Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 22 replies
  • Subscribers 9 subscribers
  • Views 6814 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos UTM 9.705-3 Intrusion Prevention

RichardHughes1

Hello,

I appear to be having some trouble with the Intrusion Prevention on my UTM. When I have Intrusion Prevention enabled, my network speeds are reduced dramatically. For example, my WAN connection; with and without Intrusion Prevention enabled:

Enabled - Download: 98Mbps
Disabled - Download: 206Mbps

I have tried changing various settings within Intrusion Prevention (whilst still having it enabled), but this made no improvement in the network speed. I had a look in the live-log whilst trying a speedtest and I had a large amount of this entry:

S5: Session exceeded configured max bytes to queue 1048576 using 1053000 bytes (client queue).

I tried doing some searches online for this but I can't seem to find anything other than it's nothing to worry about... but I'm pretty sure this is telling me what the problem is? Is it possible to increase the max bytes to queue? I'm currently using only 35% of 8GB RAM on this box.

Cheers,
Richard



This thread was automatically locked due to age.

Top Replies

  • +1

    I've always assumed that the snort single instance was the crux of the speed test always capping at <=100Mbps problem.

    I upgraded to 9.705-3 this morning and decided to search to see if I could find problems anyone else was reporting so I could be aware in case I experienced similar issues, and saw this thread.

    In the past I've found some things Bob has mentioned about settings that helped tune IPS but I never got over 100Mb (like 105 would be the highest burst I would see)

    Today I decided to spend some time playing with settings and I found an odd anomaly.
    ****disclaimer I'm not an expert at Sophos UTM, I've been using since Astaro 'in 2007ish I think', but follow the recommendations of support, and then defer to Bob, be ready to assume your own risks****

    Prior to 9.705-3, I had already set my num_instances to 7 for my 8 cpu VM: (default = 0 which is supposed to be n-1)

    cc set ips num_instances 7

    Prior to 9.705-3, I had already adjusted my queue_length:

    cc set ips queue_length 16384

    Today I decided to play with max_queued_bytes and immediately saw the speed increase:

    cc set ips snortsettings max_queued_bytes 2097152

    The anomaly was when I changed my max_queued_bytes back to 0 I'm still getting 220+Mbps. I've rebooted the UTM to be sure it wasn't a fluke, and I'm seeing similar S5 logs for max bytes:

    2020:10:03-07:14:21 vue-utm9fw snort[5551]: S5: Session exceeded configured max bytes to queue 1048576 using 1050867 bytes (client queue). 192.168.0.10 54928 --> 172.102.72.17 8080 (0) : LWstate 0x9 LWFlags 0x4e007
    2020:10:03-07:14:21 vue-utm9fw snort[5551]: S5: Pruned session from cache that was using 1060929 bytes (stale/timeout). 192.168.0.10 54446 --> 172.102.72.17 8080 (0) : LWstate 0x9 LWFlags 0xe007
    So I can't explain why now after being back to max_queued_bytes 0 I'm not seeing the same results as before, I'm not seeing any abnormal spikes in memory or cpu on my vsphere realtime charts.
    ****I am not advocating you do this****
    ****change settings at own risk****
    ****this reply is only to share my experience****
    Jump to answer
Parents
  • 0

    I'm having similar issues. I'm constantly having to up the queue_length and max_queue_bytes with all these log errors.  I'm currently at  queue_length 32768 and max_queue_bytes 1000000. 

    Also why is our Snort version so old? it's 2.9.11.2 which is years old on the latest firmware. Can we not get it upgraded to at least the latest 2.9.x version? I mean 3.0 is in beta.

  • 0 in reply to Sophos User287

    Snort 2.9.11.2?  It's very difficult to vet and modify a new version for inclusion in a security product like UTM.  Most every module is several years old.  Instead of attempting to integrate every new version, the existing code is modified when there are new vulnerabilities found - that permits a faster response than bringing in the new version with the vulnerability repaired.

    Your current max_queue_bytes appears to be lower than the OP's.  What do you get with the following?

    cc get ips snortsettings max_queued_bytes

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • 0 in reply to Sophos User287

    Snort 2.9.11.2?  It's very difficult to vet and modify a new version for inclusion in a security product like UTM.  Most every module is several years old.  Instead of attempting to integrate every new version, the existing code is modified when there are new vulnerabilities found - that permits a faster response than bringing in the new version with the vulnerability repaired.

    Your current max_queue_bytes appears to be lower than the OP's.  What do you get with the following?

    cc get ips snortsettings max_queued_bytes

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
  • 0 in reply to BAlfson

    Seem to be plenty of vulns being fixed if you check the changelog but anyway, not the real problem..

    cc get ips snortsettings max_queued_bytes
    10000000

    What we need to be able to do is modify memcap which seems to be hard set at the value. Is that possible? Or is this command supposed to do that because I don't see it changing.

  • 0 in reply to Sophos User287

    Ahhh, I didn't count the 0s correctly before!   Are you still getting max_queued_bytes warnings?

    What are you seeing relative to memcap?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Yeah still getting max_queued_bytes error. Mind you, I've been increasing it gradually since it was at default and I'm yet to find a setting that it's happy at. Not sure where it's going to stop but at this rate, it wont :)  I'm also running two instances of snort as we have 4 cpu's, it didn't like 3 for some reason, maybe the cpu's are just over worked with 3 but these 330's should be fine.

    memcap is always at the limit has not changed its setting. I'm not ram limited so why it's so hard set is beyond me.