[Oisf-users] IPS mode performance is very poor, why?

Eric Leblond eric at regit.org
Fri Mar 2 09:34:46 UTC 2012


On Thursday 01 March 2012 at 17:11 +0800, tingwei liu wrote:
> On Wed, Feb 29, 2012 at 6:57 PM, tingwei liu <tingw.liu at gmail.com>
> wrote:
>         I have installed suricata-1.2.1 with nfqueue enabled on a
>         Fedora 15 system.
>         #>iptables -I FORWARD -j NFQUEUE --queue-num 3
>         #>suricata -c /etc/suricata/suricata.yaml -q 3 -D
>         Only emergency-ftp.rules loaded.
>         It works, but performance is very poor.
>         I tested it by transferring files from an FTP server.
>         Before running the last two commands, the bandwidth is 100Mbps;
>         after nfqueue and suricata are running, the bandwidth is only 1Mbps.
>         Who can tell me which parameters should be changed?
>         Thanks!
> I have tested some parameters. I find the key is network topology.
> If suricata runs on a Linux server in bridge mode, its performance is
> poor.
> If suricata runs on a Linux server which is a gateway, it's good.
> Why?

First point: what is the performance of bridge mode without IPS?

Second point: That's really strange. I've never heard about such an issue
related to NFQ. I see one potential thing: the routing in gateway mode
is IP level and the routing in bridge mode is Ethernet level.
Maybe there is an issue with the rerouting done at the time of the
verdict in gateway mode. This issue could be checked by fixing the ARP
entry of the computers used for testing.


Eric Leblond <eric at regit.org>