Author Topic: IPS (SNORT) low network speed; is Endian old news?  (Read 26984 times)
sourcefinder
« on: Wednesday 11 September 2013, 06:20:06 am »

Hi folks,

I've used Endian for about two years now. About a week ago I upgraded my internet connection from 25 Mbps download/1.5 Mbps upload to 60 Mbps download/6 Mbps upload (UPC, Netherlands). I've got two systems to test with: an Intel D525MO (Intel Atom dual-core 1.8 GHz) with 1 GB RAM and an Intel Celeron dual-core E1200 (1.6 GHz) with 2 GB RAM. Hard disks are 80 GB (Atom) and 250 GB (Celeron). When I activate IPS, the download speed is about 35 Mbps. Without IPS, the download speed is about 60 Mbps. Tested on Endian 2.5.1 and 2.5.2. I searched on diverse forums; it seems to have been a bug in the Endian firmware for quite a while. Untangle doesn't give me the possibilities that Endian supplies, but the problem with IPS (Snort) on Endian has forced me to look at other UTM solutions. Untangle does give me the full download speed.

Two questions:
- Has anyone on this forum had the same experience with the performance of IPS/Snort on Endian?
- Given this problem, why should users still choose Endian instead of Untangle or other solutions?

DarkQuark
« Reply #1 on: Wednesday 11 September 2013, 06:39:15 am »

I have had such issues before with things similar to Endian on low-end CPUs. I would check your CPU usage while you are testing. You must realize that everything the system is doing consumes resources, which all come from your CPU and RAM. This is in contrast to something like a Cisco firewall, which has other on-board specialized resources for certain tasks.

I could be wrong of course but I have seen such systems get bogged down before.
sourcefinder
« Reply #2 on: Wednesday 11 September 2013, 10:14:27 am »

Hi DarkQuark, thanks for your reaction.

The CPU usage on both systems is about 2%. Memory use on the Atom was about 80%, so I expanded the memory to 3 GB. The results are the same. On the Celeron E1200 the memory usage was about 40%. According to the system stats the hardware can't be the problem. At the time of the tests only one user (me) was connected. I did a clean install on both systems. By the way, I used original Intel Pro 1000GT network cards (PCI).

I can test an Intel E5200 to see what the performance is with IPS activated, but I just can't imagine that such powerful hardware is needed to use IPS on an Endian with only one or two users connected.

green_dan
« Reply #3 on: Thursday 12 September 2013, 03:48:16 am »

I had this issue as well, with a 50 Mbps connection dropping to 20 Mbps with the IPS enabled. The issue I found lies in the fact that by default Endian has the Snort search-method parameter set to "lowmem", which keeps most of the rules out of memory. Since I have 3 GB of memory (4 GB actual) I set it in the snort.conf to use full memory with the "ac" setting. I should say here that I also have all rules enabled and set to block (I adjust them as false positives are noticed). My connection speeds were then running correctly at the full 50 Mbps connection speed.

You have to SSH into the Endian however, edit /etc/snort/snort.conf.tmpl and reboot the system. This will use a lot of RAM, so you may want to search for "Snort Search-methods" and look at the available options depending on available RAM. Also be aware that if you run the "ac" method it will take a while for all of the rules to load into memory, so reboots of the Endian get much more painful; mine takes about 10-15 minutes to completely reboot and become operational.

I have also noticed that 2.5.2 has some issues with connection speeds and the HTTP proxy, so for now I have reverted to 2.5.1, which is running great. If you do make these changes, be sure to check them after updating Endian versions; I did have to redo the search parameter after the 2.5.2 upgrade, but like I said, I downgraded back to 2.5.1 after noticing some issues.

For Reference:
Intel Atom D2500
4 GB (3 GB accessible)
3 Intel 1GBE NIC ports
320Gb HDD
Endian 2.5.1

Dan
sourcefinder
« Reply #4 on: Thursday 12 September 2013, 04:44:21 am »

Thanks Dan, that is useful information! Of course I'm stubborn; I will try the "ac" setting on 2.5.2 first. If this doesn't work, I'll go back to 2.5.1 as you suggested. Of course I will post my experiences; that will be Friday or Saturday.
sourcefinder
« Reply #5 on: Thursday 12 September 2013, 07:43:54 am »

I've edited /etc/snort/snort.conf.tmpl as Dan suggested, but with the following line:

config detection: search-method ac-bnfa

With thanks to the following site: http://manual.snort.org/node16.html

On Endian 2.5.2 this works perfectly; I've got full network speed now, with IPS activated (no further adjustments implemented). Also, Endian 2.5.2 starts in about a minute with ac-bnfa activated.

Dan, thanks for your help on this topic! Hope other Endian users can use this topic; strange that Endian itself doesn't give the choice for this config detection in the GUI.
sourcefinder
« Reply #6 on: Thursday 12 September 2013, 07:54:28 am »

And now the last question; how do I add the tag 'SOLVED' to this topic?
sourcefinder
« Reply #7 on: Thursday 12 September 2013, 06:15:43 pm »

Last edit: with the configuration set to ac-bnfa the EFW got slower. I've set it to ac (as suggested by Dan) and got full speed.
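The procedure from Dan's post and the two replies above (SSH in, set the detection search-method in /etc/snort/snort.conf.tmpl, reboot, and re-check after an Endian upgrade) written up as a small POSIX shell script. This is an added example, not code from the thread or from Endian: it assumes Snort 2.x's `config detection: search-method <name>` syntax, takes the template path as an argument rather than hard-coding it, and the function names and the list of accepted method names (taken from the Snort 2.9 manual linked above) are mine. It keeps a timestamped backup, is safe to re-run, refuses method names Snort does not know, and leaves every other line of the file untouched.

```shell
#!/bin/sh
# Added example (not from the thread's authors or the Endian project):
# idempotent edit of a Snort 2.x config or template to set the
# "config detection: search-method" value, with a backup of the original.
set -eu

# Search-method names accepted by Snort 2.9 "config detection" (from the Snort manual).
# "ac" keeps every rule pattern in memory (fast, RAM-hungry); "lowmem" is the
# default the thread found on Endian; ac-bnfa sits in between.
VALID_METHODS="ac ac-q ac-nq ac-bnfa ac-bnfa-q ac-bnfa-nq ac-split lowmem lowmem-q lowmem-nq"

# is_valid_method NAME -> exit status 0 if NAME is a known search-method.
is_valid_method() {
    for m in $VALID_METHODS; do
        [ "$m" = "$1" ] && return 0
    done
    return 1
}

# current_method FILE -> prints the search-method set in FILE (empty if none).
# Commented-out lines are ignored because they do not start with "config".
current_method() {
    sed -n 's/^[[:space:]]*config[[:space:]]*detection:.*search-method[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1
}

# set_search_method FILE METHOD -> rewrite FILE so its detection line uses METHOD.
# Makes a FILE.bak.<epoch> copy before changing anything, keeps any other
# options on the same line, and appends a new line if FILE has no detection line.
set_search_method() {
    file=$1 method=$2
    is_valid_method "$method" || { echo "unknown search-method: $method" >&2; return 2; }
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }

    cur=$(current_method "$file")
    if [ "$cur" = "$method" ]; then
        echo "$file already uses search-method $method"
        return 0
    fi

    cp -p "$file" "$file.bak.$(date +%s)"
    if [ -n "$cur" ]; then
        tmp=$(mktemp)
        sed "s/^\([[:space:]]*config[[:space:]]*detection:.*search-method[[:space:]]*\)[^[:space:]]*/\1$method/" "$file" > "$tmp"
        cat "$tmp" > "$file"   # write through so ownership and mode are preserved
        rm -f "$tmp"
    else
        printf 'config detection: search-method %s\n' "$method" >> "$file"
    fi
    echo "$file: search-method ${cur:-<unset>} -> $method"
}

# Usage: sh snort-search-method.sh /etc/snort/snort.conf.tmpl ac
# (then reboot, as the thread describes, and run current_method against the
# live snort.conf to confirm the value survived; that path is not shown here).
if [ $# -eq 2 ]; then
    set_search_method "$1" "$2"
fi
```

Run `current_method` on the template again after any Endian upgrade: Dan's post notes the setting reverted to lowmem after the 2.5.2 update, and a one-line check in a cron job or upgrade checklist catches that before the throughput drop does.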
rcryniak
« Reply #8 on: Sunday 21 December 2014, 04:42:35 am »

BUMP - Even as old as this topic is, it's worthy of a bump since it helped me get my 125 Mbps connection up to speed. The IDS on EFW 3.0 was slowing it down to the low 50s. Well done guys, and THANK you for the very welcome assist.
sourcefinder
« Reply #9 on: Tuesday 23 December 2014, 06:01:37 am »

Hi rcryniak,

Glad this topic helped you out!

So EFW 3.0 has the same problem with low connection speed with IPS enabled? Did you upgrade from 2.5.2 or reinstall the system? My connection speed is about 60 Mbps on a newly installed EFW 3.0, without any adjustments to snort.conf.tmpl. This is the max internet connection speed according to my contract. I've upgraded the hardware; instead of an Intel Atom, I use an Intel Core i3 3225 now.

fredbloggstwo
« Reply #10 on: Saturday 25 September 2021, 12:05:47 am »

Hi Folks,

I have the above issue of IPS running slow on quite a meaty machine (4-core Intel with 8 GB of memory) and need to make the suggested changes.

I am a complete novice (but learning) about Linux and would be grateful if someone could give me some mickey mouse instructions on how to do this from the Web Console.

Thanks and regards

Mike
fredbloggstwo
« Reply #11 on: Saturday 25 September 2021, 02:42:34 am »

never mind guys

I persevered further and think I have fixed it.

Although the web status page still indicates that IPS is switched off after enabling it on the Services page.

Regards

Mike
fredbloggstwo
« Reply #12 on: Monday 27 September 2021, 03:33:40 am »

Looks like my last post didn't get through.

I have tried all the various options for the detection method and it will not allow speeds above 200 MB/sec on a 1 GB line. The IPS engine must be capable of higher performance, as it is in the spec of the Endian appliances.

With IPS switched off, I am getting 950 MB/sec or so.

Any other thoughts as to why it appears to be running slow.

Thanks for any help

Mike