It depends on your hardware, but yes, it will slow down dramatically, so just enable the rules you really need to increase performance.
Is it possible for you to do an iperf test? There are many public iperf servers available.
Regards,
Bobby Thomas
When intrusion detection is not enabled I reach 1000 Mbps, and when it is enabled I reach 20 Mbps. Is it normal that the IDS kills all my speed?
It does cap your bandwidth a lot with the old 3.* Suricata versions. I tried the new 4.0 stable on my APU2C2 with Ubuntu 16.04 (PPA package) and it works much, much better on something like the APU.

For example:
- OPNsense/pfSense Suricata 3.* with netmap: max 9-11 MB/s, where 17 MB/s is my normal max bandwidth
- Ubuntu 16.04 LTS with Suricata 4.0 with NFQ: max 14-16 MB/s, where 17 MB/s is my normal max bandwidth

Tried using a cabled host using gigabit with: 'wget 'ftp://ftp.nluug.nl/pub/FreeBSD/releases/ISO-IMAGES/11.1/FreeBSD-11.1-RELEASE-amd64-dvd1.iso' -O /dev/null'

My advice: wait for Suricata 4.* being embedded in OPNsense/pfSense.

See also: https://suricata-ids.org/category/release/ and especially:
'Under the Hood
A major TCP stream engine update is included. This should lead to better performance and less configuration, especially in IPS mode.'

I know my setup is not a good test situation, but I've tested a lot with Snort and Suricata inline and the performance hits on my box, and I really noticed a better performance. See for yourself if it is worth the upgrade (also, better detection is always welcome).
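To turn the IPS-off versus IPS-on comparison discussed in the posts above into a repeatable number, here is an added example (not code from the forum posters, OPNsense or Suricata) that reads two `iperf3 -J` JSON reports and computes the throughput lost to IPS. The script name ipscompare.py, the report file names and the 50 % threshold are assumptions; the embedded sample reports are constructed to mimic the shape of iperf3's JSON output, with figures chosen to match the 1000 Mbps / 20 Mbps case reported earlier in the thread.

```python
"""Compare iperf3 throughput measured with Suricata IPS disabled vs enabled.

Added example for this thread, not code from the posters, OPNsense or
Suricata.  Assumed workflow:
    iperf3 -c <server> -J > ips_off.json     # with IPS disabled
    iperf3 -c <server> -J > ips_on.json      # with IPS enabled
    python3 ipscompare.py ips_off.json ips_on.json
Only end.sum_received.bits_per_second (TCP) or end.sum (UDP) of the report
is read.  Run without arguments it uses the constructed sample reports below.
"""
import json
import sys


def received_mbps(report):
    """Receiver-side average throughput in Mbit/s from an iperf3 -J report (dict).

    iperf3 writes {"error": "..."} instead of a result when the run fails,
    so a failed run is rejected rather than read as 0 Mbps.
    """
    if "error" in report:
        raise ValueError("iperf3 run failed: %s" % report["error"])
    end = report["end"]
    # TCP reports carry sum_sent/sum_received; UDP reports carry a single sum.
    summary = end.get("sum_received") or end["sum"]
    return summary["bits_per_second"] / 1e6


def compare_runs(baseline, with_ips, max_loss_pct=50.0):
    """Return both throughputs and the percentage of the baseline lost to IPS.

    `acceptable` is False when enabling IPS cost more than max_loss_pct of the
    baseline; the 50 % default is an assumed threshold, tune it to your box.
    """
    base = received_mbps(baseline)
    ips = received_mbps(with_ips)
    loss_pct = round((1.0 - ips / base) * 100.0, 2)
    return {
        "baseline_mbps": round(base, 1),
        "ips_mbps": round(ips, 1),
        "loss_pct": loss_pct,
        "acceptable": loss_pct <= max_loss_pct,
    }


def load_report(path):
    """Load one `iperf3 -J` report from disk."""
    with open(path) as fh:
        return json.load(fh)


# Constructed sample reports (same shape as `iperf3 -J` output; the values
# are invented to match the thread: 1000 Mbps with IDS off, 20 Mbps with it on).
SAMPLE_IPS_OFF = {"end": {"sum_received": {"seconds": 10.0,
                                            "bytes": 1250000000,
                                            "bits_per_second": 1.0e9}}}
SAMPLE_IPS_ON = {"end": {"sum_received": {"seconds": 10.0,
                                           "bytes": 25000000,
                                           "bits_per_second": 2.0e7}}}


def main(argv):
    if len(argv) == 3:
        result = compare_runs(load_report(argv[1]), load_report(argv[2]))
    else:
        result = compare_runs(SAMPLE_IPS_OFF, SAMPLE_IPS_ON)
    print("IPS off: %(baseline_mbps).1f Mbps, IPS on: %(ips_mbps).1f Mbps, "
          "loss: %(loss_pct).2f%%" % result)
    print("acceptable" if result["acceptable"] else "IPS overhead too high")


if __name__ == "__main__":
    main(sys.argv)
```

Run both iperf3 measurements against the same server, back to back, so that the only thing that changes between them is whether IPS is enabled; the receiver-side summary is used because that is the rate that actually made it through the inline engine.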
There is a call for testing for Suricata 4.0.0; you can try it if you want. But in any case, it will hit 17.7.1 next week.
Cheers,
Franco