Intrusion Detection issue

Started by Julien, August 08, 2017, 01:53:32 AM

August 08, 2017, 01:53:32 AM Last Edit: August 08, 2017, 01:59:26 AM by Julien
Hi Guys,
Is this normal behaviour? See the photos, one with intrusion detection enabled and one without.
When intrusion detection is not enabled I reach 1000 Mbps, and when it's enabled I reach 20 Mbps.

Is it normal that the ID kills all my speed?
DEC4240 – OPNsense Owner

It depends on your hardware, but yes it will slow down dramatically, so just enable the rules you really need to increase performance

"kills all my speed" -- no, it shouldn't. this is too low.

Quote from: mimugmail on August 08, 2017, 05:48:39 AM
It depends on your hardware, but yes it will slow down dramatically, so just enable the rules you really need to increase performance
Any suggestions why?
The HDD is i5/8GB memory/120 SSD Samsung Pro.
I don't believe this should be an issue at all.
When the intrusion detection is on it uses about 30% of the memory and 7% of CPU, and when I turn it off it uses 3% CPU and 10% memory.

What do you mean with enable only the rules?
DEC4240 – OPNsense Owner

Is it possible for you to do an iperf test? There are many public iperf servers available.

Regards,
Bobby Thomas

Quote from: bobbythomas on August 09, 2017, 09:47:08 AM
Is it possible for you to do an iperf test? There are many public iperf servers available.

Regards,
Bobby Thomas
I can't seem to find iperf.
Do I have to install this?
What are the commands to do so?
DEC4240 – OPNsense Owner

If you want to do it from the firewall then you need to install it: `pkg search iperf`. You could always install it on a server (or PC) on your LAN instead.
Regards


Bill
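To turn the suggested iperf test into a repeatable before/after measurement, here is an added example (not code from this thread or from OPNsense) that reads two `iperf3 -J` JSON reports, one captured with IDS off and one with IDS on, and reports the throughput drop. It assumes the `iperf3 -J` output layout (`end.sum_received.bits_per_second` and `intervals[].sum.bits_per_second`); the `make_report` helper only builds constructed sample reports so the script runs offline, and the hostnames in the comments are placeholders.

```python
"""Compare iperf3 throughput with IDS disabled vs enabled.

Capture the two reports on the firewall (LAN_HOST is a placeholder
running `iperf3 -s`), then run this script on the two JSON files:

    iperf3 -c LAN_HOST -t 30 -J > baseline.json      # IDS off
    iperf3 -c LAN_HOST -t 30 -J > ids_enabled.json   # IDS on
"""
import json
from statistics import pstdev, mean


def load_report(path: str) -> dict:
    """Load an iperf3 -J report from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def received_mbps(report: dict) -> float:
    """Average receiver-side throughput in Mbit/s (assumed iperf3 JSON layout)."""
    return report["end"]["sum_received"]["bits_per_second"] / 1e6


def interval_mbps(report: dict) -> list:
    """Per-interval throughput in Mbit/s, useful for spotting stalls."""
    return [iv["sum"]["bits_per_second"] / 1e6 for iv in report["intervals"]]


def compare(baseline: dict, with_ids: dict, max_drop_pct: float = 30.0) -> dict:
    """Summarise the IDS overhead; flag it when the drop exceeds max_drop_pct."""
    base = received_mbps(baseline)
    ids = received_mbps(with_ids)
    drop_pct = (base - ids) / base * 100.0
    ids_iv = interval_mbps(with_ids)
    return {
        "baseline_mbps": round(base, 1),
        "ids_mbps": round(ids, 1),
        "drop_pct": round(drop_pct, 1),
        # Large interval-to-interval swings hint at a saturated inspection thread.
        "ids_interval_jitter_mbps": round(pstdev(ids_iv), 1) if len(ids_iv) > 1 else 0.0,
        "excessive": drop_pct > max_drop_pct,
    }


def make_report(interval_values_mbps: list) -> dict:
    """Build a CONSTRUCTED report mimicking the iperf3 -J fields used above."""
    intervals = [{"sum": {"bits_per_second": v * 1e6}} for v in interval_values_mbps]
    avg_bps = mean(interval_values_mbps) * 1e6
    report = {"intervals": intervals,
              "end": {"sum_received": {"bits_per_second": avg_bps}}}
    # Round-trip through JSON so the structure matches what load_report returns.
    return json.loads(json.dumps(report))


# Constructed sample runs modelled on the numbers reported in this thread:
# ~940 Mbit/s without IDS, ~20 Mbit/s with it.
SAMPLE_BASELINE = make_report([940, 935, 945, 938, 942])
SAMPLE_WITH_IDS = make_report([22, 18, 25, 15, 20])


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        result = compare(load_report(sys.argv[1]), load_report(sys.argv[2]))
    else:
        result = compare(SAMPLE_BASELINE, SAMPLE_WITH_IDS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

A drop of a few tens of percent is the usual cost of inline inspection on modest hardware; a drop to a few percent of baseline, as in the sample, points at something other than rule count alone (netmap/driver support, single-threaded inspection, or a misconfigured interface) and is worth isolating before adjusting rule sets.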

Quote from: Julien on August 08, 2017, 01:53:32 AM

When intrusion detection is not enabled I reach 1000 Mbps, and when it's enabled I reach 20 Mbps.

Is it normal that the ID kills all my speed?

Is enabling/disabling ID(P)S the only thing that you change in order to get these differences? It is way, way, way too much of a difference in throughput... :(

It does cap your bandwidth a lot with the old 3.* Suricata versions.
I tried the new 4.0 stable on my APU2C2 with Ubuntu 16.04 (PPA package) and it works much, much better on something like the APU.
For example:

- OPNsense/PFsense Suricata 3.* with netmap: max 9-11 MB/s, where 17 MB/s is my normal max bandwidth
- Ubuntu 16.04 LTS with Suricata 4.0 with NFQ: max 14-16 MB/s, where 17 MB/s is my normal max bandwidth

Tried using a cabled host on gigabit with: `wget 'ftp://ftp.nluug.nl/pub/FreeBSD/releases/ISO-IMAGES/11.1/FreeBSD-11.1-RELEASE-amd64-dvd1.iso' -O /dev/null`

My advice: wait for Suricata 4.* to be embedded in OPNsense/PFsense.

See also: https://suricata-ids.org/category/release/ and especially:

'Under the Hood
A major TCP stream engine update is included. This should lead to better performance and less configuration, especially in IPS mode.'

I know my setup is not a good test situation, but I've tested a lot with Snort and Suricata inline and the performance hits on my box, and I really noticed better performance.
See for yourself if it is worth the upgrade (also, better detection is always welcome ;) )

Quote from: xmichielx on August 11, 2017, 11:11:11 AM
It does cap your bandwidth a lot with the old 3.* Suricata versions.
I tried the new 4.0 stable on my APU2C2 with Ubuntu 16.04 (PPA package) and it works much, much better on something like the APU.
For example:

- OPNsense/PFsense Suricata 3.* with netmap: max 9-11 MB/s, where 17 MB/s is my normal max bandwidth
- Ubuntu 16.04 LTS with Suricata 4.0 with NFQ: max 14-16 MB/s, where 17 MB/s is my normal max bandwidth

Tried using a cabled host on gigabit with: `wget 'ftp://ftp.nluug.nl/pub/FreeBSD/releases/ISO-IMAGES/11.1/FreeBSD-11.1-RELEASE-amd64-dvd1.iso' -O /dev/null`

My advice: wait for Suricata 4.* to be embedded in OPNsense/PFsense.

See also: https://suricata-ids.org/category/release/ and especially:

'Under the Hood
A major TCP stream engine update is included. This should lead to better performance and less configuration, especially in IPS mode.'

I know my setup is not a good test situation, but I've tested a lot with Snort and Suricata inline and the performance hits on my box, and I really noticed better performance.
See for yourself if it is worth the upgrade (also, better detection is always welcome ;) )

Thank you for your feedback.
I'll wait for the release of V4.
Does anybody know the release date?
DEC4240 – OPNsense Owner

There is a call for testing for Suricata 4.0.0, you can try it if you want.

But in any case, it will hit 17.7.1 next week.


Cheers,
Franco

Quote from: franco on August 25, 2017, 03:59:23 PM
There is a call for testing for Suricata 4.0.0, you can try it if you want.

But in any case, it will hit 17.7.1 next week.


Cheers,
Franco
Thank you Franco,
I have found the link https://forum.opnsense.org/index.php?topic=5595.0;topicseen
I'll start the test in the LAB and report back in case of any errors.
DEC4240 – OPNsense Owner

Thanks Julien, feedback still very welcome! :)