This discussion has been locked.

What is the best way to accelerate SNORT/IDS/IPS? It's cutting my bandwidth in half?!

I am on Gigabit FIOS symmetric. W/O IPS/IDS/SNORT I get about 890 Mbit/s. Once I turn on IPS/IDS/SNORT, regardless of how many rules I have there, I get between 360 and 390 Mbit/s (via Speedtest by Ookla...same test for 890). The range is respectively from LINUX only rules to the WHOLE SHEBANG EVERYTHING ON, so in the end I am getting about half the download speed by just turning the IPS/IDS/SNORT on....what the hell?!!! There must be a way to optimize it...I mean come on, LINUX vs EVERYTHING and I only gain 30 Mbit/s?!



  • Hi Rick,

    as a home user this forum is the only place within the Sophos environment. There are more than likely user forums on the SNORT web site that might be able to assist?

    A screenshot of your IPS page might lead to some others joining in the discussion?

    Some tips from the UTM snort settings: you need to possibly run two test sessions because snort is a little slow in ramping up. If you have power saving enabled, snort doesn't ramp up unless there are a couple of users pulling data. Snort is still a single-threaded application, with a lot of XG and UTM users anticipating the move to a multi-threaded snort.

    Ian

  • Thanks for the advice, here it is.

    The Linux (Raspi) and Everything (Paranoid Android) and FW Configuration...Paranoid applies to default.

     

  • If you are a home user, have you taken a look here: https://shred086.wordpress.com/2017/12/20/sophos-xg-creating-a-custom-ips-policy/ for starters?

    Keep in mind to only enable rules based on what you have and are protecting on your network. If you have no DMZ with hosts serving up content for the Internet, then you do not need Internet-to-server type rules and you would concentrate on client-based rules.

    Hope this helps.  

    -Ron

  • Is the Sophos own served up website (where users can download their certs etc) auto protected?  Or does it require an IPS Server rule?

  • Pickle Rick said:

    Is the Sophos own served up website (where users can download their certs etc) auto protected?  Or does it require an IPS Server rule?

     

     

    I do not understand what you are asking. The certificates that are in use straight out of the box in the Sophos XG appliance can be downloaded and added to your network as a trusted CA. 

     

    Hope this Helps.

    -Ron