Netgate Discussion Forum
    Ways to improve IDS performance in PfSense?

    Category: IDS/IPS
    9 Posts, 3 Posters, 3.5k Views
    weet9342:

      Hello everyone,

      I'm testing both Snort and Suricata on my pfSense, and I'm trying to figure out which one will work best in my home network. Currently I want to see if I can improve their performance without reducing their detection capabilities.

      I've tried disabling some rules, and also some rule categories that I don't really need, but it didn't improve anything in Snort or Suricata.

      I'm wondering whether, if I want to improve their performance, the best way is to improve my pfSense machine rather than trying to tune Snort or Suricata to handle it better (by better I mean with lower impact on bandwidth and processor usage).

      Can someone give me tips on this please? I'm fairly new to IDS.

      Thanks in advance

    SteveITS (Galactic Empire):

        If you put it on the LAN side it won't scan packets that will be blocked by the firewall anyway.

        What sort of performance impact are you seeing? What CPU do you have?

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

    weet9342:

          Hello teamits,

          For now I have an IDS scanning on 2 VLANs; should I change that? It seems to be working fine.

          My CPU is an Intel Xeon 3.4GHz, and for the record, I'm not trying to do this because I'm having issues; I'm trying to understand which will use less CPU, which one will work best using the fewest resources.

          I was wondering if the main thing impacting the CPU usage was the IDS package itself (Snort or Suricata) or the rules that they use.

    SteveITS (Galactic Empire):

            I don't have an answer for you. Neither should be anywhere close to an issue on a Xeon though. :) If I had to guess I would say the rules, since the matching is probably about the same but the choice of 5000 vs 100000 rules would make more difference. In any case I doubt it will be noticeable unless you have a very high speed connection.

            In terms of what to scan, I would scan untrusted traffic. I was just saying that if it is scanning the WAN, that happens before the packets get blocked or allowed by the firewall.

    weet9342 @SteveITS:

              @teamits, thanks for the help, I really appreciate it.

              I'm not having any issues with my CPU, I just want to optimize it. But yes, I've been disabling some rules and some rulesets and no noticeable improvement was found, so I'm thinking that there is not much I can do.

              Anyway, thank you so much for your help, really really appreciate that :)

    NogBadTheBad:

                @weet9342 said in Ways to improve IDS performance in PfSense?:

                    Hello teamits,
                    For now I have an IDS scanning on 2 VLANs; should I change that? It seems to be working fine.
                    My CPU is an Intel Xeon 3.4GHz, and for the record, I'm not trying to do this because I'm having issues; I'm trying to understand which will use less CPU, which one will work best using the fewest resources.
                    I was wondering if the main thing impactin

                Leave it scanning on your VLANs; if you have an infected machine on your LAN it's easier to spot.

                Have you just enabled every rule?

                I have Snort running on a Netgate SG-4860 with 1 x WAN & 6 x VLAN; the CPU doesn't hit more than 12%.

                Andy

                1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

    weet9342 @NogBadTheBad:

                  @nogbadthebad

                  Yes, for now I have every ruleset enabled, but I'll change that since some rulesets aren't needed.

                  And yeah, I'm not having CPU issues, I just wanted to understand what I could do in order to improve performance.

                  Out of curiosity, have you tried Suricata? If so, what made you change to Snort?

    NogBadTheBad:

                    Every ruleset will be an issue; why check every rule set when you don't run the protocol?

                    Never tried Suricata. Snort works fine for me, and when v3.0 is released it should be multi-threaded.

                    https://forum.netgate.com/topic/128480/how-automatic-sid-management-and-user-rule-overrides-work-in-snort-and-suricata

                    I use IPS Policy Balanced.

                    Andy

                    1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                    1 Reply Last reply Reply Quote 1
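The point made in this thread is that the number of rules actually enabled costs more CPU than the choice of engine, and that rulesets for protocols you do not carry are pure overhead. The script below is an added example, not code from the thread, from the Netgate packages or from the Snort project: it parses rule lines in the Snort/Suricata syntax and counts enabled rules per service, optionally restricted to one IPS policy, so you can measure what disabling a category or switching policy removes from the active set. The rules in SAMPLE_RULES are constructed for this example and are not real signatures; the `policy <name>-ips` and `service` metadata tags follow the convention used by Snort subscriber rules, which the pfSense Snort package's IPS Policy setting selects on. The leading `#` marks a disabled rule.

```python
"""Summarise a Snort/Suricata rules file by service and IPS policy.

Counts what is actually enabled so you can see how much work a category
or policy change removes. The sample rules are constructed for this example.
"""
import re
from collections import Counter

# Constructed sample in Snort/Suricata rule syntax (not real signatures).
# A leading '#' is a disabled rule, the convention SID management also uses.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE SSH brute force"; flow:to_server; metadata:policy balanced-ips drop, policy security-ips drop, service ssh; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SAMPLE HTTP probe"; flow:to_server,established; metadata:policy security-ips alert, service http; sid:9000002; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SAMPLE SNMP community"; metadata:policy balanced-ips alert, service snmp; sid:9000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg:"SAMPLE MSSQL outbound"; metadata:policy connectivity-ips drop, policy balanced-ips drop, service mssql; sid:9000004; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SAMPLE SMB attempt"; metadata:policy security-ips drop, service netbios-ssn; sid:9000005; rev:3;)
alert icmp any any -> $HOME_NET any (msg:"SAMPLE ICMP sweep"; sid:9000006; rev:1;)
"""

# header: [#] action proto src sport -> dst dport (options)
RULE_RE = re.compile(
    r'^(?P<disabled>#\s*)?(?P<action>alert|drop|pass|reject|log)\s+'
    r'(?P<proto>\w+)\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+(?P<dport>\S+)\s+'
    r'\((?P<options>.*)\)\s*$'
)


def parse_rule(line):
    """Return a dict describing one rule line, or None for blanks/other comments."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    opts = m.group("options")
    sid = re.search(r'\bsid:\s*(\d+)', opts)
    meta = re.search(r'\bmetadata:\s*([^;]*);', opts)
    policies = set()
    service = None
    if meta:
        for item in meta.group(1).split(","):
            parts = item.split()
            if len(parts) >= 2 and parts[0] == "policy":
                policies.add(parts[1])          # e.g. balanced-ips
            elif len(parts) == 2 and parts[0] == "service":
                service = parts[1]              # e.g. ssh, http
    return {
        "sid": int(sid.group(1)) if sid else None,
        "enabled": m.group("disabled") is None,
        "action": m.group("action"),
        "proto": m.group("proto"),
        "dport": m.group("dport"),
        # rules without a service tag are grouped under their protocol
        "service": service or m.group("proto"),
        "policies": policies,
    }


def summarize(text, policy=None):
    """Count enabled rules per service; with a policy name, count only rules in that policy."""
    by_service = Counter()
    enabled = disabled = 0
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        if not rule["enabled"]:
            disabled += 1
            continue
        if policy is not None and policy not in rule["policies"]:
            continue
        enabled += 1
        by_service[rule["service"]] += 1
    return {"enabled": enabled, "disabled": disabled, "by_service": dict(by_service)}


def rules_for_unused_services(text, services_in_use):
    """Enabled rules whose service you do not run: candidates for disabling."""
    counts = summarize(text)["by_service"]
    return {s: n for s, n in counts.items() if s not in services_in_use}


if __name__ == "__main__":
    # Hypothetical home network that only exposes SSH and HTTP and answers ping.
    in_use = {"ssh", "http", "icmp"}
    print("all enabled:", summarize(SAMPLE_RULES))
    print("balanced-ips only:", summarize(SAMPLE_RULES, policy="balanced-ips"))
    print("overhead for services not in use:",
          rules_for_unused_services(SAMPLE_RULES, in_use))
```

Point it at a real rules file (for example by reading the `.rules` files the package downloads) and compare the `enabled` figure before and after a category or policy change; that number, not the engine name, is what the CPU load tracks with.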
                    • W
                      weet9342
                      last edited by

                      I had every rule set checked just for testing purposes. But now I will check whether changing the IPS policy will make a big improvement in my network. Thank you so much for your help, cheers!

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.