[Oisf-users] IPS mode performance is very poor, why?

tingwei liu tingw.liu at gmail.com
Mon Mar 5 00:37:05 UTC 2012


On Fri, Mar 2, 2012 at 5:34 PM, Eric Leblond <eric at regit.org> wrote:

> Hello,
>
> On Thursday, 1 March 2012 at 17:11 +0800, tingwei liu wrote:
> >
> >
> > On Wed, Feb 29, 2012 at 6:57 PM, tingwei liu <tingw.liu at gmail.com>
> > wrote:
> >         I have installed suricata-1.2.1 with nfqueue enabled on a
> >         Fedora 15 system.
> >
> >         #>iptables -I FORWARD -j NFQUEUE --queue-num 3
> >         #>suricata -c /etc/suricata/suricata.yaml -q 3 -D
> >         Only emergency-ftp.rules loaded.
> >
> >         It works, but performance is very poor.
> >         I tested it by transferring files from an FTP server.
> >         Before running the last two commands, the bandwidth is 100Mbps;
> >         after nfqueue and suricata are running, the bandwidth is only 1Mbps.
> >
> >
> >         Who can tell me which parameters should be changed?
> >         Thanks!
> >
> > I have tested some parameters. I find the key is network topology.
> > If suricata runs on a Linux server in bridge mode, its performance is
> > poor.
> > If suricata runs on a Linux server which is a gateway, it's good.
> > Why?
>
> First point: what is the performance of bridge mode without IPS?
>
I mean the forwarding bandwidth. In my case, the bandwidth of bridge mode
with NFQ is only 30Mbps; without NFQ it is almost 100Mbps.

>
> Second point: That's really strange. I've never heard about such an issue
> related to NFQ. I see one potential thing: the routing in gateway mode
> is IP level and the routing in bridge mode is Ethernet level.
> Maybe there is an issue with the rerouting done at the time of the
> verdict in gateway mode. This issue could be checked by fixing the ARP
> entry of the computers used for testing.

I have two kernels, 2.6.38 and 3.0.8. The forwarding bandwidth of the 2.6.38
kernel in bridge mode with NFQ is 100Mbps, but the forwarding bandwidth of the
3.0.8 kernel in bridge mode with NFQ is 30Mbps.
The two kernels run on the same box with the same parameters (Fedora Core 15).

Thanks for your reply!

>


> BR,
>
> --
> Eric Leblond <eric at regit.org>
>