025, 03:48:46 AM
Well, the E3-1240 v2 is a pretty good analog to the Deciso DEC2600/2700 (somewhere in there), which are quoted at 50kpps/85kpps and 500Mb/1Gb respectively. So 60% CPU doesn't sound too bad, especially for a 13 year old mid-range platform. It's the packet rate that kills you - bandwidth is much easier to handle. I wouldn't expect the large number of rules to be an issue (although I'd question what you are attempting to address with 170k of them), but others here would have more experience with that.

How even (across cores) is that CPU utilization?

Thank you for the answer.

I couldn't find a setting for Suricata core usage.

Actually these are the default rulesets that are available on the download page. I selected most of them.

I tried many configs, and in the end I lowered maximum states and maximum table entry counts to 1M. Now CPU usage is between 13% and 20%. And Gemini suggests disabling flow control.

I am a virtual machine service provider (VDS/VPS). There may be big attacks, I am not sure, but I want to handle 2-3 Gbit attacks. I think this is a small attack at 60k pps and 30 Mbit, or can we say that is a good-sized attack too? If I think linearly, it will handle 300k pps and 150 Mbit with one CPU. Will it be okay for attacks? Will 1M maximum states and 1M table entries be okay for 300k pps?


Quote from: runo10 on October 25, 2025, 06:08:10 AM
I couldn't find a setting for Suricata core usage.

SSH on in, run 'top'.
Suricata is sure to be at the top of the list.

Which version of OPNsense are you running?
Mini-pc N150 i226v x520, FREEDOM

October 25, 2025, 06:39:43 AM #4 Last Edit: October 25, 2025, 06:41:27 AM by runo10
Quote from: BrandyWine on October 25, 2025, 06:23:31 AM
Quote from: runo10 on October 25, 2025, 06:08:10 AM
I couldn't find a setting for Suricata core usage.

SSH on in, run 'top'.
Suricata is sure to be at the top of the list.

Which version of OPNsense are you running?


I looked wrong, by the way. It is 60k per minute. 1k pps is very low, I think. Version is 25.7.6. Does this CPU usage mean Suricata is using one core?



I prefer the load averages as seen at the top of top.

SHIFT P

Pic that down to the 1st PID
Mini-pc N150 i226v x520, FREEDOM

Quote from: BrandyWine on October 25, 2025, 07:05:19 AM
I prefer the load averages as seen at the top of top.

SHIFT P

Pic that down to the 1st PID



What does this fw do?
Load seems high. Why not press SHIFT+P and then take pic? 1.87 is not terrible for that xeon, but you need to look at each core usage, my guess is cpu0 is probably pegged.
And you are very close to swap when you took that pic, maybe watch 'vmstat 1' for a bit?

Does this fw have hyperT disabled?
Mini-pc N150 i226v x520, FREEDOM

Quote from: BrandyWine on October 25, 2025, 09:01:50 AM
What does this fw do?
Load seems high. Why not press SHIFT+P and then take pic? 1.87 is not terrible for that xeon, but you need to look at each core usage, my guess is cpu0 is probably pegged.
And you are very close to swap when you took that pic, maybe watch 'vmstat 1' for a bit?

Does this fw have hyperT disabled?

I use this firewall only for intrusion detection. Maybe I selected many rules, but pps is very low. HyperThreading is enabled.


Quote from: runo10 on October 25, 2025, 06:08:10 AM
[...]
Actually these are the default rulesets that are available on the download page. I selected most of them. [...]

Ah, IPS rules. Thanks - I should have figured that out. It's been a while since I (actively) used an IPS - they keep growing...

Quote from: pfry on October 25, 2025, 03:29:43 PM
Quote from: runo10 on October 25, 2025, 06:08:10 AM
[...]
Actually these are the default rulesets that are available on the download page. I selected most of them. [...]

Ah, IPS rules. Thanks - I should have figured that out. It's been a while since I (actively) used an IPS - they keep growing...


Do you have a suggestion? Also, I want to block IPs on the firewall that are dropped by Suricata.

So it's a router, with IPS? FW rules are wide open?
To block you have to change the rules to "block" or "drop". The OPNsense site has good docs on it.

CPUs are idle but WCPU is 115% for Suricata?
I would try the disable-HT tunable to see what the diff is in performance.

Search DDG for "tuning freebsd for xeon cache levels"
Mini-pc N150 i226v x520, FREEDOM

Quote from: runo10 on October 25, 2025, 05:22:04 PM
Do you have a suggestion? Also, I want to block IPs on the firewall that are dropped by Suricata.

Not I! I have not used Suricata or Zenarmor - the last similar package I used was Snort, maybe 15 years ago.

It was 60k pps; I thought the granularity (1 minute) was the base time. I have turned off IPS mode and I use a script to inspect logs and block IPs via the firewall. Now CPU usage looks better. It may handle 300k-500k pps.
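One way to do the log-to-firewall step the last post describes, as an added example and not the poster's own script: read Suricata's eve.json (alert events carry src_ip and alert.severity), skip sources in networks you never want to lock out (management and RFC 1918 ranges), and emit pfctl commands for a pf table. The table name suricata_block, the never-block list and the log lines are constructed for this example; the table only has an effect once a block rule on the firewall references it.

```python
import ipaddress
import json
import shlex

# Constructed sample of Suricata eve.json lines (not taken from the thread).
# Addresses are documentation ranges; one line is deliberately malformed.
SAMPLE_EVE = """\
{"event_type":"alert","src_ip":"203.0.113.10","dest_ip":"198.51.100.5","alert":{"action":"allowed","signature":"EXAMPLE scan","severity":2}}
{"event_type":"flow","src_ip":"203.0.113.11","dest_ip":"198.51.100.5","proto":"UDP"}
{"event_type":"alert","src_ip":"10.0.0.7","dest_ip":"198.51.100.5","alert":{"action":"blocked","signature":"EXAMPLE internal","severity":1}}
{"event_type":"alert","src_ip":"203.0.113.10","dest_ip":"198.51.100.5","alert":{"action":"allowed","signature":"EXAMPLE scan","severity":2}}
{"event_type":"alert","src_ip":"198.51.100.77","dest_ip":"198.51.100.5","alert":{"action":"allowed","signature":"EXAMPLE exploit","severity":1}}
{"event_type":"alert","src_ip":"203.0.113.12","dest_ip":"198.51.100.5","alert":{"action":"allowed","signature":"EXAMPLE info","severity":3}}
not json at all
"""

# Networks that must never end up in the block table (hypothetical list:
# RFC 1918, loopback, plus whatever holds your own management hosts).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def offending_sources(eve_text, max_severity=2):
    """Return sorted, unique source IPs from alert events whose severity is
    at or above max_severity (Suricata: 1 = high). Non-alert events,
    malformed lines and never-block sources are skipped, so a bad log line
    cannot poison the table."""
    seen = set()
    for line in eve_text.splitlines():
        try:
            ev = json.loads(line)
        except ValueError:
            continue                      # skip garbage / partial writes
        if ev.get("event_type") != "alert":
            continue
        if ev.get("alert", {}).get("severity", 99) > max_severity:
            continue
        try:
            ip = ipaddress.ip_address(ev.get("src_ip", ""))
        except ValueError:
            continue
        if any(ip in net for net in NEVER_BLOCK):
            continue
        seen.add(str(ip))
    return sorted(seen, key=ipaddress.ip_address)


def pfctl_commands(ips, table="suricata_block"):
    """Build the pfctl invocations that add the IPs to a pf table
    (table name is hypothetical); values are shell-quoted before use."""
    return ["pfctl -t %s -T add %s" % (shlex.quote(table), shlex.quote(ip))
            for ip in ips]
```

Run it against the live file with the same functions and pipe the result into sh, or use the OPNsense alias API instead of pfctl so the entries survive a reload.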