OPNsense Forum » English Forums » Intrusion Detection and Prevention » Performance tuning for IPS maximum performance
Pages: 1 2 [3] 4 5 ... 7

Author Topic: Performance tuning for IPS maximum performance  (Read 178244 times)

Julien

Re: Performance tuning for IPS maximum performance
« Reply #30 on: April 25, 2018, 01:09:29 pm »
Quote from: mimugmail on April 25, 2018, 05:53:32 am
IDS or IPS?
Do you use Hyperscan?

Yes, I am using Hyperscan and Intrusion Detection with IPS mode on; see screenshot.
OPNsense 23.1.7_3-amd64
FreeBSD 13.1-RELEASE-p7
OpenSSL 1.1.1t 7 Feb 2023

Evil_Sense

Re: Performance tuning for IPS maximum performance
« Reply #31 on: April 25, 2018, 03:35:17 pm »
I finally found time for some tests.

I first tested with the tunables on a system that had been running for a couple of weeks.

I then removed the tunables, rebooted, waited for 5 minutes and tested again.

Lastly I added the tunables again, rebooted, waited for 5 minutes and tested again.

As you see, the results are within tolerance; this could be because my provider connection doesn't saturate the NIC capacity of my APU2C4.
« Last Edit: April 25, 2018, 03:40:48 pm by Evil_Sense »

Evil_Sense

Re: Performance tuning for IPS maximum performance
« Reply #32 on: April 25, 2018, 03:36:26 pm »
I also attached utilization screenshots; with the tunables it's higher, but since I don't mind using the hardware a bit more I'm OK with that.

(Second post, because only 4 pictures per post are allowed)
« Last Edit: April 25, 2018, 04:05:10 pm by Evil_Sense »

Julien

Re: Performance tuning for IPS maximum performance
« Reply #33 on: April 26, 2018, 03:04:24 pm »
Thank you Evil_Sense for your answer.
As I understand it, you didn't really notice a difference in speed, but rather in the hardware use.
As I understand it, I don't mind using the hardware; that's why we have it there :)
OPNsense 23.1.7_3-amd64
FreeBSD 13.1-RELEASE-p7
OpenSSL 1.1.1t 7 Feb 2023

neoso

Re: Performance tuning for IPS maximum performance
« Reply #34 on: May 30, 2018, 09:22:41 am »
Quote from: dcol on April 10, 2018, 01:02:26 am
Some of the tunables and settings do come with a resource price. Try reducing the interrupt rate. The queue size is a NIC dependent setting and depends of the buffer size in the NIC itself.

Hi,

Is it possible to post your config for the APU2C4?

I read the tutorial, but when I insert the config into loader.conf, I lose all the config on reboot.

I have an FTTH 600MB/600MB connection.
IPS/IDS active:     100/100MB
IDS/IPS not active: 300MB/600MB

Is it possible that the APU2C4 is poor hardware?

I have ordered a QOTOM on AliExpress, Core i7, 8GB RAM.

Do you think that installing pfSense will improve this on the APU2C4?

xmichielx

Re: Performance tuning for IPS maximum performance
« Reply #35 on: August 02, 2018, 10:54:36 am »
The config should be in loader.conf.local and some in the tunables.
I tried it for the APU 2C4 but still max ~10/11 MB/s with Suricata inline; Snort with some PF magic (pfSense) gives the full bandwidth.
It's not a true inline IPS but works pretty well for home usage.
Perhaps one day when home hardware (like the APU2C4, which is quad core with 4 GB memory) works nicely with Suricata I will switch; until then I use Snort, since losing 60% of your bandwidth is just not worth it.

mimugmail

  • Hero Member
  • *****
  • Posts: 6558
  • Karma: 458
    • View Profile
Re: Performance tuning for IPS maximum performance
« Reply #36 on: August 02, 2018, 10:57:02 am »
Quote from: xmichielx on August 02, 2018, 10:54:36 am
The config should be in loader.conf.local and some in the tunables.
I tried it for the APU 2C4 but still max ~10/11 MB/s with Suricata inline; Snort with some PF magic (pfSense) gives the full bandwidth.
It's not a true inline IPS but works pretty well for home usage.
Perhaps one day when home hardware (like the APU2C4, which is quad core with 4 GB memory) works nicely with Suricata I will switch; until then I use Snort, since losing 60% of your bandwidth is just not worth it.

How many rules do you run on Snort vs Suricata? Can you try changing the Scan engine?
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/

dcol

  • Hero Member
  • *****
  • Posts: 633
  • Karma: 50
    • View Profile
Re: Performance tuning for IPS maximum performance
« Reply #37 on: August 02, 2018, 04:07:45 pm »
Two points.
OPNsense does not have Snort. OPNsense was built optimizing Suricata.
Some Snort rules are not compatible with Suricata.

xmichielx

Re: Performance tuning for IPS maximum performance
« Reply #38 on: August 09, 2018, 10:17:17 am »
Quote from: mimugmail on August 02, 2018, 10:57:02 am
Quote from: xmichielx on August 02, 2018, 10:54:36 am
The config should be in loader.conf.local and some in the tunables.
I tried it for the APU 2C4 but still max ~10/11 MB/s with Suricata inline; Snort with some PF magic (pfSense) gives the full bandwidth.
It's not a true inline IPS but works pretty well for home usage.
Perhaps one day when home hardware (like the APU2C4, which is quad core with 4 GB memory) works nicely with Suricata I will switch; until then I use Snort, since losing 60% of your bandwidth is just not worth it.

How many rules do you run on Snort vs Suricata? Can you try changing the Scan engine?

The same amount; I use the ET Open rules, and they work for both Snort and Suricata.
I tried enabling from 1 rule up to 15 rules: no difference.
I also tried changing the scan engine; Hyperscan has the best performance (Intel NICs are used on the APU 2) but no profit there.

xmichielx

Re: Performance tuning for IPS maximum performance
« Reply #39 on: August 09, 2018, 10:19:59 am »
Quote from: dcol on August 02, 2018, 04:07:45 pm
Two points.
OPNsense does not have Snort. OPNsense was built optimizing Suricata.
Some Snort rules are not compatible with Suricata.

I never said that OPNsense has Snort; that is why I use/used pfSense.
I know that some Snort rules are incompatible with Suricata; I use the supplied ET Open rules and they work for both IDS/IPS.
Still, this is not related to the performance hit on the APU 2. Actually, I cannot find a single post where someone says he has 75%-100% of his/her bandwidth after using Suricata inline (this has nothing to do with OPNsense but is related to Suricata and its scanning engine, which caps bandwidth inline when used on 'smaller' hardware for home use).

mimugmail

Re: Performance tuning for IPS maximum performance
« Reply #40 on: August 09, 2018, 10:55:05 am »
I think this is somewhat clocking related, which has a higher impact on slow hardware.
No idea how Snort on PF works; perhaps it adds a pf rule after a match, which doesn't require a real inline setup, so it might be more performant on smaller hardware, but that's just a guess.

I'm not against building a Snort plugin, but I'm not sure if it's worth the work since IPS for home use is debatable (my personal opinion).
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/

xmichielx

Re: Performance tuning for IPS maximum performance
« Reply #41 on: August 09, 2018, 11:36:08 am »
I must nuance my 'rant' about Suricata; after enabling just the ones that are the most necessary for me (aka trojan, malware, mobile_malware, exploit) and using Hyperscan I get a more reasonable ~14-16 MB/s (where 22 MB/s is my max), which is acceptable for me.
I now have the benefit of using a NIDS/IPS blocking/filtering on the LAN/GUEST_VLAN interfaces and still retain some of my bandwidth.
So a big tip for all APU 2 users: use the Hyperscan scan engine and choose only what is necessary.
I did not use any of the tweaks except those mentioned above :)
« Last Edit: August 10, 2018, 09:42:03 am by xmichielx »

dcol

Re: Performance tuning for IPS maximum performance
« Reply #42 on: August 09, 2018, 04:02:23 pm »
Using only rules that are 'necessary' is always the proper method. Just takes some homework. If your internal LAN is trusted, then you don't need to use IDS on it. Logic is always the best approach.
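Both posts above come down to the same practice: enable only the rule categories you actually need and leave the rest disabled. The following is an added example, not code from this thread, from OPNsense or from Emerging Threats. It parses rule lines written in Suricata rule syntax, groups them by the category prefix in the msg field ("ET TROJAN", "ET MALWARE", ...) and reports which sids stay enabled for the categories xmichielx settled on. The ruleset below is constructed for illustration; the sids and messages are placeholders, not real ET Open rules.

```python
"""Keep only the Suricata rule categories you actually need.

Added example for this thread; not code from the forum, OPNsense or
Emerging Threats. Parses rule lines in Suricata syntax, groups them by
the ET category prefix in msg, and reports which sids stay enabled for
a chosen set of categories. The rules below are constructed:
placeholder sids and messages, not real ET Open rules.
"""
import re
from collections import Counter

# Constructed sample ruleset (placeholder sids 9000001-9000007).
# A leading '#' marks a rule that is already disabled.
SAMPLE_RULES = """\
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Example CnC Beacon"; flow:established,to_server; sid:9000001; rev:1;)
alert dns $HOME_NET any -> any any (msg:"ET MALWARE Example Malware DNS Lookup"; sid:9000002; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Example Android Checkin"; sid:9000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT Example SMB Overflow Attempt"; sid:9000004; rev:3;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Example Cloud Storage Upload"; sid:9000005; rev:1;)
# alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Example Executable Download"; sid:9000006; rev:1;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Example Self-Signed Cert"; sid:9000007; rev:1;)
"""

# One rule per line: optional '#' (disabled), action, header, then options.
RULE_RE = re.compile(
    r'^(?P<disabled>#\s*)?(?P<action>alert|drop|pass|reject)\s[^(]*\('
    r'.*?msg:"(?P<msg>[^"]*)".*?\bsid:(?P<sid>\d+);'
)
# ET rules carry their category as the first word after "ET ".
CATEGORY_RE = re.compile(r'^ET\s+([A-Z_]+)')


def parse_rules(text):
    """Return a list of dicts (sid, msg, category, enabled) for every rule line."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # blank line or a plain comment
        cat = CATEGORY_RE.match(m.group("msg"))
        rules.append({
            "sid": int(m.group("sid")),
            "msg": m.group("msg"),
            "category": cat.group(1) if cat else "UNCATEGORIZED",
            "enabled": m.group("disabled") is None,
        })
    return rules


def select_categories(rules, wanted):
    """Split enabled rules into the sids to keep and the sids to disable.

    Already-disabled rules are left alone. Returns (keep, disable, counts)
    where counts is the number of enabled rules per category before selection.
    """
    wanted = {w.upper() for w in wanted}
    counts = Counter(r["category"] for r in rules if r["enabled"])
    keep = sorted(r["sid"] for r in rules if r["enabled"] and r["category"] in wanted)
    disable = sorted(r["sid"] for r in rules if r["enabled"] and r["category"] not in wanted)
    return keep, disable, counts


if __name__ == "__main__":
    # The categories named in the post: trojan, malware, mobile_malware, exploit.
    keep, disable, counts = select_categories(
        parse_rules(SAMPLE_RULES), ["trojan", "malware", "mobile_malware", "exploit"])
    for cat, n in sorted(counts.items()):
        print(f"{cat:<16} {n} enabled")
    print("keep sids:   ", keep)
    print("disable sids:", disable)
```

Run against a real ET Open ruleset the per-category counts show where the bulk of the pattern-matching work goes, which is what the thread's bandwidth numbers are really measuring; the returned lists are the input to whatever enable/disable mechanism your Suricata deployment uses.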

xmichielx

Re: Performance tuning for IPS maximum performance
« Reply #43 on: August 10, 2018, 09:42:58 am »
I use the IPS mainly for my LAN/Guest VLAN since I want to detect malware. But I can understand that people also use it in front of their servers etc.
PS: changing the networks from 3 private ranges to only 192.168.0.0/16 also seems to affect the bandwidth (+/- 1 or 2 MB/s profit!)
« Last Edit: August 10, 2018, 09:53:07 am by xmichielx »

Julien

Re: Performance tuning for IPS maximum performance
« Reply #44 on: November 17, 2018, 02:06:28 am »
Quote from: xmichielx on August 10, 2018, 09:42:58 am
I use the IPS mainly for my LAN/Guest VLAN since I want to detect malware. But I can understand that people also use it in front of their servers etc.
PS: changing the networks from 3 private ranges to only 192.168.0.0/16 also seems to affect the bandwidth (+/- 1 or 2 MB/s profit!)

Our internal LAN is trusted as it's clean and we know what is running internally.
Do you mean we do not need to use IDS for this? We do have some servers behind it and want them to be protected.

We keep having one alert from this IP 150.109.50.77 on port 25, in and out, and the action is allowed.

Code:
Timestamp 2018-11-17T01:58:28.386557+0100
Alert SURICATA SMTP data command rejected
Alert sid 2220008
Protocol TCP
Source IP 2.51.55.22
Destination IP 150.109.50.77
Source port 25
Destination port 35064
Interface wan

Any suggestions how to treat this alert?
OPNsense 23.1.7_3-amd64
FreeBSD 13.1-RELEASE-p7
OpenSSL 1.1.1t 7 Feb 2023
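The first thing to settle for an alert like the one Julien pasted is where the two endpoints sit relative to HOME_NET (the same setting xmichielx trimmed to 192.168.0.0/16 two posts up), and which end is the server. The following is an added example, not code from this thread or from OPNsense. It parses the alert exactly as pasted (field label followed by value), classifies the flow as inbound, outbound, internal or external against HOME_NET, picks the server side from the well-known port, and renders a suppress entry in Suricata's threshold.config syntax for the case where the alert is confirmed to be noise. The HOME_NET range is constructed; the alert text, sid, addresses and ports are the ones quoted in the post.

```python
"""Triage a Suricata alert against HOME_NET.

Added example, not code from the forum thread or from OPNsense. Parses
the alert as pasted in the post, decides how the flow sits relative to
HOME_NET, identifies the server end from the well-known port, and
renders a suppress entry in Suricata threshold.config syntax. The
HOME_NET range is constructed; the alert text is the one from the post.
"""
import ipaddress

# Constructed HOME_NET: the single range mentioned earlier in the thread.
HOME_NET = [ipaddress.ip_network("192.168.0.0/16")]

# The alert as posted (sid, addresses and ports are from the post).
ALERT_TEXT = """\
Timestamp 2018-11-17T01:58:28.386557+0100
Alert SURICATA SMTP data command rejected
Alert sid 2220008
Protocol TCP
Source IP 2.51.55.22
Destination IP 150.109.50.77
Source port 25
Destination port 35064
Interface wan
"""

# Display label -> field name. Longest labels are tried first so that
# "Alert sid" is not swallowed by "Alert".
FIELDS = {
    "Timestamp": "timestamp",
    "Alert sid": "sid",
    "Alert": "msg",
    "Protocol": "proto",
    "Source IP": "src_ip",
    "Destination IP": "dst_ip",
    "Source port": "src_port",
    "Destination port": "dst_port",
    "Interface": "iface",
}
INT_FIELDS = {"sid", "src_port", "dst_port"}


def parse_alert(text):
    """Turn the pasted label/value block into a dict; sid and ports become ints."""
    alert = {}
    labels = sorted(FIELDS, key=len, reverse=True)
    for line in text.splitlines():
        for label in labels:
            if line.startswith(label + " "):
                name = FIELDS[label]
                value = line[len(label) + 1:].strip()
                alert[name] = int(value) if name in INT_FIELDS else value
                break
    return alert


def in_home_net(ip, home_net):
    """True if ip falls inside any HOME_NET range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in home_net)


def classify_direction(alert, home_net):
    """inbound / outbound / internal / external, judged by HOME_NET membership."""
    src_home = in_home_net(alert["src_ip"], home_net)
    dst_home = in_home_net(alert["dst_ip"], home_net)
    if src_home and dst_home:
        return "internal"
    if src_home:
        return "outbound"
    if dst_home:
        return "inbound"
    return "external"


def server_side(alert):
    """Heuristic: the endpoint on a well-known port (<1024) is the server."""
    if alert["src_port"] < 1024 <= alert["dst_port"]:
        return alert["src_ip"]
    if alert["dst_port"] < 1024 <= alert["src_port"]:
        return alert["dst_ip"]
    return None  # ambiguous: both or neither end on a well-known port


def suppress_line(alert, track="by_dst"):
    """Suppress entry in Suricata threshold.config syntax (gen_id 1 = rule engine)."""
    ip = alert["dst_ip"] if track == "by_dst" else alert["src_ip"]
    return f"suppress gen_id 1, sig_id {alert['sid']}, track {track}, ip {ip}"


if __name__ == "__main__":
    a = parse_alert(ALERT_TEXT)
    print("direction relative to HOME_NET:", classify_direction(a, HOME_NET))
    print("server side (port heuristic):  ", server_side(a))
    print("suppress entry if confirmed benign:", suppress_line(a))
```

For the pasted alert the script reports that neither address is in the constructed HOME_NET and that 2.51.55.22 is the server end (it holds port 25), so the message "SMTP data command rejected" describes that server refusing a DATA command from 150.109.50.77; that context, plus checking which address is actually yours, is what decides between tuning HOME_NET, suppressing the sid for that peer, or leaving it alone. How a suppress entry is applied on OPNsense itself is outside this example.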
