Snort Inline IPS Speeds
-
I was running snort inline ips. I understand that it affects my speeds. But I didn't know it was this bad. I am using verizon fios, and get speeds as follows:
This is when I am NOT running snort on my device.
When running Snort, I get about 10/10. Is this normal? I don't believe I went crazy with the rulesets....
I am using a IP reputation list. -
You omitted some needed information such as what exact type of hardware is pfSense running on and how much RAM is available? Snort is single-threaded and thus works best with very high clock speed CPUs. With Snort, it's the CPU clock speed that matters most and not the number of cores as only a single core will ever be used by Snort.
Typically I would expect throughput speed with IPS enabled to be 75% to as low as 50% of the speed you get with IPS disabled. But that all really depends on the enabled rules. And it's not just the number of enabled rules. What those rules are doing matters as well. Some rules can be computationally intense with pattern matching. You mention IP reputation list rules. Those will be the least computationally intense.
Your throughput should definitely be better than 10/10 (I assume you mean megabits/second with those values) unless you have truly anemic hardware.
-
@bmeeks
It is the Protectli FW4B - 4 Port Intel
J3160. I have 8 GB RAM total. -
@droidus said in Snort Inline IPS Speeds:
@bmeeks
It is the Protectli FW4B - 4 Port Intel J3160. I have 8 GB RAM total.That hardware should easily do much better than the 10/10 you said you are seeing.
I can already guess your next question, but sorry, "no, I have no idea why you are not seeing better performance" ...
. That slow throughput is certainly not the case with many other users here on similar types of hardware in terms of capability. You will likely never get line-rate Gigabit traffic inspection with Snort unless you have a screaming fast CPU, but you should get better than 200 Mbps with most hardware.
