IPS Exception from LAN to ANY

If I add an exception in IPS rules to not apply IPS from my internal LAN to ANY, am I essentially turning off IPS?  I'm not concerned with any device at home attempting malicious activity going outbound, so I don't see the need to have IPS from LAN to ANY.  I noticed with this exception I get my full Gigabit throughput, but if I remove the exception I get cut down to 350-400 Mbps.



  • Hi Chris,

    Disable the IPS exception, SSH to the UTM and log in as root. Run "wget --no-check-certificate -O - https://raw.github.com/sivel/speedtest-cli/master/speedtest_cli.py | python". Verify what bandwidth is received on the UTM's interface.

    Thanks

  • Unexpected results to say the least.

    Here's without the exception

    Hosted by AT&T (Austin, TX) [14.89 km]: 2.867 ms
    Testing download speed........................................
    Download: 859.46 Mbit/s
    Testing upload speed..................................................
    Upload: 102.16 Mbit/s

    And here's with the exception

    Hosted by AT&T (Austin, TX) [14.89 km]: 2.825 ms
    Testing download speed........................................
    Download: 878.05 Mbit/s
    Testing upload speed..................................................
    Upload: 112.55 Mbit/s

    I ran them both a few times and they were all within the margin of error.

    Now here's from the site directly using the same AT&T server that the script selected.

    With exception

    http://www.speedtest.net/my-result/5411309219

    Without exception

    http://www.speedtest.net/my-result/5411314162

  • Hi,

    Download a file and capture ips.log. Post it here.

    Thanks 

    Downloading files from techpowerup and filehippo didn't really give me much output aside from the top line you see here (I've trimmed away some of the duplicates).

    When I ran a speedtest it caused all the output in the bottom half.  This was all with the exception turned off, of course.  I trimmed away some of the excess, but it all looked like this.  The long string of pruned sessions started the instant I started the test.


    2016:06:17-09:54:14 sophosutm ulogd[4640]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth1" srcmac="90:3e:ab:f9:80:d0" dstmac="00:1b:21:a8:b0:33" srcip="74.125.3.90" dstip="162.202.206.67" proto="17" length="1378" tos="0x00" prec="0x00" ttl="54" srcport="443" dstport="64679"
    2016:06:17-10:24:16 sophosutm snort[4862]: S5: Session exceeded configured max bytes to queue 1048576 using 1051044 bytes (client queue). 162.202.206.67 34838 --> 173.44.34.18 80 (0) : LWstate 0x9 LWFlags 0x6007
    2016:06:17-10:25:18 sophosutm snort[4862]: S5: Session exceeded configured max bytes to queue 1048576 using 1069576 bytes (client queue). 162.202.206.67 50753 --> 162.248.77.131 80 (0) : LWstate 0x9 LWFlags 0x6007
    2016:06:17-10:27:15 sophosutm snort[4862]: S5: Session exceeded configured max bytes to queue 1048576 using 1049144 bytes (client queue). 162.202.206.67 50898 --> 162.248.77.131 80 (0) : LWstate 0x9 LWFlags 0x4e007
    2016:06:17-10:27:27 sophosutm snort[4862]: S5: Session exceeded configured max bytes to queue 1048576 using 1049080 bytes (client queue). 192.168.10.100 5692 --> 99.24.18.5 8080 (0) : LWstate 0x9 LWFlags 0x6007
    2016:06:17-10:27:27 sophosutm snort[4862]: S5: Session exceeded configured max bytes to queue 1048576 using 1048640 bytes (client queue). 192.168.10.100 5693 --> 99.24.18.5 8080 (0) : LWstate 0x9 LWFlags 0x406007
    2016:06:17-10:27:27 sophosutm snort[4862]: S5: Session exceeded configured max bytes to queue 1048576 using 1054280 bytes (client queue). 192.168.10.100 5691 --> 99.24.18.5 8080 (0) : LWstate 0x9 LWFlags 0x406007
    2016:06:17-10:27:28 sophosutm snort[4862]: S5: Session exceeded configured max bytes to queue 1048576 using 1052720 bytes (client queue). 192.168.10.100 5694 --> 99.24.18.5 8080 (0) : LWstate 0x9 LWFlags 0x406007
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Session exceeded configured max bytes to queue 1048576 using 1049980 bytes (client queue). 192.168.10.100 5695 --> 99.24.18.5 8080 (0) : LWstate 0x9 LWFlags 0x406007
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned session from cache that was using 1079744 bytes (memcap/check). 162.202.206.67 50898 --> 162.248.77.131 80 (0) : LWstate 0x9 LWFlags 0xe007
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 4 sessions from cache for memcap. 139 scbs remain. memcap: 7334734/8388608
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 4 sessions from cache for memcap. 137 scbs remain. memcap: 8387694/8388608
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 5 sessions from cache for memcap. 132 scbs remain. memcap: 8390705/8388608
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 5 sessions from cache for memcap. 127 scbs remain. memcap: 8393716/8388608
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 5 sessions from cache for memcap. 122 scbs remain. memcap: 8398187/8388608
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 5 sessions from cache for memcap. 117 scbs remain. memcap: 8399738/8388608
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 5 sessions from cache for memcap. 112 scbs remain. memcap: 8404209/8388608
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 5 sessions from cache for memcap. 107 scbs remain. memcap: 8405760/8388608
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 5 sessions from cache for memcap. 102 scbs remain. memcap: 8410231/8388608
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 5 sessions from cache for memcap. 97 scbs remain. memcap: 8411782/8388608
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 5 sessions from cache for memcap. 92 scbs remain. memcap: 8414793/8388608
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 5 sessions from cache for memcap. 87 scbs remain. memcap: 8416344/8388608
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 5 sessions from cache for memcap. 82 scbs remain. memcap: 8403826/8388608
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 4 sessions from cache for memcap. 78 scbs remain. memcap: 8386245/8388608
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 1 sessions from cache for memcap. 77 scbs remain. memcap: 8386431/8388608

  • Upon enabling the exception I ran speedtest again and this was the entirety of the output (much less, but still on it seems).

    This really makes me think disabling LAN to ANY/WAN is still leaving IPS working; it's just not wasting CPU on outbound and therefore not limiting my bandwidth.  Does this seem right to you?


    Live Log: Intrusion Prevention System
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 1 sessions from cache for memcap. 21 scbs remain. memcap: 8296406/8388608
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 1 sessions from cache for memcap. 21 scbs remain. memcap: 8332801/8388608
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Session exceeded configured max bytes to queue 1048576 using 1049680 bytes (client queue). 192.168.10.100 5697 --> 99.24.18.5 8080 (0) : LWstate 0x9 LWFlags 0x406007
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 1 sessions from cache for memcap. 22 scbs remain. memcap: 8119130/8388608
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 1 sessions from cache for memcap. 23 scbs remain. memcap: 8387788/8388608
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 3 sessions from cache for memcap. 20 scbs remain. memcap: 8322446/8388608
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned session from cache that was using 1063799 bytes (memcap/check). 192.168.10.100 5695 --> 99.24.18.5 8080 (0) : LWstate 0x9 LWFlags 0x6007
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 4 sessions from cache for memcap. 17 scbs remain. memcap: 7325894/8388608
    2016:06:17-10:27:30 sophosutm snort[4862]: S5: Session exceeded configured max bytes to queue 1048576 using 1051200 bytes (client queue). 192.168.10.100 5700 --> 99.24.18.5 8080 (0) : LWstate 0x9 LWFlags 0x406007
    2016:06:17-10:27:30 sophosutm snort[4862]: S5: Session exceeded configured max bytes to queue 1048576 using 1053840 bytes (client queue). 192.168.10.100 5702 --> 99.24.18.5 8080 (0) : LWstate 0x9 LWFlags 0x406007

  • My system specs by the way

    G3258 @ 4.2Ghz

    8GB DDR3 1600

    Asus H79 Mini-ITX

    Intel E1G42ETBLK server card

  • Good work, Sachin and Chris - I think the devs can put this to good use.  It's not the first time that the issue of Session exceeded configured max bytes to queue has appeared here.

    Chris, what happens if you run, as root, cc set ips snortsettings max_queued_bytes 3145728 and then run your tests?  After you're done, keep an eye on performance to be sure this doesn't cause a problem, or you might want to just set it back to the default 1048576.

    Cheers - Bob
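
An added example (not from this thread and not Sophos code) for reading the ips.log excerpts posted above and for reasoning about the max_queued_bytes change Bob suggests. It parses the three line shapes that appear in Chris's captures: the ulogd key="value" alert (the "UDP flood detected" line), the Stream5 "Session exceeded configured max bytes to queue" line, and the "Pruned N sessions from cache for memcap ... memcap: used/cap" line. It then summarises how far Stream5 is over its memcap and which flows are hitting the per-session queue limit, and checks which of those flows would still exceed a candidate max_queued_bytes value. The log lines embedded in it are copied from the posts; the field layout the regexes rely on is an assumption taken from those lines, and nothing else about the UTM's snort configuration is assumed.

```python
"""Summarise Sophos UTM ips.log Stream5 ('S5:') lines and ulogd IPS alerts.

Added example for this thread, not Sophos code.  The embedded log lines are
copied from the posts above; the field layout is assumed from those lines.
"""
import re
from collections import Counter

# Constructed sample: a subset of the lines posted in the thread.
SAMPLE_LOG = """\
2016:06:17-09:54:14 sophosutm ulogd[4640]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth1" srcmac="90:3e:ab:f9:80:d0" dstmac="00:1b:21:a8:b0:33" srcip="74.125.3.90" dstip="162.202.206.67" proto="17" length="1378" tos="0x00" prec="0x00" ttl="54" srcport="443" dstport="64679"
2016:06:17-10:24:16 sophosutm snort[4862]: S5: Session exceeded configured max bytes to queue 1048576 using 1051044 bytes (client queue). 162.202.206.67 34838 --> 173.44.34.18 80 (0) : LWstate 0x9 LWFlags 0x6007
2016:06:17-10:27:27 sophosutm snort[4862]: S5: Session exceeded configured max bytes to queue 1048576 using 1049080 bytes (client queue). 192.168.10.100 5692 --> 99.24.18.5 8080 (0) : LWstate 0x9 LWFlags 0x6007
2016:06:17-10:27:27 sophosutm snort[4862]: S5: Session exceeded configured max bytes to queue 1048576 using 1054280 bytes (client queue). 192.168.10.100 5691 --> 99.24.18.5 8080 (0) : LWstate 0x9 LWFlags 0x406007
2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned session from cache that was using 1079744 bytes (memcap/check). 162.202.206.67 50898 --> 162.248.77.131 80 (0) : LWstate 0x9 LWFlags 0xe007
2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 4 sessions from cache for memcap. 139 scbs remain. memcap: 7334734/8388608
2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 5 sessions from cache for memcap. 132 scbs remain. memcap: 8390705/8388608
2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 5 sessions from cache for memcap. 117 scbs remain. memcap: 8399738/8388608
"""

TS = r"(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) \S+ "
RE_ALERT = re.compile(TS + r"ulogd\[\d+\]: (?P<kv>.*)$")
RE_KV = re.compile(r'(\w+)="([^"]*)"')
RE_EXCEEDED = re.compile(
    TS + r"snort\[\d+\]: S5: Session exceeded configured max bytes to queue "
    r"(?P<limit>\d+) using (?P<used>\d+) bytes \((?P<side>\w+) queue\)\. "
    r"(?P<src>[\d.]+) (?P<sport>\d+) --> (?P<dst>[\d.]+) (?P<dport>\d+)")
RE_PRUNED = re.compile(
    TS + r"snort\[\d+\]: S5: Pruned (?P<n>\d+) sessions from cache for memcap\. "
    r"(?P<remain>\d+) scbs remain\. memcap: (?P<used>\d+)/(?P<cap>\d+)")


def parse_ips_log(text):
    """Return one dict per recognised line; unrecognised lines are skipped."""
    records = []
    for line in text.splitlines():
        m = RE_ALERT.match(line)
        if m:
            rec = {"kind": "alert", "ts": m["ts"]}
            rec.update(dict(RE_KV.findall(m["kv"])))
            records.append(rec)
            continue
        m = RE_EXCEEDED.match(line)
        if m:
            records.append({"kind": "exceeded", "ts": m["ts"], "limit": int(m["limit"]),
                            "used": int(m["used"]), "side": m["side"],
                            "flow": "%s:%s->%s:%s" % (m["src"], m["sport"], m["dst"], m["dport"])})
            continue
        m = RE_PRUNED.match(line)
        if m:
            records.append({"kind": "pruned", "ts": m["ts"], "n": int(m["n"]),
                            "remain": int(m["remain"]), "used": int(m["used"]),
                            "cap": int(m["cap"])})
    return records


def summarize(records):
    """Aggregate the Stream5 pressure indicators worth looking at in a capture."""
    exceeded = [r for r in records if r["kind"] == "exceeded"]
    pruned = [r for r in records if r["kind"] == "pruned"]
    alerts = [r for r in records if r["kind"] == "alert"]
    return {
        "alerts": Counter(a.get("name", "?") for a in alerts),
        "exceeded_sessions": len(exceeded),
        "exceeded_by_dst": Counter(r["flow"].split("->")[1] for r in exceeded),
        "largest_queue": max((r["used"] for r in exceeded), default=0),
        "sessions_pruned": sum(r["n"] for r in pruned),
        # used/cap above 1.0: Stream5 is over its memcap and evicting live sessions
        "peak_memcap_ratio": max((r["used"] / r["cap"] for r in pruned), default=0.0),
        "memcap_over_cap_events": sum(1 for r in pruned if r["used"] > r["cap"]),
    }


def still_exceeded_with(records, new_limit):
    """Flows from 'exceeded' lines that would still trip a raised max_queued_bytes."""
    return [r["flow"] for r in records if r["kind"] == "exceeded" and r["used"] > new_limit]


if __name__ == "__main__":
    recs = parse_ips_log(SAMPLE_LOG)
    for key, val in summarize(recs).items():
        print("%s: %s" % (key, val))
    print("still over 3145728:", still_exceeded_with(recs, 3145728))
```

Against the 10:27 capture this reports three flows over the 1048576-byte queue limit (largest 1054280 bytes), 14 sessions pruned, and memcap peaking just above 100% of 8388608. None of those flows would exceed 3145728, which fits what Chris reports after the change: the "Session exceeded" lines disappear but the "Pruned ... for memcap" lines remain, so the per-session queue limit was only the noisier symptom and the 8 MB memcap is still the limit being hit.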

  • Performance is unchanged but the logs are cleaner.

    Without exception (untruncated)

    2016:06:17-12:49:41 sophosutm snort[8979]: Max concurrent sessions : 0
    2016:06:17-12:49:41 sophosutm snort[8979]: ===============================================================================
    2016:06:17-12:49:41 sophosutm snort[8979]: dcerpc2 Preprocessor Statistics
    2016:06:17-12:49:41 sophosutm snort[8979]: Total sessions: 0
    2016:06:17-12:49:41 sophosutm snort[8979]: ===============================================================================
    2016:06:17-12:49:41 sophosutm snort[8979]: ===============================================================================
    2016:06:17-12:49:41 sophosutm snort[8979]: SIP Preprocessor Statistics
    2016:06:17-12:49:41 sophosutm snort[8979]: Total sessions: 0
    2016:06:17-12:49:41 sophosutm snort[8979]: ===============================================================================
    2016:06:17-12:49:41 sophosutm snort[8979]: Snort exiting
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 144 scbs remain. memcap: 8400069/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 139 scbs remain. memcap: 8404540/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 134 scbs remain. memcap: 8408275/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 129 scbs remain. memcap: 8422966/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 124 scbs remain. memcap: 8428897/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 119 scbs remain. memcap: 8431908/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 114 scbs remain. memcap: 8456819/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 109 scbs remain. memcap: 8459830/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 104 scbs remain. memcap: 8462841/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 99 scbs remain. memcap: 8470232/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 94 scbs remain. memcap: 8474703/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 89 scbs remain. memcap: 8476254/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 84 scbs remain. memcap: 8489485/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 79 scbs remain. memcap: 8492076/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 74 scbs remain. memcap: 8492022/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 69 scbs remain. memcap: 8492613/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 64 scbs remain. memcap: 8495919/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 59 scbs remain. memcap: 8494845/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 54 scbs remain. memcap: 8501071/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 49 scbs remain. memcap: 8499997/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 44 scbs remain. memcap: 8500383/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 39 scbs remain. memcap: 8502229/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 34 scbs remain. memcap: 8505535/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 29 scbs remain. memcap: 8510009/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 24 scbs remain. memcap: 8498943/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 19 scbs remain. memcap: 8442555/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 14 scbs remain. memcap: 8370779/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 1 sessions from cache for memcap. 13 scbs remain. memcap: 8365475/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 3 sessions from cache for memcap. 11 scbs remain. memcap: 8370367/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 1 sessions from cache for memcap. 11 scbs remain. memcap: 7371628/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 1 sessions from cache for memcap. 20 scbs remain. memcap: 7832237/8388608
    2016:06:17-12:50:28 sophosutm snort[8988]: S5: Pruned 2 sessions from cache for memcap. 20 scbs remain. memcap: 8384375/8388608
    2016:06:17-12:50:28 sophosutm snort[8988]: S5: Pruned 1 sessions from cache for memcap. 19 scbs remain. memcap: 8371053/8388608
    2016:06:17-12:50:28 sophosutm snort[8988]: S5: Pruned 1 sessions from cache for memcap. 18 scbs remain. memcap: 8387022/8388608
    2016:06:17-12:50:28 sophosutm snort[8988]: S5: Pruned 1 sessions from cache for memcap. 17 scbs remain. memcap: 8354538/8388608
    2016:06:17-12:50:28 sophosutm snort[8988]: S5: Pruned 1 sessions from cache for memcap. 18 scbs remain. memcap: 8353442/8388608
    2016:06:17-12:50:28 sophosutm snort[8988]: S5: Pruned 1 sessions from cache for memcap. 17 scbs remain. memcap: 8350795/8388608
    2016:06:17-12:50:28 sophosutm snort[8988]: S5: Pruned 1 sessions from cache for memcap. 16 scbs remain. memcap: 8350977/8388608
    2016:06:17-12:50:28 sophosutm snort[8988]: S5: Pruned 1 sessions from cache for memcap. 18 scbs remain. memcap: 7813802/8388608

    With Exception (untruncated)

    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 1 sessions from cache for memcap. 11 scbs remain. memcap: 7371628/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 1 sessions from cache for memcap. 20 scbs remain. memcap: 7832237/8388608
    2016:06:17-12:50:28 sophosutm snort[8988]: S5: Pruned 2 sessions from cache for memcap. 20 scbs remain. memcap: 8384375/8388608
    2016:06:17-12:50:28 sophosutm snort[8988]: S5: Pruned 1 sessions from cache for memcap. 19 scbs remain. memcap: 8371053/8388608
    2016:06:17-12:50:28 sophosutm snort[8988]: S5: Pruned 1 sessions from cache for memcap. 18 scbs remain. memcap: 8387022/8388608
    2016:06:17-12:50:28 sophosutm snort[8988]: S5: Pruned 1 sessions from cache for memcap. 17 scbs remain. memcap: 8354538/8388608
    2016:06:17-12:50:28 sophosutm snort[8988]: S5: Pruned 1 sessions from cache for memcap. 18 scbs remain. memcap: 8353442/8388608
    2016:06:17-12:50:28 sophosutm snort[8988]: S5: Pruned 1 sessions from cache for memcap. 17 scbs remain. memcap: 8350795/8388608
    2016:06:17-12:50:28 sophosutm snort[8988]: S5: Pruned 1 sessions from cache for memcap. 16 scbs remain. memcap: 8350977/8388608
    2016:06:17-12:50:28 sophosutm snort[8988]: S5: Pruned 1 sessions from cache for memcap. 18 scbs remain. memcap: 7813802/8388608

  • So is my theory correct then that disabling IPS from LAN to ANY is a free performance boost unless you're worried about an infected internal machine starting to attack outwards?  For us small office or home users this seems like a no-brainer.  I even tested this with another box I just built with an N3700 SuperMicro board, and I got full gigabit throughput by making this same tweak.  Without the tweak it would max out at 165 up and down.

  • I am unable to reproduce this on our UTM in the Amazon Cloud or in the lab here.  Also, this doesn't comport with what I expect or understand about how things work in the UTM.

    I don't believe that Speedtest.net from an internal device is a reliable measure.  Start by disabling your Exception, logging in at the command line as root and then pasting in the following block all at once on the command line:

    cd /home
    wget https://raw.githubusercontent.com/sivel/speedtest-cli/master/speedtest_cli.py --no-check-certificate
    cc set ips status 0
    sleep 30s
    python speedtest_cli.py
    cc set ips status 1
    sleep 60s
    python speedtest_cli.py

    Finally, enable your Exception and run python speedtest_cli.py again.  Please show your results.

    Cheers - Bob
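
Bob's procedure above, as an added Python 3 harness (not from the thread and not Sophos code): it runs each state several times, parses the Download/Upload lines that speedtest_cli.py prints, and compares medians with a tolerance, so a single noisy run does not decide the question. The state switching uses the cc set ips status 0/1 commands from Bob's post; the thread shows no command for toggling the exception, so the harness assumes the operator sets that in WebAdmin between runs. The sample outputs embedded for offline use are constructed from the figures Chris posted earlier.

```python
"""A/B throughput harness: IPS off vs IPS on vs IPS on + exception.

Added example for this thread, not Sophos code.  The cc commands are the ones
in Bob's post; the exception state is assumed to be toggled by hand in WebAdmin.
"""
import re
import statistics
import subprocess
import time

RE_RATE = re.compile(r"^(Download|Upload): ([\d.]+) Mbit/s", re.M)

# Constructed sample outputs, using the figures posted earlier in the thread.
SAMPLE_WITHOUT_EXCEPTION = """\
Hosted by AT&T (Austin, TX) [14.89 km]: 2.867 ms
Testing download speed........................................
Download: 859.46 Mbit/s
Testing upload speed..................................................
Upload: 102.16 Mbit/s
"""
SAMPLE_WITH_EXCEPTION = """\
Hosted by AT&T (Austin, TX) [14.89 km]: 2.825 ms
Testing download speed........................................
Download: 878.05 Mbit/s
Testing upload speed..................................................
Upload: 112.55 Mbit/s
"""


def parse_rates(output):
    """Return {'Download': Mbit/s, 'Upload': Mbit/s} from speedtest_cli.py output."""
    rates = {k: float(v) for k, v in RE_RATE.findall(output)}
    if set(rates) != {"Download", "Upload"}:
        raise ValueError("speedtest output missing Download/Upload lines")
    return rates


def median_rates(outputs):
    """Median per direction over several runs; the median resists one bad sample."""
    parsed = [parse_rates(o) for o in outputs]
    return {d: statistics.median(p[d] for p in parsed) for d in ("Download", "Upload")}


def compare(base, other, margin=0.05):
    """Relative change of `other` against `base` per direction, flagged if beyond margin."""
    result = {}
    for d in base:
        delta = (other[d] - base[d]) / base[d]
        result[d] = {"delta": delta, "significant": abs(delta) > margin}
    return result


# --- live helpers: only meaningful on the UTM, run as root ---
def set_ips(enabled, settle=60):
    """cc set ips status 1|0 (from Bob's post), then wait for snort to settle."""
    subprocess.run(["cc", "set", "ips", "status", "1" if enabled else "0"], check=True)
    time.sleep(settle)


def run_speedtest(runs=3, script="/home/speedtest_cli.py"):
    """Run the downloaded script several times and return its raw outputs."""
    return [subprocess.run(["python", script], check=True, capture_output=True,
                           text=True).stdout for _ in range(runs)]


if __name__ == "__main__":
    # Offline demonstration with the constructed samples.
    base = median_rates([SAMPLE_WITHOUT_EXCEPTION] * 3)
    exc = median_rates([SAMPLE_WITH_EXCEPTION] * 3)
    print(compare(base, exc))
    # Live use on the UTM (uncomment): IPS off, then IPS on, then set the
    # exception in WebAdmin and call median_rates(run_speedtest()) once more.
    # set_ips(False, 30); off = median_rates(run_speedtest())
    # set_ips(True); on = median_rates(run_speedtest())
    # print(compare(off, on))
```

On Chris's two posted runs the download delta is about 2%, inside a 5% margin, while the upload delta is about 10%; that is exactly the kind of split repeated runs and medians are there to settle before drawing a conclusion from a single result.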