[SOLVED] [Suricata] Suricata dropping traffic with IPS.

Started by xupetas, October 17, 2017, 08:50:34 PM

Quote from: Fabio83 on November 09, 2017, 09:28:06 AM
Quote from: xupetas on November 09, 2017, 09:10:38 AM

Hello Julien,

Is the difficulty being shown at any speed? Or is only felt when you reach 200mbps?

Thanks!

In my environment I tested it via iperf to a System in another Subnet or over WAN:
Virtio and IPS disabled: ~900Mbit/s
E1000 and IPS disabled: ~200-250Mbit/s
VMXNET3 and IPS disabled: ~500Mbit/s
VMXNET3 and IPS enabled: ~300-400Mbit/s

Greetings,
Fabio
Thank you Fabio,
The connection works, only it's dropped down significantly.
I tried everything but nothing helped.
DEC4240 – OPNsense Owner

Quote from: Julien on November 09, 2017, 10:36:41 AM

Thank you Fabio,
The connection works, only it's dropped down significantly.
I tried everything but nothing helped.

Hello Julien.

What virtualization host and qemu version are you using?

Quote from: Fabio83 on November 09, 2017, 11:14:25 AM
Quote from: Julien on November 09, 2017, 10:36:41 AM

Thank you Fabio,
The connection works, only it's dropped down significantly.
I tried everything but nothing helped.

Hello Julien.

What virtualization host and qemu version are you using?
Hi Fabio,
I am on hardware with
i5 CPU / 8GB memory / 64GB SSD / Intel 82574L Gigabit Ethernet
DEC4240 – OPNsense Owner

Quote from: Julien on November 09, 2017, 01:37:56 PM
Hi Fabio,
I am on hardware with
i5 CPU / 8GB memory / 64GB SSD / Intel 82574L Gigabit Ethernet

So, if you are running your OPNsense on hardware directly -> check out your current pattern matcher (under Services/Intrusion Detection). For better performance you could try "Hyperscan" instead of "Aho-Corasick".

Fabio

Last time I tried to enable IPS on a VM running in Proxmox (KVM) it would just stop passing traffic and usually need a reboot to get going again, this was with the virtIO drivers.

It was an N3150, so gutless, but it wasn't a CPU usage problem; the VirtIO drivers really don't seem to play nice with IDS.

It's the reason I don't have the IDS turned on in any of my OPNsense boxes; with most of them being virtual I can't risk it.

Quote from: Fabio83 on November 09, 2017, 04:18:00 PM
Quote from: Julien on November 09, 2017, 01:37:56 PM
Hi Fabio,
I am on hardware with
i5 CPU / 8GB memory / 64GB SSD / Intel 82574L Gigabit Ethernet

So, if you are running your OPNsense on hardware directly -> check out your current pattern matcher (under Services/Intrusion Detection). For better performance you could try "Hyperscan" instead of "Aho-Corasick".

Fabio
I have tried both Hyperscan and Aho-Corasick; now it is running on Default.
Both are providing poor performance.

With Hyperscan I reach 400 Mbps, and with Aho-Corasick and Default I reach 340 Mbps.
DEC4240 – OPNsense Owner

Does anybody have an idea about why the speed is 50% down when Suricata is on?
DEC4240 – OPNsense Owner

It depends on your setup. If you use local services like proxies on your OPNsense and all of this traffic hits the proxy, the proxy penalty usage is 50%, because you not only end up reading incoming packets, but also rewriting or recreating packets, which causes buffers to be copied for sending, and that hurts your overall performance.

Especially with a HTTP speed test and web proxy enabled you're testing your maximum speed as configured, but maybe not as expected. ;)


Cheers,
Franco

Quote from: franco on November 17, 2017, 04:49:25 AM
It depends on your setup. If you use local services like proxies on your OPNsense and all of this traffic hits the proxy, the proxy penalty usage is 50%, because you not only end up reading incoming packets, but also rewriting or recreating packets, which causes buffers to be copied for sending, and that hurts your overall performance.

Especially with a HTTP speed test and web proxy enabled you're testing your maximum speed as configured, but maybe not as expected. ;)


Cheers,
Franco
Well explained, Franco. I thought too that it had something to do with the proxy, but we have no proxy configured in this configuration.
The test is going over HTTP (http://beta.speedtest.net/) and it shows 320 Mbps.

I was actually wondering if the speedtest results are our actual speed or not.

When we test using HTTPS (https://fast.com/en/gb/) it shows 520 Mbps.

DEC4240 – OPNsense Owner