IPS Exception from LAN to ANY

If I add an exception in IPS rules to not apply IPS from my internal LAN to ANY am I essentially turning off IPS?  I'm not concerned with any device at home attempting malicious activity going outbound so I don't see the need to have IPS from LAN to ANY.  I noticed with this exception I get my full Gigabit throughput but if I remove the exception I get cut down to 350-400 Mbps.



This thread was automatically locked due to age.
  • Hi Chris,

    Disable the IPS exception and take SSH to the UTM and log in as root. Run "wget --no-check-certificate -O - https://raw.github.com/sivel/speedtest-cli/master/speedtest_cli.py | python". Verify what bandwidth is received on the UTM's interface.

    Thanks

  • Unexpected results to say the least.

    Here's without the exception

    Hosted by AT&T (Austin, TX) [14.89 km]: 2.867 ms
    Testing download speed........................................
    Download: 859.46 Mbit/s
    Testing upload speed..................................................
    Upload: 102.16 Mbit/s

    And here's with the exception

    Hosted by AT&T (Austin, TX) [14.89 km]: 2.825 ms
    Testing download speed........................................
    Download: 878.05 Mbit/s
    Testing upload speed..................................................
    Upload: 112.55 Mbit/s

    I ran them both a few times and they were all within the margin of error.

    Now here's from the site directly using the same AT&T server that the script selected.

    With exception

    http://www.speedtest.net/my-result/5411309219

    Without exception

    http://www.speedtest.net/my-result/5411314162

  • Upon enabling the exception I ran speedtest again and this was the entirety of the output (much less, but still on it seems).

    This really makes me think disabling LAN to ANY/WAN is still leaving IPS working, it's just not wasting CPU on outbound and therefore not limiting my bandwidth.  Does this seem right to you?


    Live Log: Intrusion Prevention System
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 1 sessions from cache for memcap. 21 scbs remain. memcap: 8296406/8388608
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 1 sessions from cache for memcap. 21 scbs remain. memcap: 8332801/8388608
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Session exceeded configured max bytes to queue 1048576 using 1049680 bytes (client queue). 192.168.10.100 5697 --> 99.24.18.5 8080 (0) : LWstate 0x9 LWFlags 0x406007
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 1 sessions from cache for memcap. 22 scbs remain. memcap: 8119130/8388608
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 1 sessions from cache for memcap. 23 scbs remain. memcap: 8387788/8388608
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 3 sessions from cache for memcap. 20 scbs remain. memcap: 8322446/8388608
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned session from cache that was using 1063799 bytes (memcap/check). 192.168.10.100 5695 --> 99.24.18.5 8080 (0) : LWstate 0x9 LWFlags 0x6007
    2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 4 sessions from cache for memcap. 17 scbs remain. memcap: 7325894/8388608
    2016:06:17-10:27:30 sophosutm snort[4862]: S5: Session exceeded configured max bytes to queue 1048576 using 1051200 bytes (client queue). 192.168.10.100 5700 --> 99.24.18.5 8080 (0) : LWstate 0x9 LWFlags 0x406007
    2016:06:17-10:27:30 sophosutm snort[4862]: S5: Session exceeded configured max bytes to queue 1048576 using 1053840 bytes (client queue). 192.168.10.100 5702 --> 99.24.18.5 8080 (0) : LWstate 0x9 LWFlags 0x406007

  • My system specs by the way

    G3258 @ 4.2Ghz

    8GB DDR3 1600

    Asus H79 Mini-ITX

    Intel E1G42ETBLK server card

  • Good work, Sachin and Chris - I think the devs can put this to good use.  It's not the first time that the issue of Session exceeded configured max bytes to queue has appeared here.

    Chris, what happens if you do as root cc set ips snortsettings max_queued_bytes 3145728 and then run your tests?  After you're done, keep an eye on performance to be sure this doesn't cause a problem, or you might want to just set it back to the default 1048576.

    Cheers - Bob

  • Performance is unchanged but the logs are cleaner.

    Without exception (untruncated)

    2016:06:17-12:49:41 sophosutm snort[8979]: Max concurrent sessions : 0
    2016:06:17-12:49:41 sophosutm snort[8979]: ===============================================================================
    2016:06:17-12:49:41 sophosutm snort[8979]: dcerpc2 Preprocessor Statistics
    2016:06:17-12:49:41 sophosutm snort[8979]: Total sessions: 0
    2016:06:17-12:49:41 sophosutm snort[8979]: ===============================================================================
    2016:06:17-12:49:41 sophosutm snort[8979]: ===============================================================================
    2016:06:17-12:49:41 sophosutm snort[8979]: SIP Preprocessor Statistics
    2016:06:17-12:49:41 sophosutm snort[8979]: Total sessions: 0
    2016:06:17-12:49:41 sophosutm snort[8979]: ===============================================================================
    2016:06:17-12:49:41 sophosutm snort[8979]: Snort exiting
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 144 scbs remain. memcap: 8400069/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 139 scbs remain. memcap: 8404540/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 134 scbs remain. memcap: 8408275/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 129 scbs remain. memcap: 8422966/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 124 scbs remain. memcap: 8428897/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 119 scbs remain. memcap: 8431908/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 114 scbs remain. memcap: 8456819/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 109 scbs remain. memcap: 8459830/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 104 scbs remain. memcap: 8462841/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 99 scbs remain. memcap: 8470232/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 94 scbs remain. memcap: 8474703/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 89 scbs remain. memcap: 8476254/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 84 scbs remain. memcap: 8489485/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 79 scbs remain. memcap: 8492076/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 74 scbs remain. memcap: 8492022/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 69 scbs remain. memcap: 8492613/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 64 scbs remain. memcap: 8495919/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 59 scbs remain. memcap: 8494845/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 54 scbs remain. memcap: 8501071/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 49 scbs remain. memcap: 8499997/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 44 scbs remain. memcap: 8500383/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 39 scbs remain. memcap: 8502229/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 34 scbs remain. memcap: 8505535/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 29 scbs remain. memcap: 8510009/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 24 scbs remain. memcap: 8498943/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 19 scbs remain. memcap: 8442555/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 14 scbs remain. memcap: 8370779/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 1 sessions from cache for memcap. 13 scbs remain. memcap: 8365475/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 3 sessions from cache for memcap. 11 scbs remain. memcap: 8370367/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 1 sessions from cache for memcap. 11 scbs remain. memcap: 7371628/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 1 sessions from cache for memcap. 20 scbs remain. memcap: 7832237/8388608
    2016:06:17-12:50:28 sophosutm snort[8988]: S5: Pruned 2 sessions from cache for memcap. 20 scbs remain. memcap: 8384375/8388608
    2016:06:17-12:50:28 sophosutm snort[8988]: S5: Pruned 1 sessions from cache for memcap. 19 scbs remain. memcap: 8371053/8388608
    2016:06:17-12:50:28 sophosutm snort[8988]: S5: Pruned 1 sessions from cache for memcap. 18 scbs remain. memcap: 8387022/8388608
    2016:06:17-12:50:28 sophosutm snort[8988]: S5: Pruned 1 sessions from cache for memcap. 17 scbs remain. memcap: 8354538/8388608
    2016:06:17-12:50:28 sophosutm snort[8988]: S5: Pruned 1 sessions from cache for memcap. 18 scbs remain. memcap: 8353442/8388608
    2016:06:17-12:50:28 sophosutm snort[8988]: S5: Pruned 1 sessions from cache for memcap. 17 scbs remain. memcap: 8350795/8388608
    2016:06:17-12:50:28 sophosutm snort[8988]: S5: Pruned 1 sessions from cache for memcap. 16 scbs remain. memcap: 8350977/8388608
    2016:06:17-12:50:28 sophosutm snort[8988]: S5: Pruned 1 sessions from cache for memcap. 18 scbs remain. memcap: 7813802/8388608

    With Exception (untruncated)

    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 1 sessions from cache for memcap. 11 scbs remain. memcap: 7371628/8388608
    2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 1 sessions from cache for memcap. 20 scbs remain. memcap: 7832237/8388608
    2016:06:17-12:50:28 sophosutm snort[8988]: S5: Pruned 2 sessions from cache for memcap. 20 scbs remain. memcap: 8384375/8388608
    2016:06:17-12:50:28 sophosutm snort[8988]: S5: Pruned 1 sessions from cache for memcap. 19 scbs remain. memcap: 8371053/8388608
    2016:06:17-12:50:28 sophosutm snort[8988]: S5: Pruned 1 sessions from cache for memcap. 18 scbs remain. memcap: 8387022/8388608
    2016:06:17-12:50:28 sophosutm snort[8988]: S5: Pruned 1 sessions from cache for memcap. 17 scbs remain. memcap: 8354538/8388608
    2016:06:17-12:50:28 sophosutm snort[8988]: S5: Pruned 1 sessions from cache for memcap. 18 scbs remain. memcap: 8353442/8388608
    2016:06:17-12:50:28 sophosutm snort[8988]: S5: Pruned 1 sessions from cache for memcap. 17 scbs remain. memcap: 8350795/8388608
    2016:06:17-12:50:28 sophosutm snort[8988]: S5: Pruned 1 sessions from cache for memcap. 16 scbs remain. memcap: 8350977/8388608
    2016:06:17-12:50:28 sophosutm snort[8988]: S5: Pruned 1 sessions from cache for memcap. 18 scbs remain. memcap: 7813802/8388608
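    As an added illustration (not code from this thread, from Sophos, or from Snort), here is a small Python parser for the stream5 ("S5") lines in the IPS live logs posted above and in the earlier post: it totals pruned sessions, counts "Session exceeded configured max bytes to queue" events with their overage, and records peak memcap use per snort PID, so memcap pressure before and after a queue_length or max_queued_bytes change can be compared rather than eyeballed. The sample lines are copied from this thread; the threshold in flag_memcap_pressure is an assumed value.

```python
import re
from collections import Counter

# Three message shapes seen in the UTM IPS live log (Snort stream5, "S5").
PRUNE_RE = re.compile(
    r"snort\[(?P<pid>\d+)\]: S5: Pruned (?P<n>\d+) sessions? from cache for memcap\. "
    r"(?P<scbs>\d+) scbs remain\. memcap: (?P<used>\d+)/(?P<cap>\d+)"
)
SINGLE_RE = re.compile(
    r"snort\[(?P<pid>\d+)\]: S5: Pruned session from cache that was using (?P<used>\d+) bytes"
)
EXCEED_RE = re.compile(
    r"snort\[(?P<pid>\d+)\]: S5: Session exceeded configured max bytes to queue "
    r"(?P<limit>\d+) using (?P<used>\d+) bytes \((?P<side>\w+) queue\)\. "
    r"(?P<src>[\d.]+) (?P<sport>\d+) --> (?P<dst>[\d.]+) (?P<dport>\d+)"
)

def summarize_s5(lines):
    """Return {pid: Counter} describing stream5 memory pressure; other lines are ignored."""
    stats = {}
    for line in lines:
        m = PRUNE_RE.search(line)
        if m:
            s = stats.setdefault(m["pid"], Counter())
            s["prune_events"] += 1
            s["sessions_pruned"] += int(m["n"])
            # used/cap above 1.0 means Snort is already over its configured memcap.
            pct = round(100 * int(m["used"]) / int(m["cap"]))
            s["peak_memcap_pct"] = max(s["peak_memcap_pct"], pct)
            continue
        m = SINGLE_RE.search(line)
        if m:
            stats.setdefault(m["pid"], Counter())["single_prunes"] += 1
            continue
        m = EXCEED_RE.search(line)
        if m:
            s = stats.setdefault(m["pid"], Counter())
            s["queue_exceeded"] += 1
            overage = int(m["used"]) - int(m["limit"])
            s["max_overage_bytes"] = max(s["max_overage_bytes"], overage)
    return stats

def flag_memcap_pressure(stats, threshold_pct=95):
    """PIDs whose peak memcap use reached the (assumed) threshold or that overflowed a queue."""
    return sorted(pid for pid, s in stats.items()
                  if s["peak_memcap_pct"] >= threshold_pct or s["queue_exceeded"] > 0)

# Sample lines copied from this thread (plus one non-S5 line that must be ignored).
SAMPLE_LINES = [
    "2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned 1 sessions from cache for memcap. 21 scbs remain. memcap: 8296406/8388608",
    "2016:06:17-10:27:29 sophosutm snort[4862]: S5: Session exceeded configured max bytes to queue 1048576 using 1049680 bytes (client queue). 192.168.10.100 5697 --> 99.24.18.5 8080 (0) : LWstate 0x9 LWFlags 0x406007",
    "2016:06:17-10:27:29 sophosutm snort[4862]: S5: Pruned session from cache that was using 1063799 bytes (memcap/check). 192.168.10.100 5695 --> 99.24.18.5 8080 (0) : LWstate 0x9 LWFlags 0x6007",
    "2016:06:17-12:49:41 sophosutm snort[8979]: Snort exiting",
    "2016:06:17-12:50:27 sophosutm snort[8988]: S5: Pruned 5 sessions from cache for memcap. 144 scbs remain. memcap: 8400069/8388608",
]

if __name__ == "__main__":
    result = summarize_s5(SAMPLE_LINES)
    for pid in flag_memcap_pressure(result):
        print(pid, dict(result[pid]))
```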

  • So is my theory correct then that disabling IPS from LAN to ANY is a free performance boost unless you're worried about an infected internal machine starting to attack outwards?  For us small office or home users this seems like a no-brainer.  I even tested this with another box I just built with an N3700 SuperMicro board and I got full gigabit throughput by making this same tweak.  Without the tweak it would max out at 165 up and down.

  • I am unable to reproduce this on our UTM in the Amazon Cloud or in the lab here.  Also, this doesn't comport with what I expect or understand about how things work in the UTM.

    I don't believe that Speedtest.net from an internal device is a reliable measure.  Start by disabling your Exception, logging in at the command line as root and then pasting in the following block all at once on the command line:

    cd /home
    wget https://raw.githubusercontent.com/sivel/speedtest-cli/master/speedtest_cli.py --no-check-certificate
    cc set ips status 0
    sleep 30s
    python speedtest_cli.py
    cc set ips status 1
    sleep 60s
    python speedtest_cli.py

    Finally, enable your Exception and run python speedtest_cli.py again.  Please show your results.

    Cheers - Bob

  • Hi,

    From the logs, it shows you have DoS configured for UDP, as a UDP flood is detected from Google's IP address. Fine-tune it to complement your network architecture and flow of traffic.

    2016:06:17-09:54:14 sophosutm ulogd[4640]: id="2105" severity="info" sys="SecureNet" sub="ips" name="UDP flood detected" action="UDP flood" fwrule="60013" initf="eth1" srcmac="90:3e:ab:f9:80:d0" dstmac="00:1b:21:a8:b0:33" srcip="74.125.3.90" dstip="162.202.206.67" proto="17" length="1378" tos="0x00" prec="0x00" ttl="54" srcport="443" dstport="64679"

    Next, take SSH to the UTM and log in as root. Run "cc set ips queue_length 8192". Check the pruned session logs and the bandwidth.

    Thanks

  • Thanks Sachin.

    I actually referenced this ticket here regarding setting an exception up for Google's UDP traffic.

    https://community.sophos.com/products/unified-threat-management/f/54/t/41626

    After setting the queue length to 8192 the pruning is gone.

    However my original question remains still, why does adding an exception in IPS for just LAN to ANY totally remove the performance penalty of IPS?  I want to make sure I'm not crippling IPS or making it useless by doing this, but otherwise it seems like a great and easy tweak.

  • Sachin, re "cc set ips queue_length 8192" - is there a general rule about maximum queue_length and RAM?

    Cheers - Bob

  • Hi Bob,

    It occurs due to heavy load and when the memcap reaches a threshold. Increasing queue_length will result in a higher value for memcap; eventually, more packets can be scanned through it.

    Thanks
