What is the best way to accelerate SNORT/IDS/IPS? It's cutting my bandwidth in half?!

Hi Rick,

what error values are reported in the IPS settings and do your logs/reports show any rule that is causing the slowdown?

What functions of IPS do you enable? There is another thread that recommends not to use the TCP flood after setup.

Ian

Before I dive too deep what is the best place and best way to report these?  I have bunch of logs but ummm I want to parse them the best that is receptive to the community.

Hi Rick,

as a home user this forum is the only place within the Sophos environment. There are more than likely user forums on the SNORT web site that might be able to assist?

A screenshot of your IPS page, might lead to some others joining in the discussion?

Some tips from the UTM snort settings, you need to possibly run two test sessions because snort is a little slow in ramping up. If you have power saving enabled snort doesn't ramp up unless there are a couple of users pulling data. Snort is still a single threaded application with a lot of XG and UTM users anticipating the move to a multi-threaded snort.

Ian

Thanks for the advice here it is.

The Linux (Raspi) and Everything (Paranoid Android) and FW Configuration...Paranoid applies to default.

If you are a home user. have you taken a look here:  https://shred086.wordpress.com/2017/12/20/sophos-xg-creating-a-custom-ips-policy/ for starters.

Keep in mind only enable rules based on what you have and are protecting on your network. If you have have no DMZ with hosts serving up content for Internet then you do not need Internet to server type rules and you would concentrate on client based rules.

Hope this helps.  

-Ron

Is the Sophos own served up website (where users can download their certs etc) auto protected?  Or does it require an IPS Server rule?

Pickle Rick said:

Is the Sophos own served up website (where users can download their certs etc) auto protected?  Or does it require an IPS Server rule?

 

I do not understand what you are asking. The certificates that are in use straight out of the box in the Sophos XG appliance can be downloaded and added to your network as a trusted CA. 

Hope this Helps.

-Ron

Pickle Rick said:

I am on Gigabit FIOS symmetric.  W/O IPS/IDS/SNORT I get about 890 Mbit/s once I turn on IPS/IDS/SNORT regardless on how many rules I have there I get between 360 to 390 Mbit/s (via speedtest by Ookla...same test for 890) the range is respective from LINUX only rules to the WHOLE SHEBANG EVERYTHING ON  so in the end I am getting about half the download speed by just turning the IPS/IDS/SNORT on....what the hell?!!!  There must be a way to optimize it...I mean come on LINUX vs EVERYTHING and I only gain 30 Mbit/s?!

I've noticed this same thing. I'm on a Gigabit internet connection as well and without IPS enabled, I can achieve similar speeds of 890 Mbps (Intel i5-5250U). Enabling IPS, it drops to ~300 Mbps regardless of how many signatures are setup in my IPS rule. I've tried it with every signature enabled and just a handful, same exact throughput. I know Snort doesn't support multi-threading so that's definitely a bottleneck for a single connection (i.e. speed test) but you would think trying to scan 1 vs 5000+ signatures should make a difference. I've asked this question multiple times on this forum but no one seems to know. Hopefully someone can explain it, but it definitely doesn't make sense.

I've considered moving over to OPNsense which uses Suricata but having an IPS signature database that is managed by Sophos is definitely a huge plus. I'm assuming Sophos is pushing "premium"/paid level of IPS signatures which great considering Sophos XG Home is free.

Hi,

what do see in this tab on your XG?

Do you see any large values that increase when you attempt to download?

Ian

I don't have DoS protection enabled.