Suricata much worse than guardian?.

[Roberto Peña]

This is my machine:

https://fireinfo.ipfire.org/profile/3c6 ... 468c299bcf

I´ve 100 symmetric Mbits and Suricata gives the impression that it works worse than guardian. With Guardian, the CPU did not arrive with 100 symmetric at 60% CPU.

With my machine, it perfectly held 300 Symmetrical. With 600, it gave 408 Mbits/s

Bad business.

Regards.

[DJ-Melo]

https://blog.ipfire.org/

https://wiki.ipfire.org/configuration/f ... iderations

Detecting intrusion is a very expensive operation. Powerful hardware will be required to perform it in realtime or higher latencies or packet drops will happen.

[Arne.F]

I´ve 100 symmetric Mbits and Suricata gives the impression that it works worse than guardian

guardian only blocks supected ip after analyzing the snort logs, the attack usually reach the target long before the ip is blocked.
suricata intercept the connection in realtime, this add a bit latency and need much more system resources. An APU1 can hande arround 110 mBit/s in one direction.

[Roberto Peña]

Thank you all for responding.

Well, it's a shame. When you talk about using all the threads of the processor, think, "What good !!!, now it will be better !!!" and the reality is different.

The problem is for those of us who have an interesting amount of PCEngines machines. We'll have to stay stuck in the 130.

There is no solution, apart from changing machine for more powerful, Deactivate Suricata if we want to continue updating. No?.

Thanks for everything.

Greetings.

[DJ-Melo]

The speed also breaks down to about 20 mbit instead of just under 50 with all rules active

[MichaelTremer]

The speed also breaks down to about 20 mbit instead of just under 50 with all rules active

Please do not activate all rules. Please read through this: https://wiki.ipfire.org/configuration/f ... -selection

[DJ-Melo]

I sounded QOS I come to 7 instead of 25 MB / s is already a lot of what is lost in terms of performance

thanks Michael vor the hint ich will have a look at needed rules

[DJ-Melo]

I have the rules revised yet the speed is modest Core 130 with ids 200 mbit core 131 with ids 114 mbit

[Roberto Peña]

In my case:

Core130

Code: Select all

[root@bs ~]# ./speedtest-cli --server 10512
Retrieving speedtest.net configuration...
Testing from Telefonica de Espana (88.6.198.61)...
Retrieving speedtest.net server list...
Retrieving information for the selected server...
Hosted by Sarenet (Zamudio) [5.93 km]: 25.655 ms
Testing download speed................................................................................
Download: 438.47 Mbit/s
Testing upload speed................................................................................................
Upload: 272.16 Mbit/s

Core131

Code: Select all

[root@bs ~]# ./speedtest-cli --server 10512
Retrieving speedtest.net configuration...
Testing from Telefonica de Espana (88.6.198.61)...
Retrieving speedtest.net server list...
Retrieving information for the selected server...
Hosted by Sarenet (Zamudio) [5.93 km]: 22.508 ms
Testing download speed................................................................................
Download: 89.09 Mbit/s
Testing upload speed................................................................................................
Upload: 99.58 Mbit/s

It is brutal.

[MichaelTremer]

It is brutal.

Yes, but given the hardware this is an amazing result. We have tuned a lot on that to get it to that speed.

An IPS does an *immense* amount of work. It is busy with many many things from receiving the packets, reordering them, building a byte-stream, parsing HTTP requests or DNS replies. And then there is a huge amount of rules that need to be tested against it.

We have some things in the pipeline that will bring throughput up even further, but we are quite low on development time right now.

[Roberto Peña]

Thanks Michael for your reply.

An idea. Could it be that both solutions (Suricata and Guardian) subsist and that each one choose which one he wants to use?

For machines with a low level of resources -> Guardian. (It is done.)
For machines with a high processing power -> Suricata.

It would be great if this were possible because we all want a Ferrari... but... In the next life maybe

Regards.

[MichaelTremer]

I think that you are confusing Guardian with snort. Snort needs to be switched on to detect alarms and Guardian will react.

Therefore the CPU load will probably be worse with snort.

[Roberto Peña]

I refer to this possibility:

Thanks for your dedication.

[MichaelTremer]

I do not get your point. This is an IPS now. It will drop packets.

[Roberto Peña]

Sorry Michael if I do not know how to explain. The problem is that with PCEngines and Guardian, with 600 symmetric Mbits the IPFire was around 400 Mbits and with Suricata, 90 Mbits.

400 Mbits were manageable but with 90 Mbits, it is unfeasible.

This may be clearer:

or

Suricata (131) and the IDS + Guardian (130) use the same database, right?. Could not both be as ADDONS and that each one use the one he wants?

I do not know, I'm sorry, but with these results, I'll have to stay stuck in 130.