Suricata much worse than guardian?.

Questions to IPFire Addons.
MichaelTremer
Core Developer
Posts: 5793
Joined: August 11th, 2005, 9:02 am

Re: Suricata much worse than guardian?.

Post by MichaelTremer » April 26th, 2019, 3:31 pm

No, you are confusing many things.

So snort was an IDS. It analyses traffic against rules. If it finds something, it writes it into a log file. That is it.

Guardian reads log files (I think this is why you think it is being very efficient). If there is a brute-force attack on SSH or if snort finds things, it acts on them.

Suricata analyses traffic like snort and if it finds an attack, it won't just log it, but also blocks it.

So that means that Guardian is useless without a detection system. You will need snort. But suricata does not need guardian. Both together do not make much sense.
Support the project with our Donation Challenge!

Get Commercial Support for IPFire and more from Lightning Wire Labs!


DJ-Melo
Posts: 672
Joined: July 8th, 2014, 7:12 am

Re: Suricata much worse than guardian?.

Post by DJ-Melo » April 26th, 2019, 3:57 pm

That means we don't need Guardian anymore?

DJ-Melo
Posts: 672
Joined: July 8th, 2014, 7:12 am

Re: Suricata much worse than guardian?.

Post by DJ-Melo » April 26th, 2019, 4:00 pm

Which rule set is recommended? For a beginner?

MichaelTremer
Core Developer
Posts: 5793
Joined: August 11th, 2005, 9:02 am

Re: Suricata much worse than guardian?.

Post by MichaelTremer » April 26th, 2019, 4:48 pm

DJ-Melo wrote:
April 26th, 2019, 3:57 pm
That means we don't need Guardian anymore?
No, it only stops SSH brute-force attacks on the firewall itself. Suricata also has rules for that.
DJ-Melo wrote:
April 26th, 2019, 4:00 pm
Which rule set is recommended? For a beginner?
https://wiki.ipfire.org/configuration/f ... s/rulesets
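To make the division of labour in Michael's two replies concrete (the IDS only writes a log; Guardian reads logs and reacts; an inline IPS blocks on its own), here is an added example of a Guardian-style SSH brute-force watcher. It is not IPFire's Guardian code and not Suricata; it is illustrative code written for this thread. It parses constructed sshd log lines (not from a real host), counts "Failed password" events per source address in a sliding window, and reports which addresses crossed the threshold. The `iptables -I INPUT ... -j DROP` command it emits is an assumed, generic blocking action; Guardian's real mechanism, thresholds and log format may differ.

```python
"""Guardian-style SSH brute-force watcher (added example, not IPFire's Guardian code).

A log-watching tool never sees packets. It tails a log that another component
(sshd here, or an IDS such as snort) has already written, counts events per
source address and only then acts, e.g. by adding a firewall rule. An inline IPS
such as suricata instead drops the offending packet itself and needs no watcher.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines in syslog format (not taken from a real host).
SAMPLE_LOG = """\
Apr 26 15:31:01 fw sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Apr 26 15:31:02 fw sshd[2102]: Failed password for root from 203.0.113.7 port 51023 ssh2
Apr 26 15:31:03 fw sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Apr 26 15:31:04 fw sshd[2104]: Failed password for root from 203.0.113.7 port 51025 ssh2
Apr 26 15:31:05 fw sshd[2105]: Failed password for root from 203.0.113.7 port 51026 ssh2
Apr 26 15:31:10 fw sshd[2106]: Failed password for bob from 198.51.100.9 port 40000 ssh2
Apr 26 15:31:12 fw sshd[2107]: Accepted publickey for bob from 198.51.100.9 port 40001 ssh2
Apr 26 15:45:00 fw sshd[2108]: Failed password for root from 192.0.2.33 port 6000 ssh2
Apr 26 15:45:01 fw sshd[2109]: Failed password for root from 192.0.2.33 port 6001 ssh2
"""

# Matches OpenSSH's "Failed password" line, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_failed_login(line, year=2019):
    """Return (timestamp, source_ip) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if m is None:
        return None
    # syslog lines carry no year, so one is supplied by the caller.
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip")


class BruteForceWatcher:
    """Block a source after `threshold` failures within `window_seconds`."""

    def __init__(self, threshold=5, window_seconds=60):
        self.threshold = threshold
        self.window = window_seconds
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked = {}                   # ip -> timestamp of the block decision

    def feed(self, line):
        """Consume one log line; return the ip if this line triggers a block."""
        parsed = parse_failed_login(line)
        if parsed is None:
            return None
        ts, ip = parsed
        if ip in self.blocked:
            return None
        q = self.failures[ip]
        q.append(ts)
        # Forget failures that fell out of the sliding window.
        while q and (ts - q[0]).total_seconds() > self.window:
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked[ip] = ts
            return ip
        return None

    def block_commands(self):
        """Firewall actions the watcher would issue (assumed iptables syntax)."""
        return [f"iptables -I INPUT -s {ip} -j DROP" for ip in self.blocked]


def run_watcher(log_text, threshold=5, window_seconds=60):
    """Feed every line of `log_text`; return (watcher, list of ips blocked, in order)."""
    watcher = BruteForceWatcher(threshold, window_seconds)
    triggered = [ip for ip in (watcher.feed(l) for l in log_text.splitlines()) if ip]
    return watcher, triggered


if __name__ == "__main__":
    watcher, triggered = run_watcher(SAMPLE_LOG)
    print("blocked:", triggered)
    for cmd in watcher.block_commands():
        print(cmd)
```

Note the dependency this makes visible: if sshd (or snort) stops writing the log, or the log format changes, the watcher silently stops blocking, and it can only react after the threshold has already been reached. That is why, as Michael says, such a tool is useless without a detector in front of it, while an inline IPS does not need it at all.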

Hellfire
Posts: 695
Joined: November 8th, 2015, 8:54 am

Re: Suricata much worse than guardian?.

Post by Hellfire » April 26th, 2019, 4:48 pm

DJ-Melo wrote:
April 26th, 2019, 3:57 pm
That means we don't need Guardian anymore?
I think so, with respect to Michael's posting above.

DJ-Melo
Posts: 672
Joined: July 8th, 2014, 7:12 am

Re: Suricata much worse than guardian?.

Post by DJ-Melo » April 26th, 2019, 5:08 pm

Thanks, I will test it.

Roberto Peña
Posts: 761
Joined: July 16th, 2014, 3:56 pm
Location: Bilbao (España)
Contact:

Re: Suricata much worse than guardian?.

Post by Roberto Peña » April 27th, 2019, 8:02 am

Michael, excuse me, have you improved something?

I downgraded to Core 130 and updated again to solve the service status problem (viewtopic.php?f=6&t=22658#p124054), and now, doing the same tests with Suricata running, "Suricata-Main" only uses 2% of the CPU.

Can that be?

In the logs I have detections, but is there any other way to know if it really works? What can be consulted, or do you know any web page where you can test it?

I hope so, and that you have done your magic. >:D

Thanks for everything.

╔════════════════════════════════════════════════╗
Donate to improve IPFire: https://www.ipfire.org/donate
╚════════════════════════════════════════════════╝

DJ-Melo
Posts: 672
Joined: July 8th, 2014, 7:12 am

Re: Suricata much worse than guardian?.

Post by DJ-Melo » April 27th, 2019, 9:26 am

I reinstalled; the display problem under Services is gone. I also shut down some rules and uninstalled Guardian. However, the speed is still bad.

Core 131 download speed (measured from our server to your computer): 91 | 200 Mbps

Core 130 download speed (measured from our server to your computer): 218 | 200 Mbps

Stefan87
Posts: 74
Joined: July 20th, 2017, 11:55 pm

Re: Suricata much worse than guardian?.

Post by Stefan87 » April 28th, 2019, 10:55 am

I hope my firewall has enough power for the new ips ... ::) ;D :o

MichaelTremer
Core Developer
Posts: 5793
Joined: August 11th, 2005, 9:02 am

Re: Suricata much worse than guardian?.

Post by MichaelTremer » April 28th, 2019, 11:32 am

It definitely will. It would be nice if we could collect some benchmarks on the wiki so that people who buy hardware can buy the right size.

DJ-Melo
Posts: 672
Joined: July 8th, 2014, 7:12 am

Re: Suricata much worse than guardian?.

Post by DJ-Melo » April 28th, 2019, 1:43 pm

And those who cannot afford new hardware, disable the IDS?

MichaelTremer
Core Developer
Posts: 5793
Joined: August 11th, 2005, 9:02 am

Re: Suricata much worse than guardian?.

Post by MichaelTremer » April 28th, 2019, 1:51 pm

You cannot have had it enabled before. Snort was a lot slower than suricata is. So yeah... if your hardware is quite slow you cannot run the IPS. But the requirements for that haven’t changed.

BeBiMa
Posts: 2842
Joined: July 30th, 2011, 12:55 pm
Location: Mannheim

Re: Suricata much worse than guardian?.

Post by BeBiMa » April 28th, 2019, 1:52 pm

Yes!
As before. ;)
Unitymedia Cable Internet ( 32MBit )

DJ-Melo
Posts: 672
Joined: July 8th, 2014, 7:12 am

Re: Suricata much worse than guardian?.

Post by DJ-Melo » April 28th, 2019, 2:09 pm

But with Core 130 and Snort everything is performant; with the new one it's not. The config is the same...

MichaelTremer
Core Developer
Posts: 5793
Joined: August 11th, 2005, 9:02 am

Re: Suricata much worse than guardian?.

Post by MichaelTremer » April 28th, 2019, 2:45 pm

Snort will just pass packets even if they are malicious. Also it will only use one core and might not scan 100% of the traffic.

I understand your worry and as I said we are working on performance improvements but the IPS is doing a lot of work and that needs CPU cycles.