Suricata much worse than guardian?

Questions to IPFire Addons.
Roberto Peña
Posts: 761
Joined: July 16th, 2014, 3:56 pm
Location: Bilbao (España)

Suricata much worse than guardian?

Post by Roberto Peña » April 24th, 2019, 8:56 am

This is my machine:

https://fireinfo.ipfire.org/profile/3c6 ... 468c299bcf

I've 100 symmetric Mbits and Suricata gives the impression that it works worse than guardian. With Guardian, the CPU did not arrive with 100 symmetric at 60% CPU.
Test.jpg
With my machine, it perfectly held 300 Symmetrical. With 600, it gave 408 Mbits/s

Bad business. :'(

Regards.

╔════════════════════════════════════════════════╗
Donate to improve IPFire: https://www.ipfire.org/donate
╚════════════════════════════════════════════════╝

DJ-Melo
Posts: 672
Joined: July 8th, 2014, 7:12 am

Re: Suricata much worse than guardian?.

Post by DJ-Melo » April 24th, 2019, 9:41 am

https://blog.ipfire.org/

https://wiki.ipfire.org/configuration/f ... iderations
Detecting intrusion is a very expensive operation. Powerful hardware will be required to perform it in realtime or higher latencies or packet drops will happen.

Arne.F
Core Developer
Posts: 8516
Joined: May 7th, 2006, 8:57 am
Location: BS <-> NDH

Re: Suricata much worse than guardian?

Post by Arne.F » April 24th, 2019, 1:57 pm

Roberto Peña wrote:
I've 100 symmetric Mbits and Suricata gives the impression that it works worse than guardian

guardian only blocks a suspected IP after analyzing the snort logs; the attack usually reaches the target long before the IP is blocked.
suricata intercepts the connection in realtime; this adds a bit of latency and needs much more system resources. An APU1 can handle around 110 Mbit/s in one direction.
Arne

Support the project on the donation!

PS: I will not answer support questions via email and ignore IPFire related messages on my non IPFire.org mail addresses.
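Arne's distinction above (log-driven blocking after the fact versus inline interception) as an added example that is not IPFire, Guardian or Suricata code: a small Python simulation that parses constructed snort-style fast-log alert lines, applies a Guardian-like per-source alert threshold (the threshold of 2, the local-range SIDs and the alert messages are assumptions), and counts how many alerting packets had already reached the target before the block was installed, compared with an inline IPS that drops each alerting packet as it is inspected.

```python
"""Reactive (log-driven) blocking versus inline dropping, as a simulation.

Added example, not IPFire, Guardian or Suricata code. The alert lines are
constructed in the style of a snort "fast" alert log; the SIDs are in the
local-rule range, the messages are invented and the addresses are from the
documentation ranges.
"""
import re
from collections import Counter

# Constructed sample alert log (format assumption: snort fast-log style).
SAMPLE_FAST_LOG = """\
04/24-08:55:01.123456  [**] [1:1000001:1] LOCAL suspicious SSH probe [**] [Priority: 2] {TCP} 203.0.113.10:51234 -> 192.0.2.5:22
04/24-08:55:02.223456  [**] [1:1000001:1] LOCAL suspicious SSH probe [**] [Priority: 2] {TCP} 198.51.100.7:51235 -> 192.0.2.5:22
04/24-08:55:03.323456  [**] [1:1000002:1] LOCAL web scanner user-agent [**] [Priority: 2] {TCP} 203.0.113.10:51236 -> 192.0.2.5:80
04/24-08:55:04.423456  [**] [1:1000001:1] LOCAL suspicious SSH probe [**] [Priority: 2] {TCP} 203.0.113.10:51237 -> 192.0.2.5:22
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+):\d+"
)


def parse_alerts(text):
    """Parse fast-log lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["prio"] = int(d["prio"])
            alerts.append(d)
    return alerts


def reactive_blocks(alerts, threshold=2):
    """Guardian-style decision: watch the alert log, count alerts per source
    and add a firewall block once a source reaches the threshold.

    Returns src -> number of alerting packets that had already reached the
    target when the block was added. Every alert up to and including the one
    that tipped the counter was observed only after its packet had passed.
    """
    counts = Counter()
    blocked = {}
    for a in alerts:
        src = a["src"]
        if src in blocked:
            continue  # already firewalled; later packets from it are dropped
        counts[src] += 1
        if counts[src] >= threshold:
            blocked[src] = counts[src]
    return blocked


def passed_before_block(alerts, threshold=2):
    """Per source: alerting packets delivered under the reactive model.
    A source that never reaches the threshold is never blocked, so all of
    its alerting packets pass."""
    blocked = reactive_blocks(alerts, threshold)
    counts = Counter(a["src"] for a in alerts)
    return {src: blocked.get(src, counts[src]) for src in counts}


def inline_drops(alerts):
    """Inline IPS model: each alerting packet is dropped before delivery,
    so the number reaching the target is zero for every source. The price,
    as the post explains, is that every packet is inspected on the data path."""
    return {a["src"]: 0 for a in alerts}


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_FAST_LOG)
    print("reactive (log-driven):", passed_before_block(parsed, threshold=2))
    print("inline IPS:           ", inline_drops(parsed))
```

With the constructed log, 203.0.113.10 is blocked only after its second alert, so two of its alerting packets were already delivered; 198.51.100.7 never reaches the threshold and is never blocked. The inline model delivers none of them, which is the trade Arne describes: no window of exposure, at the cost of inspecting the whole stream in real time.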

Roberto Peña
Posts: 761
Joined: July 16th, 2014, 3:56 pm
Location: Bilbao (España)

Re: Suricata much worse than guardian?

Post by Roberto Peña » April 24th, 2019, 3:47 pm

Thank you all for responding.

Well, it's a shame. When you talk about using all the threads of the processor, you think, "How good!!! Now it will be better!!!" and the reality is different.

The problem is for those of us who have an interesting amount of PCEngines machines. We'll have to stay stuck in the 130.

There is no solution, apart from changing the machine for a more powerful one, or deactivating Suricata if we want to continue updating. No?

Thanks for everything.

Greetings.

DJ-Melo
Posts: 672
Joined: July 8th, 2014, 7:12 am

Re: Suricata much worse than guardian?

Post by DJ-Melo » April 25th, 2019, 4:08 pm

The speed also breaks down to about 20 Mbit instead of just under 50 with all rules active.

MichaelTremer
Core Developer
Posts: 5793
Joined: August 11th, 2005, 9:02 am

Re: Suricata much worse than guardian?

Post by MichaelTremer » April 26th, 2019, 9:28 am

DJ-Melo wrote:
April 25th, 2019, 4:08 pm
The speed also breaks down to about 20 Mbit instead of just under 50 with all rules active

Please do not activate all rules. Please read through this: https://wiki.ipfire.org/configuration/f ... -selection

Support the project with our Donation Challenge!

Get Commercial Support for IPFire and more from Lightning Wire Labs!


DJ-Melo
Posts: 672
Joined: July 8th, 2014, 7:12 am

Re: Suricata much worse than guardian?

Post by DJ-Melo » April 26th, 2019, 9:32 am

With QOS on, I come to 7 instead of 25 MB/s, which is already a lot to lose in terms of performance.

Thanks Michael for the hint, I will have a look at the needed rules.

DJ-Melo
Posts: 672
Joined: July 8th, 2014, 7:12 am

Re: Suricata much worse than guardian?

Post by DJ-Melo » April 26th, 2019, 1:11 pm

I have revised the rules, yet the speed is modest: Core 130 with IDS 200 Mbit, Core 131 with IDS 114 Mbit.

Roberto Peña
Posts: 761
Joined: July 16th, 2014, 3:56 pm
Location: Bilbao (España)

Re: Suricata much worse than guardian?

Post by Roberto Peña » April 26th, 2019, 1:21 pm

In my case:

Core130

    [root@bs ~]# ./speedtest-cli --server 10512
    Retrieving speedtest.net configuration...
    Testing from Telefonica de Espana (88.6.198.61)...
    Retrieving speedtest.net server list...
    Retrieving information for the selected server...
    Hosted by Sarenet (Zamudio) [5.93 km]: 25.655 ms
    Testing download speed................................................................................
    Download: 438.47 Mbit/s
    Testing upload speed................................................................................................
    Upload: 272.16 Mbit/s

Core131

    [root@bs ~]# ./speedtest-cli --server 10512
    Retrieving speedtest.net configuration...
    Testing from Telefonica de Espana (88.6.198.61)...
    Retrieving speedtest.net server list...
    Retrieving information for the selected server...
    Hosted by Sarenet (Zamudio) [5.93 km]: 22.508 ms
    Testing download speed................................................................................
    Download: 89.09 Mbit/s
    Testing upload speed................................................................................................
    Upload: 99.58 Mbit/s

It is brutal.

MichaelTremer
Core Developer
Posts: 5793
Joined: August 11th, 2005, 9:02 am

Re: Suricata much worse than guardian?

Post by MichaelTremer » April 26th, 2019, 1:51 pm

Roberto Peña wrote:
April 26th, 2019, 1:21 pm
It is brutal.

Yes, but given the hardware this is an amazing result. We have tuned a lot on that to get it to that speed.

An IPS does an *immense* amount of work. It is busy with many many things from receiving the packets, reordering them, building a byte-stream, parsing HTTP requests or DNS replies. And then there is a huge amount of rules that need to be tested against it.

We have some things in the pipeline that will bring throughput up even further, but we are quite low on development time right now.

Roberto Peña
Posts: 761
Joined: July 16th, 2014, 3:56 pm
Location: Bilbao (España)

Re: Suricata much worse than guardian?

Post by Roberto Peña » April 26th, 2019, 2:11 pm

Thanks Michael for your reply.

An idea. Could it be that both solutions (Suricata and Guardian) subsist, and that each one chooses which one he wants to use?

For machines with a low level of resources -> Guardian. (It is done.)
For machines with a high processing power -> Suricata.

It would be great if this were possible because we all want a Ferrari... but... In the next life maybe >:D

Regards.

MichaelTremer
Core Developer
Posts: 5793
Joined: August 11th, 2005, 9:02 am

Re: Suricata much worse than guardian?

Post by MichaelTremer » April 26th, 2019, 2:57 pm

I think that you are confusing Guardian with snort. Snort needs to be switched on to detect alarms and Guardian will react.

Therefore the CPU load will probably be worse with snort.

Roberto Peña
Posts: 761
Joined: July 16th, 2014, 3:56 pm
Location: Bilbao (España)

Re: Suricata much worse than guardian?

Post by Roberto Peña » April 26th, 2019, 3:09 pm

I refer to this possibility:
Choice.jpg
Thanks for your dedication.

MichaelTremer
Core Developer
Posts: 5793
Joined: August 11th, 2005, 9:02 am

Re: Suricata much worse than guardian?

Post by MichaelTremer » April 26th, 2019, 3:13 pm

I do not get your point. This is an IPS now. It will drop packets.

Roberto Peña
Posts: 761
Joined: July 16th, 2014, 3:56 pm
Location: Bilbao (España)

Re: Suricata much worse than guardian?

Post by Roberto Peña » April 26th, 2019, 3:28 pm

Sorry Michael if I do not know how to explain. The problem is that with PCEngines and Guardian, with 600 symmetric Mbits the IPFire was around 400 Mbits and with Suricata, 90 Mbits.

400 Mbits were manageable but with 90 Mbits, it is unfeasible.

This may be clearer:
Choice1.jpg
or

Suricata (131) and the IDS + Guardian (130) use the same database, right? Could not both be ADDONS, so that each one uses the one he wants?

I do not know, I'm sorry, but with these results, I'll have to stay stuck in 130.