This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

What is the best way to accelerate SNORT/IDS/IPS? It's cutting my bandwidth in half?!

I am on Gigabit FIOS symmetric. W/O IPS/IDS/SNORT I get about 890 Mbit/s once I turn on IPS/IDS/SNORT regardless on how many rules I have there I get between 360 to 390 Mbit/s (via speedtest by Ookla...same test for 890) the range is respective from LINUX only rules to the WHOLE SHEBANG EVERYTHING ON so in the end I am getting about half the download speed by just turning the IPS/IDS/SNORT on....what the hell?!!! There must be a way to optimize it...I mean come on LINUX vs EVERYTHING and I only gain 30 Mbit/s?!

This thread was automatically locked due to age.

Parents

0 rfcat_vk over 7 years ago

Hi Rick,

what error values are reported in the IPS settings and do your logs/reports show any rule that is causing the slowdown?

What functions of IPS do you enable? There is another thread that recommends not to use the TCP flood after setup.

Ian
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 rfcat_vk over 7 years ago

Hi Rick,

what error values are reported in the IPS settings and do your logs/reports show any rule that is causing the slowdown?

What functions of IPS do you enable? There is another thread that recommends not to use the TCP flood after setup.

Ian
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Pickle Rick over 7 years ago in reply to rfcat_vk

Before I dive too deep what is the best place and best way to report these? I have bunch of logs but ummm I want to parse them the best that is receptive to the community.
Cancel
Vote Up 0 Vote Down

Cancel
0 rfcat_vk over 7 years ago in reply to Pickle Rick

Hi Rick,

as a home user this forum is the only place within the Sophos environment. There are more than likely user forums on the SNORT web site that might be able to assist?

A screenshot of your IPS page, might lead to some others joining in the discussion?

Some tips from the UTM snort settings, you need to possibly run two test sessions because snort is a little slow in ramping up. If you have power saving enabled snort doesn't ramp up unless there are a couple of users pulling data. Snort is still a single threaded application with a lot of XG and UTM users anticipating the move to a multi-threaded snort.

Ian
Cancel
Vote Up 0 Vote Down

Cancel
0 Pickle Rick over 7 years ago in reply to rfcat_vk

Thanks for the advice here it is.

The Linux (Raspi) and Everything (Paranoid Android) and FW Configuration...Paranoid applies to default.
Cancel
Vote Up 0 Vote Down

Cancel
0 rrosson over 7 years ago in reply to Pickle Rick

If you are a home user. have you taken a look here: https://shred086.wordpress.com/2017/12/20/sophos-xg-creating-a-custom-ips-policy/ for starters.

Keep in mind only enable rules based on what you have and are protecting on your network. If you have have no DMZ with hosts serving up content for Internet then you do not need Internet to server type rules and you would concentrate on client based rules.

Hope this helps.

-Ron
Cancel
Vote Up 0 Vote Down

Cancel
0 Pickle Rick over 7 years ago in reply to rrosson

Is the Sophos own served up website (where users can download their certs etc) auto protected? Or does it require an IPS Server rule?
Cancel
Vote Up 0 Vote Down

Cancel
0 rrosson over 7 years ago in reply to Pickle Rick

Pickle Rick said:

Is the Sophos own served up website (where users can download their certs etc) auto protected? Or does it require an IPS Server rule?

I do not understand what you are asking. The certificates that are in use straight out of the box in the Sophos XG appliance can be downloaded and added to your network as a trusted CA.

Hope this Helps.

-Ron
Cancel
Vote Up 0 Vote Down

Cancel