Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    SG-5100 with suricata enabled throughput drops by 60%

    Scheduled Pinned Locked Moved
    Official Netgate® Hardware
    4
    5
    982
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • von PapstV
      von Papst
      last edited by

      I have configured the suricata package with only one ruleset (snort free rules) and when I enable this on igb0 interface the throughput drops from 480 Mb/s to around 200 Mb/s. Is it really this too much for SG-5100? any hint how to fix suricata to be able to process without so drastic drop. I'm using inline mode.

      1 Reply Last reply Reply Quote 0
      • bmeeksB
        bmeeks
        last edited by

        Which specific rules within the Snort Subscriber Rules set did you enable? The total number of enabled rules will greatly impact throughput.

        You should select and tune an IDS/IPS ruleset so that you only look for threats that are applicable to your network. For example, if you do not have a local public-facing web server, no public-facing (and public serving) DNS server, and no public-facing mail server, then you do not need any of those server rule categories enabled.

        I don't know your experience level with administering an IDS/IPS, but some new users think they just need to enable say the Snort Subscriber Rules and then go enable all the categories and they're good. That is usually way overkill and results in throughput issues.

        If you are new to IDS/IPS administration, I recommend going to the CATEGORIES tab and unchecking any rule categories you have manually checked and instead click the option up above to use an IPS Policy and select the "Connectivity" policy. That's usually all you will need for most networks. And even then, it may be helpful to manually disable some of those policy rules if you do not have open and forwarded ports to some services (such as email, DNS, etc.).

        But even thinning out the enabled rules may still not give you the same throughput you can obtain without an IDS/IPS running. It's just the nature of the beast that routing packets through a bunch of IDS/IPS rules is CPU intensive, and when the CPU is busy inspecting packets it has less time to devote to receiving and transmitting them. Thus throughput suffers.

        1 Reply Last reply Reply Quote 1
        • von PapstV
          von Papst
          last edited by

          @bmeeks Well I already minimised the rule sets to bare minimum and still the drop is drastic. Would SG-6100 solve such issue?

          1 Reply Last reply Reply Quote 0
          • stephenw10S
            stephenw10 Netgate Administrator
            last edited by

            Unlikely, it uses the same CPU. It would only help if you're somehow hitting a NIC issue, the 6100 offers different NICs types.
            Which NICs are you using? Try using the igb ports if you're using ix. Or vice versa.

            Steve

            M 1 Reply Last reply Reply Quote 0
            • M
              markster @stephenw10
              last edited by markster

              @stephenw10 I also have 5100 and running Snort. I have some rules on 2 interfaces - both LAN. I dont have any on WAN side.

              I selected rules in Categories that are relevant to my network.
              My CPU is 4% and RAM 12% used. I am happy how Snort works for me - Legacy Mode.

              My throughput did not change.

              1 Reply Last reply Reply Quote 1
              • First post
                Last post