Performance tuning for IPS maximum performance

Started by dcol, December 08, 2017, 05:13:30 PM

Quote from: mimugmail on April 25, 2018, 05:53:32 AM
IDS or IPS?
Do you use Hyperscan?
Yes, I am using Hyperscan and Intrusion Detection with IPS mode on, see screenshot.
DEC4240 – OPNsense Owner

April 25, 2018, 03:35:17 PM #31 Last Edit: April 25, 2018, 03:40:48 PM by Evil_Sense
I finally found time for some tests.

I first tested with the tunables on a system that had been running for a couple of weeks.

I then removed the tunables, rebooted, waited for 5 minutes and tested again.

Lastly I added the tunables again, rebooted, waited for 5 minutes and tested again.

As you can see, the results are within tolerance; this could be because my provider connection doesn't saturate the NIC capacity of my apu2c4.

April 25, 2018, 03:36:26 PM #32 Last Edit: April 25, 2018, 04:05:10 PM by Evil_Sense
I also attached utilization screenshots. With the tunables it's higher, but since I don't mind using the hardware a bit more, I'm OK with that.

(Second post, because only 4 pictures per post are allowed)

Thank you Evil_Sense for your answer.
As I understand it, you didn't really notice a difference in speed, but rather in the hardware usage.
I also don't mind using the hardware; that's why it is there :)
DEC4240 – OPNsense Owner

Quote from: dcol on April 10, 2018, 01:02:26 AM
Some of the tunables and settings do come with a resource price. Try reducing the interrupt rate. The queue size is a NIC-dependent setting and depends on the buffer size in the NIC itself.

Hi,

Is it possible to post your config for the APU2C4?

I read the tutorial, but when I insert the config into loader.conf, I lose the whole config after a reboot.

I have FTTH 600MB/600MB.
IPS/IDS active: 100/100MB
IDS/IPS not active: 300MB/600MB

Is it possible that the APU2C4 is poor hardware?

I have ordered a QOTOM on AliExpress, Core i7, 8GB RAM.

Do you think that installing pfSense will improve this on the APU2C4?

The config should be in loader.conf.local and some in the tunables.
I tried it for the APU 2C4 but still max ~10/11 MB/s with Suricata inline; Snort with some PF magic (pfSense) gives the full bandwidth.
It's not a true inline IPS but works pretty well for home usage.
Perhaps one day, when home hardware (like the APU2c4, which is quad core with 4 GB memory) works nicely with Suricata, I will switch; until then I use Snort, since losing 60% of your bandwidth is just not worth it.

Quote from: xmichielx on August 02, 2018, 10:54:36 AM
The config should be in loader.conf.local and some in the tunables.
I tried it for the APU 2C4 but still max ~10/11 MB/s with Suricata inline; Snort with some PF magic (pfSense) gives the full bandwidth.
It's not a true inline IPS but works pretty well for home usage.
Perhaps one day, when home hardware (like the APU2c4, which is quad core with 4 GB memory) works nicely with Suricata, I will switch; until then I use Snort, since losing 60% of your bandwidth is just not worth it.

How many rules do you run on Snort vs Suricata? Can you try changing the Scan engine?

Two points.
OPNsense does not have Snort. OPNsense was built optimizing Suricata.
Some Snort rules are not compatible with Suricata.

Quote from: mimugmail on August 02, 2018, 10:57:02 AM
Quote from: xmichielx on August 02, 2018, 10:54:36 AM
The config should be in loader.conf.local and some in the tunables.
I tried it for the APU 2C4 but still max ~10/11 MB/s with Suricata inline; Snort with some PF magic (pfSense) gives the full bandwidth.
It's not a true inline IPS but works pretty well for home usage.
Perhaps one day, when home hardware (like the APU2c4, which is quad core with 4 GB memory) works nicely with Suricata, I will switch; until then I use Snort, since losing 60% of your bandwidth is just not worth it.

How many rules do you run on Snort vs Suricata? Can you try changing the Scan engine?

The same amount; I use the ET Open rules and they work for both Snort and Suricata.
I tried enabling from 1 rule up to 15 rules; no difference.
I also tried changing the Scan engine. Hyperscan has the best performance (Intel NICs are used on the APU 2), but no profit there.

Quote from: dcol on August 02, 2018, 04:07:45 PM
Two points.
OPNsense does not have Snort. OPNsense was built optimizing Suricata.
Some Snort rules are not compatible with Suricata.

I never said that OPNsense has Snort; that is why I use/used pfSense.
I know that some Snort rules are incompatible with Suricata. I use the supplied ET Open rules and they work for both IDS/IPS.
Still not related to the performance hit on the APU 2. Actually, I cannot find a single post where someone says he has 75%-100% of his/her bandwidth after using Suricata inline (this has nothing to do with OPNsense but is related to Suricata and its scanning engine, which caps bandwidth inline when used on 'smaller' hardware for home use).

I think this is somewhat clocking related, which has a higher impact on slow hardware.
No idea how Snort on pfSense works; perhaps it adds pf rules after a match, which doesn't require a real inline setup, so it might be more performant on smaller hardware, but that's just a guess.

I'm not against building a Snort plugin, but I'm not sure if it's worth the work, since IPS for home use is debatable (my personal opinion).

August 09, 2018, 11:36:08 AM #41 Last Edit: August 10, 2018, 09:42:03 AM by xmichielx
I must nuance my 'rant' about Suricata; after enabling just the categories that are most necessary for me (i.e. trojan, malware, mobile_malware, exploit) and using Hyperscan, I get a more reasonable ~14-16 MB/s (where 22 MB/s is my max), which is acceptable for me.
I now have the benefit of a NIDS/IPS blocking/filtering on the LAN/GUEST_VLAN interfaces and still retain some of my bandwidth.
So a big tip for all APU 2 users: use the Hyperscan Scan engine and choose only what is necessary.
I did not use any of the tweaks except the ones mentioned above :)

Using only rules that are 'necessary' is always the proper method. It just takes some homework. If your internal LAN is trusted, then you don't need to use IDS on it. Logic is always the best approach.
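The two posts above both come down to the same step: keep only the ET Open categories you actually need and switch everything else off. The script below is an added example, not code from the thread or from OPNsense. It assumes Suricata's one-rule-per-line .rules format, that a rule whose line starts with '#' is disabled, and that the ET category is the word after "ET " at the start of the msg option (as in "ET TROJAN ..."). The sample rules and their sids are constructed for this example and are not real ET rules.

```python
import re

# ET categories to keep enabled (the set named in the post above);
# every other enabled rule is commented out.
WANTED = {"TROJAN", "MALWARE", "MOBILE_MALWARE", "EXPLOIT"}

ACTIONS = ("alert", "drop", "pass", "reject", "rejectsrc", "rejectdst", "rejectboth")
MSG_RE = re.compile(r'msg:\s*"ET ([A-Z_]+)\b')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')

# Constructed sample rules for this example; the sids are not real ET sids.
SAMPLE_RULES = """\
# constructed sample set, not the real emerging-all.rules
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Sample CnC Beacon"; flow:established,to_server; content:"beacon"; classtype:trojan-activity; sid:1000001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sample Downloader UA"; flow:established,to_server; http.user_agent; content:"evil-ua"; classtype:trojan-activity; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"ET EXPLOIT Sample Overflow Attempt"; flow:established,to_server; content:"|90 90 90 90|"; classtype:attempted-admin; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Sample Port Sweep"; flags:S; threshold:type both,track by_src,count 20,seconds 60; classtype:attempted-recon; sid:1000004; rev:1;)
alert tcp any any -> any 21 (msg:"ET POLICY Sample FTP Login"; flow:established,to_server; content:"USER "; classtype:policy-violation; sid:1000005; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Sample Disabled Upstream"; flow:established,to_server; content:"x"; classtype:trojan-activity; sid:1000006; rev:1;)
"""


def split_rule(line):
    """Return (is_rule, disabled, body) for one line of a .rules file."""
    stripped = line.strip()
    disabled = stripped.startswith("#")
    body = stripped.lstrip("#").strip()
    first = body.split(None, 1)[0] if body else ""
    return first in ACTIONS, disabled, body


def category(body):
    """ET category from the msg option, e.g. 'TROJAN'; None if not an ET rule."""
    m = MSG_RE.search(body)
    return m.group(1) if m else None


def sid(body):
    m = SID_RE.search(body)
    return int(m.group(1)) if m else None


def trim_ruleset(text, wanted=WANTED):
    """Comment out every enabled rule whose ET category is not in `wanted`.
    Rules the upstream feed already disabled are left alone, so this only ever
    reduces the active set. Returns (new_text, active_sids, switched_off_sids)."""
    out, active, switched_off = [], [], []
    for line in text.splitlines():
        is_rule, disabled, body = split_rule(line)
        if not is_rule or disabled:
            out.append(line)            # comments, blanks, upstream-disabled rules
            continue
        if category(body) in wanted:
            out.append(body)
            active.append(sid(body))
        else:
            out.append("# " + body)     # leading '#' = disabled for Suricata
            switched_off.append(sid(body))
    return "\n".join(out) + "\n", active, switched_off


if __name__ == "__main__":
    new_text, active, off = trim_ruleset(SAMPLE_RULES)
    print(new_text)
    print("active sids:", active)
    print("switched off:", off)
```

Run it against a real emerging-all.rules and compare the two sid lists before loading the result; the count of active rules is what drives the per-packet cost, so the "switched off" list is the one to sanity-check for categories you still want.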

August 10, 2018, 09:42:58 AM #43 Last Edit: August 10, 2018, 09:53:07 AM by xmichielx
I use the IPS mainly for my LAN/Guest VLAN since I want to detect malware. But I can understand that people also use it in front of their servers etc.
PS: changing the networks from 3 private ranges to only 192.168.0.0/16 also seems to affect the bandwidth (+/- 1 or 2 MB/s gain!)

Quote from: xmichielx on August 10, 2018, 09:42:58 AM
I use the IPS mainly for my LAN/Guest VLAN since I want to detect malware. But I can understand that people also use it in front of their servers etc.
PS: changing the networks from 3 private ranges to only 192.168.0.0/16 also seems to affect the bandwidth (+/- 1 or 2 MB/s gain!)
Our internal LAN is trusted as it's clean and we know what is running internally.
Do you mean we do not need to use IDS for this? We do have some servers behind it and want them to be protected.

We keep getting one alert from this IP 150.109.50.77 on port 25, in and out, and the action is allowed:

Timestamp 2018-11-17T01:58:28.386557+0100
Alert SURICATA SMTP data command rejected
Alert sid 2220008
Protocol TCP
Source IP 2.51.55.22
Destination IP 150.109.50.77
Source port 25
Destination port 35064
Interface wan

Any suggestions on how to treat this alert?
DEC4240 – OPNsense Owner
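The first thing to settle for an alert like the one above is which side is the client, which is the server, and whether either endpoint is in HOME_NET. The script below is an added example, not code from the thread or from OPNsense. It reads a Suricata EVE JSON alert record; the record embedded here is constructed to mirror the fields quoted in the post (it is not a captured log line), and the HOME_NET of 192.168.0.0/16 is an assumption, since the poster's HOME_NET is not given. It uses the port numbers to tell the server side (well-known port) from the client side (ephemeral port), which is how a TCP alert's src/dest can be read even when the alerted packet is the server's reply.

```python
import ipaddress
import json

# Assumed HOME_NET for this example; the poster's real HOME_NET is not given.
HOME_NET = [ipaddress.ip_network("192.168.0.0/16")]
WELL_KNOWN_MAX = 1023   # ports 0-1023 are taken as the service (server) side

# Constructed EVE record mirroring the fields quoted in the post above.
SAMPLE_EVE_LINE = json.dumps({
    "timestamp": "2018-11-17T01:58:28.386557+0100",
    "event_type": "alert",
    "in_iface": "wan",
    "src_ip": "2.51.55.22", "src_port": 25,
    "dest_ip": "150.109.50.77", "dest_port": 35064,
    "proto": "TCP",
    "alert": {"action": "allowed", "signature_id": 2220008,
              "signature": "SURICATA SMTP data command rejected"},
})


def in_home(ip, home_net):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in home_net)


def triage(eve_line, home_net=HOME_NET):
    """Work out client, server and flow direction for one EVE alert line.
    Returns None for records that are not alerts (flow, dns, ...)."""
    ev = json.loads(eve_line)
    if ev.get("event_type") != "alert":
        return None
    src = (ev["src_ip"], ev["src_port"])
    dst = (ev["dest_ip"], ev["dest_port"])
    # The alerted packet travels src -> dest. If the source port is the
    # well-known one, the packet is the server's reply and the client is dest.
    if src[1] <= WELL_KNOWN_MAX < dst[1]:
        server, client, server_reply = src, dst, True
    elif dst[1] <= WELL_KNOWN_MAX < src[1]:
        server, client, server_reply = dst, src, False
    else:
        server, client, server_reply = None, None, None
    c_home = client is not None and in_home(client[0], home_net)
    s_home = server is not None and in_home(server[0], home_net)
    if client is None:
        flow = "unknown (no well-known port on either side)"
    elif c_home and s_home:
        flow = "internal"
    elif c_home:
        flow = "outbound (home client to external server)"
    elif s_home:
        flow = "inbound (external client to home server)"
    else:
        flow = "neither endpoint in HOME_NET"
    return {
        "sid": ev["alert"]["signature_id"],
        "signature": ev["alert"]["signature"],
        "iface": ev.get("in_iface"),
        # EVE reports "blocked" when the packet was dropped, "allowed" otherwise.
        "dropped": ev["alert"]["action"] == "blocked",
        "client": client, "server": server,
        "packet_is_server_reply": server_reply,
        "flow": flow,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVE_LINE), indent=2))
```

For the constructed record this reports the host with port 25 as the server and the host with port 35064 as the client, and the alerted packet as the server's reply. A result of "neither endpoint in HOME_NET" on an alert seen on the wan interface is worth a look at the HOME_NET definition itself: when Suricata runs on the WAN side, the firewall's own public address has to be part of HOME_NET for direction-based reading of alerts to mean anything.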