
What is the best way to accelerate SNORT/IDS/IPS? It's cutting my bandwidth in half?!

I am on Gigabit FIOS symmetric. Without IPS/IDS/Snort I get about 890 Mbit/s; once I turn on IPS/IDS/Snort, regardless of how many rules I have enabled, I get between 360 and 390 Mbit/s (via Ookla speedtest, the same test that gave 890). That range runs from Linux-only rules to the whole shebang with everything on, so in the end I am getting about half the download speed just by turning IPS/IDS/Snort on... what the hell?! There must be a way to optimize it... I mean, come on, Linux vs. everything and I only gain 30 Mbit/s?!



  • Pickle Rick said:

    I am on Gigabit FIOS symmetric. Without IPS/IDS/Snort I get about 890 Mbit/s; once I turn on IPS/IDS/Snort, regardless of how many rules I have enabled, I get between 360 and 390 Mbit/s (via Ookla speedtest, the same test that gave 890). That range runs from Linux-only rules to the whole shebang with everything on, so in the end I am getting about half the download speed just by turning IPS/IDS/Snort on... what the hell?! There must be a way to optimize it... I mean, come on, Linux vs. everything and I only gain 30 Mbit/s?!

    I've noticed this same thing. I'm on a Gigabit internet connection as well, and without IPS enabled I can achieve similar speeds of 890 Mbps (Intel i5-5250U). Enabling IPS, it drops to ~300 Mbps regardless of how many signatures are set up in my IPS rule. I've tried it with every signature enabled and with just a handful: same exact throughput. I know Snort doesn't support multi-threading, so that's definitely a bottleneck for a single connection (i.e., a speed test), but you would think trying to scan 1 vs. 5000+ signatures should make a difference. I've asked this question multiple times on this forum but no one seems to know. Hopefully someone can explain it, but it definitely doesn't make sense.

    I've considered moving over to OPNsense, which uses Suricata, but having an IPS signature database that is managed by Sophos is definitely a huge plus. I'm assuming Sophos is pushing a "premium"/paid level of IPS signatures, which is great considering Sophos XG Home is free.

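An added example, not part of this thread and not Sophos or Snort code, that shows why the rule count is almost invisible in the numbers both posters report. Snort pre-filters every packet with a multi-pattern matcher (an Aho-Corasick automaton) built from each rule's fast pattern, so the scan cost is proportional to the bytes inspected, not to the number of rules; only rules whose fast pattern actually hits get their full option list evaluated. Because one flow is always processed by one single-threaded Snort instance, that fixed per-byte pipeline cost on a single core is what caps a single speed-test stream, whether 10 or 5000 signatures are loaded. The script below measures the work per payload byte for a minimal Aho-Corasick scanner against a naive one-search-per-rule scanner; the "rules" (random 6-12 byte fast patterns) and the 64 KiB "packet payload" are constructed stand-ins, not real signatures or captured traffic.

```python
"""
Added example: per-byte scan cost of an Aho-Corasick fast-pattern
matcher versus a per-rule substring scan, for 10 and 5000 rules.
Rules and payload are constructed at random; nothing here is real
signature content.
"""
from collections import deque
import random


class AhoCorasick:
    """Minimal Aho-Corasick automaton over bytes. scan() also counts the
    state transitions it takes, so cost is measured deterministically
    instead of with noisy wall-clock timing."""

    def __init__(self, patterns):
        self.goto = [{}]   # goto[state][byte] -> next state
        self.fail = [0]    # failure link per state
        self.out = [[]]    # patterns that end at each state
        for p in patterns:
            self._add(p)
        self._build_failure_links()

    def _add(self, pattern):
        s = 0
        for b in pattern:
            if b not in self.goto[s]:
                self.goto.append({})
                self.fail.append(0)
                self.out.append([])
                self.goto[s][b] = len(self.goto) - 1
            s = self.goto[s][b]
        self.out[s].append(pattern)

    def _build_failure_links(self):
        # Breadth-first so every state's failure target (shallower) is done first.
        q = deque(self.goto[0].values())
        while q:
            r = q.popleft()
            for b, s in self.goto[r].items():
                q.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s].extend(self.out[self.fail[s]])

    def scan(self, data):
        """Return (matches, transitions). matches: (end_offset, pattern).
        transitions: every goto or failure step taken; bounded by 2*len(data)
        no matter how many patterns were loaded."""
        s, transitions, matches = 0, 0, []
        for i, b in enumerate(data):
            while s and b not in self.goto[s]:
                s = self.fail[s]
                transitions += 1
            s = self.goto[s].get(b, 0)
            transitions += 1
            for p in self.out[s]:
                matches.append((i, p))
        return matches, transitions


def naive_scan(data, patterns):
    """One substring search per rule: work grows with the rule count."""
    matches, work = [], 0
    for p in patterns:
        work += len(data)          # each rule walks the whole payload
        start = 0
        while (k := data.find(p, start)) >= 0:
            matches.append((k + len(p) - 1, p))
            start = k + 1
    return matches, work


def make_rules(n, seed=1):
    """Constructed stand-ins for rule fast patterns (random 6-12 bytes)."""
    rng = random.Random(seed)
    return [bytes(rng.randrange(256) for _ in range(rng.randint(6, 12)))
            for _ in range(n)]


def make_payload(size, planted, seed=2):
    """Constructed packet payload: random bytes with a few patterns planted."""
    rng = random.Random(seed)
    buf = bytearray(rng.randrange(256) for _ in range(size))
    for k, p in enumerate(planted):
        off = (k + 1) * (size // (len(planted) + 1))
        buf[off:off + len(p)] = p
    return bytes(buf)


def cost_per_byte(n_rules, payload_size=65536):
    """Return (aho_corasick_steps, naive_steps) per payload byte for n_rules.
    Both scanners must report the same matches; that is checked here."""
    rules = make_rules(n_rules)
    payload = make_payload(payload_size, rules[:3])
    ac_matches, ac_steps = AhoCorasick(rules).scan(payload)
    naive_matches, naive_steps = naive_scan(payload, rules)
    assert sorted(ac_matches) == sorted(naive_matches)
    return ac_steps / payload_size, naive_steps / payload_size


if __name__ == "__main__":
    for n in (10, 5000):
        ac, naive = cost_per_byte(n)
        print(f"{n:5d} rules: Aho-Corasick {ac:.2f} steps/byte, "
              f"naive {naive:.0f} steps/byte")
```

The automaton's per-byte work stays between one and two transitions whether 10 or 5000 patterns are loaded, while the naive scan's work equals the rule count. The flip side is that a flow cannot be split across cores by the rule set: a single TCP stream through one single-threaded Snort process is bounded by that per-byte pipeline cost (decode, reassembly, matching) on one core, so a single-stream speed test will not improve by trimming rules, and a fair comparison needs several parallel streams rather than one.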