
Can snort_inline have multiple instances?

I moved from UTM 9 to Sophos XG Firewall Home Edition recently. I really like the new look and feel, but it seems the new system has worse IPS performance, and this makes me consider rolling back to UTM 9.

I asked a throughput question in another board. I thought the issue was due to my NICs, but it turned out that the bottleneck is in IPS. So I decided to do some tests.

UTM 9's throughput may drop if I select more IPS rules. But it surprised me that even though I have very limited rules in XG, IPS still runs slowly. top shows snort_inline utilizes 100% of a CPU core if IPS or ATP is enabled, no matter how many rules are enabled.

I understand that snort_inline is not a multi-threaded process. But when I used multiple computers, I found that they shared the same snort_inline process! My system is installed on an ESXi VM that is assigned 2 cores. I could see only one core was fully loaded.

Is there a way to tune snort_inline? Is it possible to run multiple instances so that multiple core system can have better throughput?

All my tests are based on iperf3 and NFS file copying. 

Thanks

  • GaryY,

    Snort 3.x will fully support multiple instances, but it is not yet officially available. What I have seen from XG: connecting to the console and typing 'show ips-settings', you can see how many IPS instances are available and how many CPUs are used.

    You also can try to add IPS instances using the command: 'set ips ips-instance add IPS cpu'.

  • Thank you, Luk, I will try. Hope this can improve multi-user performance.

  • lferrara said:

    GaryY,

    Snort 3.x will fully support multiple instances, but it is not yet officially available. What I have seen from XG: connecting to the console and typing 'show ips-settings', you can see how many IPS instances are available and how many CPUs are used.

    You also can try to add IPS instances using the command: 'set ips ips-instance add IPS cpu'.

    I tried running 'ips-settings' in the console but I'm just getting 'Error: Unknown Parameter 'ips-settings''. I also tried this in the advanced shell but got the same thing. Any ideas how I can check how many Snort instances are running and how to add additional instances?

  • Hi,

    You need to use 'show ips-settings' in the console.

    Ian

  • Thanks! That worked. So if I'm reading this correctly, there are four instances of IPS running, one on each core? If that's the case, I'm really surprised my download speed is limited to 300 Mbps (out of 900 Mbps) on a Core i5-5250U. Are there any IPS settings we can tweak to increase performance? I never see my CPU going over 10% during a speed test.

  • Have a look at your DoS attack reports and see which protocol, if any, is causing the grief. You can then tune that protocol or turn it off while you test. What new values you would use, I have no idea.

    ian

  • I'm not exactly sure what you mean, would you be able to elaborate?

    I'm not sure how DoS attacks have anything to do with my bandwidth speed and how many Snort instances are running. I actually don't have any DoS settings set up, therefore I wouldn't expect to see anything on the 'DoS Attacks' tab/view, because that's simply showing if traffic is being dropped based on DoS protection being set up (which I don't have set up).

    What I'm asking is if there are any IPS settings (likely from the console) that I could adjust to increase my bandwidth when running IPS. I'm surprised that with four instances of Snort running (if I'm reading the console correctly using 'show ips-settings') I'm limited to ~300 Mbps down. It's also interesting that decreasing the number of signatures has no impact on speeds, which is exactly the opposite of my experience with other firewalls such as pfSense or OPNsense. I'm almost wondering if I'm running too many instances of Snort... I have an Intel Core i5-5250U, which is a 2-core CPU but, with hyper-threading, shows up as 4 cores, and Sophos XG is showing 4 instances of Snort running on 4 different cores.

  • Hi,

    In earlier versions of XG, when running speed tests, the DoS attack protection used to see the downloads as a network attack, so I had to disable TCP, UDP and SNC other so that my links could reach their full potential of 4mb/s.

    Since then I think the default values have increased, because I have re-enabled the protection and nothing is reported. Though on my previous UTM there were packets dropped even though nothing was reported in the daily reports, only in the IPS logs.

    William Warren did a long investigation into Snort and hyper-threading for the UTM, and in his opinion hyper-threading did not improve performance: while it adds another thread, it does not add another core.

    When running the tests does your CPU and memory peak?

    Ian

    Added info: I just enabled TCP flood protection and immediately lost 1.5mb/s on download and 60kb/s on upload. Those figures might not seem like much, but they are a significant drop to me. The DoS attack report showed packet drops in both directions.

  • That all makes sense, but again, all of my DoS settings are turned off (by default), so none of this applies in my situation. During speed tests, my CPU gets to around 40-50% and memory usage doesn't change at all. I'm not sure if this is just a hardware limit, as the Intel Core i5-5250U is a low-energy dual-core CPU (1.6GHz base speed with max up to 2.7GHz), but the CPUs are not coming close to maxing out. Anyways, the questions I have are:

    1) Why does bandwidth throughput not change regardless of the number of IPS signatures in use?

    2) Are there any IPS settings I can configure through the console to possibly increase bandwidth throughput?

  • Understand your point of view. 40-50% CPU looks like 1 core maxing out? If you ran a second test from a different device you should see about 90% CPU and, in theory, 600mb/s download, because the second Snort instance would start.

    Ian
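
Both the opening post ("only one core was fully loaded" while snort_inline sat at 100% of one core) and the last reply (40-50% total CPU on a 2-core box reading as one core maxed out) rest on per-core utilisation, which an aggregate CPU percentage hides. The script below is an added example, not from this thread or from Sophos: it computes per-core busy percentages from two /proc/stat snapshots (the same counters top uses) and, on a live Linux host with a procps-style ps, lists which core each snort_inline process is scheduled on. The two snapshots are constructed sample data standing in for a 2-core VM where one core is pinned at 100% by a single IPS process; the availability of ps -o psr in the XG advanced shell is an assumption.

```shell
#!/bin/sh
# Added example: per-core busy % from /proc/stat, to tell "one core at 100%"
# apart from "all cores at 50%". Not Sophos code; assumptions noted inline.

# Constructed sample snapshots (`cat /proc/stat` taken ~1 s apart, 2 cores).
# Fields after cpuN: user nice system idle iowait irq softirq steal guest guest_nice
SNAP_BEFORE='cpu0 1000 0 500 8500 0 0 0 0 0 0
cpu1 1000 0 500 8500 0 0 0 0 0 0'
SNAP_AFTER='cpu0 1900 0 600 8500 0 0 0 0 0 0
cpu1 1010 0 505 9485 0 0 0 0 0 0'

# core_busy_pct BEFORE AFTER
# Prints "cpuN <busy%>" for every per-core line present in both snapshots.
# busy = 100 * (delta_total - delta_idle) / delta_total, idle = idle + iowait.
core_busy_pct() {
  printf '%s\n%s\n' "$1" "$2" | awk '
    /^cpu[0-9]+ / {
      total = 0
      for (i = 2; i <= NF; i++) total += $i
      idle = $5 + $6                       # idle + iowait columns
      if ($1 in t_before) {                # second sighting: compute the delta
        dt = total - t_before[$1]
        di = idle  - i_before[$1]
        busy = (dt > 0) ? int(100 * (dt - di) / dt) : 0
        print $1, busy
      } else {
        t_before[$1] = total
        i_before[$1] = idle
      }
    }'
}

# live_core_busy: same calculation against the real /proc/stat, 1 s apart.
live_core_busy() {
  before=$(cat /proc/stat) || return 1
  sleep 1
  after=$(cat /proc/stat)
  core_busy_pct "$before" "$after"
}

# snort_cores: PID, current core (psr) and CPU% of each snort_inline process.
# Assumes a procps-style ps supporting -o psr; adjust if the shell lacks it.
snort_cores() {
  ps -eo pid,psr,pcpu,comm 2>/dev/null | awk 'NR == 1 || $4 == "snort_inline"'
}

# Stand-alone demonstration on the constructed snapshots.
echo "Per-core busy % (constructed sample):"
core_busy_pct "$SNAP_BEFORE" "$SNAP_AFTER"
```

On the sample data the output is "cpu0 100" and "cpu1 1": a 2-core system reporting roughly 50% overall, which is exactly the pattern of a single IPS instance saturating one core. Running live_core_busy and snort_cores together during an iperf3 run shows whether each snort_inline process lands on its own core and whether any of them is the saturated one, which is the check to make before deciding whether adding IPS instances can help.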