
Author Topic: Intrusion Detection issue  (Read 3828 times)

Julien

Intrusion Detection issue
« on: August 08, 2017, 01:53:32 am »
Hi guys,
Is this normal behaviour? See the photos, one with intrusion enabled and one without.
When intrusion is not enabled I reach 1000 Mbps/s and when it's enabled I reach 20 Mbps/s.

Is it normal that the ID kills all my speed?
« Last Edit: August 08, 2017, 01:59:26 am by Julien »

mimugmail

Re: Intrusion Detection issue
« Reply #1 on: August 08, 2017, 05:48:39 am »
It depends on your hardware, but yes it will slow down dramatically, so just enable the rules you really need to increase performance
IRC: mimugmail
Twitter: mimu_muc
WWW: www.routerperformance.net

franco

Re: Intrusion Detection issue
« Reply #2 on: August 08, 2017, 07:35:02 am »
"kills all my speed" -- no, it shouldn't. This is too low.

Julien

Re: Intrusion Detection issue
« Reply #3 on: August 08, 2017, 06:03:48 pm »
Quote from: mimugmail on August 08, 2017, 05:48:39 am
It depends on your hardware, but yes it will slow down dramatically, so just enable the rules you really need to increase performance
Any suggestions why?
The HDD is I5/8GB Memory/120SSD Samsung Pro.
I don't believe this should be an issue at all.
When Intrusion Detection is on it uses like 30% of the memory and 7% of CPU, and when I turn it off it uses 3% CPU and 10% memory.

What do you mean by enable only the rules?

bobbythomas

Re: Intrusion Detection issue
« Reply #4 on: August 09, 2017, 09:47:08 am »
Is it possible for you to do an iperf test? There are many public iperf servers available.

Regards,
Bobby Thomas

Julien

Re: Intrusion Detection issue
« Reply #5 on: August 09, 2017, 02:52:20 pm »
Quote from: bobbythomas on August 09, 2017, 09:47:08 am
Is it possible for you to do an iperf test? There are many public iperf servers available.

Regards,
Bobby Thomas
I can't seem to find iperf.
Do I have to install this?
What are the commands to do so?

phoenix

Re: Intrusion Detection issue
« Reply #6 on: August 09, 2017, 03:18:35 pm »
If you want to do it from the firewall then you need to install it: pkg search iperf - you could always install it on a server (or PC) on your LAN.
Regards
Bill

hutiucip

Re: Intrusion Detection issue
« Reply #7 on: August 10, 2017, 03:19:56 pm »
Quote from: Julien on August 08, 2017, 01:53:32 am

When intrusion is not enabled I reach 1000 Mbps/s and when it's enabled I reach 20 Mbps/s.

Is it normal that the ID kills all my speed?

Is enabling/disabling ID(P)S the only thing that you do in order to have these differences? It is way-way-way too much of a difference in throughput... :(

xmichielx

Re: Intrusion Detection issue
« Reply #8 on: August 11, 2017, 11:11:11 am »
It does cap your bandwidth a lot with the old 3.* Suricata versions.
I tried the new 4.0 stable on my APU2C2 with Ubuntu 16.04 (PPA package) and it works much, much better on something like the APU.
For example:

- OPNsense/pfSense Suricata 3.* with netmap: max 9-11 MB/s - where 17 MB/s is my normal max bandwidth
- Ubuntu 16.04 LTS with Suricata 4.0 with NFQ: max 14-16 MB/s - where 17 MB/s is my normal max bandwidth

Tried using a cabled host using gigabit with: wget 'ftp://ftp.nluug.nl/pub/FreeBSD/releases/ISO-IMAGES/11.1/FreeBSD-11.1-RELEASE-amd64-dvd1.iso' -O /dev/null

My advice: wait for Suricata 4.* to be embedded in OPNsense/pfSense.

See also https://suricata-ids.org/category/release/ and especially:

'Under the Hood
A major TCP stream engine update is included. This should lead to better performance and less configuration, especially in IPS mode.'

I know my setup is not a good test situation, but I've tested a lot with Snort and Suricata inline and the performance hits on my box, and I really noticed better performance.
See for yourself if it is worth the upgrade (also, better detection is always welcome ;) )

Julien

Re: Intrusion Detection issue
« Reply #9 on: August 25, 2017, 03:53:00 pm »
Thank you for your feedback.
I'll wait for the release of the V4.
Does anybody know the release date?

franco

Re: Intrusion Detection issue
« Reply #10 on: August 25, 2017, 03:59:23 pm »
There is a call for testing for Suricata 4.0.0, you can try it if you want.

But in any case, it will hit 17.7.1 next week.


Cheers,
Franco

Julien

Re: Intrusion Detection issue
« Reply #11 on: August 25, 2017, 04:01:28 pm »
Quote from: franco on August 25, 2017, 03:59:23 pm
There is a call for testing for Suricata 4.0.0, you can try it if you want.

But in any case, it will hit 17.7.1 next week.


Cheers,
Franco
Thank you Franco,
I have found the link https://forum.opnsense.org/index.php?topic=5595.0;topicseen
I'll start the test on the LAB and report back in case of some errors.

franco

Re: Intrusion Detection issue
« Reply #12 on: August 25, 2017, 04:03:21 pm »
Thanks Julien, feedback still very welcome! :)