[Oisf-users] IPS mode performance is very poor, why?
tingwei liu
tingw.liu at gmail.com
Mon Mar 5 08:05:10 UTC 2012
On Mon, Mar 5, 2012 at 3:29 PM, Victor Julien <victor at inliniac.net> wrote:
> On 03/05/2012 01:37 AM, tingwei liu wrote:
> >
> >
> > On Fri, Mar 2, 2012 at 5:34 PM, Eric Leblond <eric at regit.org
> > <mailto:eric at regit.org>> wrote:
> >
> > Hello,
> >
> > Le jeudi 01 mars 2012 à 17:11 +0800, tingwei liu a écrit :
> > >
> > >
> > > On Wed, Feb 29, 2012 at 6:57 PM, tingwei liu <tingw.liu at gmail.com
> > <mailto:tingw.liu at gmail.com>>
> > > wrote:
> > > I have installed suricata-1.2.1 with nfqueue enabled on a Fedora 15 system.
> > >
> > > #>iptables -I FORWARD -j NFQUEUE --queue-num 3
> > > #>suricata -c /etc/suricata/suricata.yaml -q 3 -D
> > > Only emergency-ftp.rules loaded.
> > >
> > > It works, but performance is very poor.
> > > I tested it by transferring files from an FTP server.
> > > Before running the last two commands, the bandwidth is 100Mbps;
> > > after nfqueue and suricata are running, the bandwidth is only 1Mbps.
> > >
> > >
> > > Who can tell me which parameters should be changed?
> > > Thanks!
> > >
> > > I have tested some parameters. I find the key is network topology.
> > > If suricata runs on a Linux server in bridge mode, its performance is poor.
> > > If suricata runs on a Linux server which is a gateway, it's good.
> > > Why?
> >
> > First point: what is the performance of bridge mode without IPS ?
> >
> > I mean the forwarding bandwidth; in my case, the bandwidth of bridge
> > mode with NFQ is only 30Mbps, without NFQ almost 100Mbps.
> >
> >
> > Second point: That's really strange. I've never heard about such issue
> > related to NFQ. I see one potential thing: the routing in gateway mode
> > is IP level and the routing in bridge mode is ethernet level.
> > Maybe there is an issue with the rerouting done at the time of the
> > verdict in gateway mode. This issue could be checked by fixing the arp
> > entry of the computers used for testing.
> >
> > I have two kernels, 2.6.38 and 3.0.8. The forward bandwidth of the 2.6.38
> > kernel in bridge mode with NFQ is 100Mbps, but the forward bandwidth of the
> > 3.0.8 kernel in bridge mode with NFQ is 30Mbps.
> > The two kernels run on the same box with the same parameters (Fedora Core 15).
> >
> > Thanks for your reply!
>
> I noticed you have the same issue with Snort. It seems to me this is an
> issue with the kernel or the kernel/userspace interaction.
>
> In the utils dir here:
> http://git.netfilter.org/cgi-bin/gitweb.cgi?p=libnetfilter_queue.git;a=tree
>
> you'll find a nfqnl_test.c. Can you try that?
>
> Thanks for your reply!
I built and tested it. Also the same issue.
I have captured packets with wireshark in nfqueue mode. There are many
packets with TCP DUP ACK.
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>