Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Speed drops with snort in Inline Mode

    Scheduled Pinned Locked Moved
    IDS/IPS
    3
    5
    493
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • Mircot80M
      Mircot80
      last edited by

      Hi, I activated a 1Gb FTTH, connected directly to the provider's router I get 940Mb download and 940Mb upload.
      I purchased a Topton mini PC / router with Intel N100 cpu, 8GB ram and 4 x intel i226 2.5G, I installed pfsense and noticed this huge difference:

      • With snort active in Legacy Mode when I do a speedtest the CPU usage goes up to 97% and the speed doesn't drop, I get 940Mb download and 940Mb upload.
      • With snort active in Inline Mode when I do a speedtest the CPU usage rises to 99% and the speed drops, I get 200Mb download and 420Mb upload.
        it's normal? Is it a compatibility problem with network cards?
        Thank you
      1 Reply Last reply Reply Quote 0
      • bmeeksB
        bmeeks
        last edited by bmeeks

        A speed drop is expected when using Inline IPS Mode. How much of a drop is determined by how powerful your CPU is. The N100 is described by Intel as an entry-level CPU.

        I think most folks with powerful CPUs typically see a 25% or so drop in performance. The magnitude of the performance drop is a function of the number of enabled rules and the available single core CPU horsepower.

        Snort is a single-threaded application, so it can only utilize a single CPU core. Suricata may perform better for you as it is multithreaded.

        AmodinA 1 Reply Last reply Reply Quote 1
        • AmodinA
          Amodin @bmeeks
          last edited by

          @bmeeks said in Speed drops with snort in Inline Mode:

          A speed drop is expected when using Inline IPS Mode. How much of a drop is determined by how powerful your CPU is. The N100 is described by Intel as an entry-level CPU.

          I think most folks with powerful CPUs typically see a 25% or so drop in performance. The magnitude of the performance drop is a function of the number of enabled rules and the available single core CPU horsepower.

          Snort is a single-threaded application, so it can only utilize a single CPU core. Suricata may perform better for you as it is multithreaded.

          Snort is a multi-threaded application as of Snort3. Is that not running in the package?

          bmeeksB 1 Reply Last reply Reply Quote 0
          • bmeeksB
            bmeeks @Amodin
            last edited by

            @Amodin said in Speed drops with snort in Inline Mode:

            Snort is a multi-threaded application as of Snort3. Is that not running in the package?

            No, the Snort package on pfSense is based on the 2.9.x binary which is single threaded only. There are currently no plans to implement Snort3 on pfSense.

            AmodinA 1 Reply Last reply Reply Quote 1
            • AmodinA
              Amodin @bmeeks
              last edited by

              @bmeeks said in Speed drops with snort in Inline Mode:

              @Amodin said in Speed drops with snort in Inline Mode:

              Snort is a multi-threaded application as of Snort3. Is that not running in the package?

              No, the Snort package on pfSense is based on the 2.9.x binary which is single threaded only. There are currently no plans to implement Snort3 on pfSense.

              Oof, good to know. I might have to try out some Suricata, as I was just reading about the differences in another thread you had posted about them.

              1 Reply Last reply Reply Quote 0
              • First post
                Last post