[Oisf-users] IPS mode performance is very poor, why?
Hariharan Thantry
thantry at gmail.com
Fri Mar 2 17:13:30 UTC 2012
Hi Eric,
Bridge mode performance is line rate or very nearly so. I have two 10G
dual-ported Ethernet cards on two PCI-Express x8 links, and the
forwarding performance is near line rate (20Gbps). No problem with the
bridge module itself. Like tingwei, I suspect the NFQUEUE
library/kernel implementation as well...
Thanks,
Hari
On Fri, Mar 2, 2012 at 1:34 AM, Eric Leblond <eric at regit.org> wrote:
> Hello,
>
> On Thursday, March 1, 2012 at 17:11 +0800, tingwei liu wrote:
>>
>>
>> On Wed, Feb 29, 2012 at 6:57 PM, tingwei liu <tingw.liu at gmail.com>
>> wrote:
>> I have installed suricata-1.2.1 with nfqueue enabled on a Fedora
>> 15 system.
>>
>> #>iptables -I FORWARD -j NFQUEUE --queue-num 3
>> #>suricata -c /etc/suricata/suricata.yaml -q 3 -D
>> Only emergency-ftp.rules loaded.
>>
>> It works, but performance is very poor.
>> I test it by transferring files from an FTP server.
>> Before running the last two commands, the bandwidth is 100Mbps;
>> after NFQUEUE and Suricata are running, the bandwidth is only 1Mbps.
>>
>>
>> Who can tell me which parameters should be changed ?
>> Thanks!
>>
>> I have tested some parameters. I find the key is the network topology.
>> If Suricata runs on a Linux server in bridge mode, its performance is
>> poor.
>> If Suricata runs on a Linux server which is a gateway, it's good.
>> Why?
>
> First point: what is the performance of bridge mode without IPS ?
>
> Second point: That's really strange. I've never heard about such an issue
> related to NFQ. I see one potential thing: the routing in gateway mode
> is IP level and the routing in bridge mode is Ethernet level.
> Maybe there is an issue with the rerouting done at the time of the
> verdict in gateway mode. This issue could be checked by fixing the ARP
> entry of the computers used for testing.
>
> BR,
>
> --
> Eric Leblond <eric at regit.org>
>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
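When throughput collapses after inserting an NFQUEUE rule, the first thing worth checking is whether the kernel is dropping packets because userspace (Suricata) is not returning verdicts fast enough. The kernel exposes per-queue counters in /proc/net/netfilter/nfnetlink_queue. The script below is an added example, not code from the thread or from the Suricata project: it parses that table and flags queues that are full or dropping. The sample table is constructed (queue 3 matches the `--queue-num 3` used in the thread); the queue length limit of 1024 is assumed to be the kernel default for a queue created without an explicit maxlen.

```python
"""Parse /proc/net/netfilter/nfnetlink_queue and flag queues that are
stalling.  Added example; assumes the column layout written by the
kernel's nfnetlink_queue seq_show():
  queue_num peer_portid queue_total copy_mode copy_range
  queue_dropped user_dropped id_sequence 1
"""
import os
from dataclasses import dataclass
from typing import List, Tuple

PROC_PATH = "/proc/net/netfilter/nfnetlink_queue"
DEFAULT_QUEUE_MAXLEN = 1024        # assumed kernel default when no maxlen is set
COPY_PACKET = 2                    # copy_mode 2 = full packet copied to userspace

# Constructed sample: queue 3 is full and dropping, queue 7 is healthy.
SAMPLE_TABLE = """\
    3  12345   1024     2 65535   8712     0   102345  1
    7   4242      0     2 65535      0     0      512  1
"""


@dataclass
class QueueStats:
    queue_num: int
    peer_portid: int      # netlink port id of the userspace listener
    queue_total: int      # packets currently waiting for a verdict
    copy_mode: int
    copy_range: int
    queue_dropped: int    # kernel dropped because the queue hit its maxlen
    user_dropped: int     # kernel could not deliver to the netlink socket
    id_sequence: int


def parse_nfqueue_table(text: str) -> List[QueueStats]:
    """Turn the proc table text into QueueStats rows; skips malformed lines."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8:
            continue
        try:
            rows.append(QueueStats(*[int(f) for f in fields[:8]]))
        except ValueError:
            continue
    return rows


def diagnose(stats: List[QueueStats],
             queue_maxlen: int = DEFAULT_QUEUE_MAXLEN) -> List[Tuple[int, str]]:
    """Return (queue_num, finding) pairs for every sign of a stalled queue."""
    findings = []
    for q in stats:
        if q.queue_dropped > 0:
            # Verdicts arrive slower than packets: the in-kernel queue overflowed.
            findings.append((q.queue_num, "queue_dropped"))
        if q.user_dropped > 0:
            # Packets could not be copied to userspace (netlink buffer too small).
            findings.append((q.queue_num, "user_dropped"))
        if q.queue_total >= queue_maxlen:
            # Queue is sitting at its limit right now; new packets will be dropped.
            findings.append((q.queue_num, "queue_full"))
        if q.copy_mode != COPY_PACKET:
            # Without full packet copies the IPS cannot inspect payloads.
            findings.append((q.queue_num, "copy_mode_not_packet"))
    return findings


def report(text: str) -> List[str]:
    """Human-readable summary lines for the given proc table text."""
    stats = parse_nfqueue_table(text)
    lines = [f"queue {q.queue_num}: {q.queue_total} waiting, "
             f"{q.queue_dropped} kernel-dropped, {q.user_dropped} user-dropped"
             for q in stats]
    for num, finding in diagnose(stats):
        lines.append(f"WARNING queue {num}: {finding}")
    return lines


if __name__ == "__main__":
    # Read the live table when present (needs a kernel with nfnetlink_queue),
    # otherwise fall back to the constructed sample.
    text = SAMPLE_TABLE
    if os.path.exists(PROC_PATH):
        with open(PROC_PATH) as fh:
            text = fh.read()
    for line in report(text):
        print(line)
```

A non-zero `queue_dropped` on the Suricata queue means the bridge itself is not the bottleneck: packets are being discarded in the kernel while waiting for a verdict, which is exactly the symptom of a slow verdict path rather than of the bridge module.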