[Oisf-users] IPS mode performance is very poor, why?

Hariharan Thantry thantry at gmail.com
Fri Mar 2 17:13:30 UTC 2012

Hi Eric,

Bridge mode performance is line rate or very nearly so. I have 2 10G
dual ported-ethernet cards on 2 PCI-Express x8 link, and the
forwarding performance is near line rate (20Gbps). No problem with the
bridge module, itself. Like tingwei, I suspect the NFQUEUE
library/kernel implementation as well...


On Fri, Mar 2, 2012 at 1:34 AM, Eric Leblond <eric at regit.org> wrote:
> Hello,
> Le jeudi 01 mars 2012 à 17:11 +0800, tingwei liu a écrit :
>> On Wed, Feb 29, 2012 at 6:57 PM, tingwei liu <tingw.liu at gmail.com>
>> wrote:
>>         I have installed suricata-1.2.1 with enable nfqueue on fedora
>>         15 system.
>>         #>iptables -I FORWARD -j NFQUEUE --queue-num 3
>>         #>suricata -c /etc/suricata/suricata.yaml -q 3 -D
>>         Only emergency-ftp.rules loaded.
>>         It works, but performance is very poor.
>>         I test it by transfer files from ftp server.
>>         Before running last two commands, the bandwidth is 100Mbps;
>>         After nfqueue and suricata running, the bandwidth only 1Mbps.
>>         Who can tell me which parameters should be changed ?
>>         Thanks!
>> I have test some parameters. I find the key is network topology.
>> If suricata run a linux server with bridge mode, it's performance is
>> poor.
>> If suricata run a linux server which is a gataway, it's good.
>> Why?
> First point:  what is the performance of bridge mode without IPS ?
> Second point: That's really strange. I've never heard about such issue
> related to NFQ. I see one potential thing: the routing in gateway mode
> is IP level and the routing in bridge mode is ethernet level.
> Maybe there is an issue with the rerouting done at the time of the
> verdict in gateway mode. This issue could be checked by fixing the arp
> entry of the computers used for testing.
> BR,
> --
> Eric Leblond <eric at regit.org>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

More information about the Oisf-users mailing list