[Oisf-users] IPS mode performance is very poor, why?
Eric Leblond
eric at regit.org
Mon Mar 5 08:49:41 UTC 2012
Hello,
On Mon, 2012-03-05 at 16:05 +0800, tingwei liu wrote:
> On Mon, Mar 5, 2012 at 3:29 PM, Victor Julien <victor at inliniac.net> wrote:
>
> On 03/05/2012 01:37 AM, tingwei liu wrote:
> >
> > On Fri, Mar 2, 2012 at 5:34 PM, Eric Leblond <eric at regit.org <mailto:eric at regit.org>> wrote:
> >
> > Hello,
> >
> > On Thursday 01 March 2012 at 17:11 +0800, tingwei liu wrote:
> > >
> > > On Wed, Feb 29, 2012 at 6:57 PM, tingwei liu <tingw.liu at gmail.com <mailto:tingw.liu at gmail.com>> wrote:
> > > I have installed suricata-1.2.1 with nfqueue enabled on a Fedora 15 system.
> > >
> > > #>iptables -I FORWARD -j NFQUEUE --queue-num 3
> > > #>suricata -c /etc/suricata/suricata.yaml -q 3 -D
> > > Only emergency-ftp.rules loaded.
> > >
> > > It works, but performance is very poor.
> > > I test it by transferring files from an ftp server.
> > > Before running the last two commands, the bandwidth is 100Mbps;
> > > after nfqueue and suricata are running, the bandwidth is only 1Mbps.
> > >
> > > Who can tell me which parameters should be changed?
> > > Thanks!
> > >
> > > I have tested some parameters. I find the key is network topology.
> > > If suricata runs on a linux server in bridge mode, its performance is poor.
> > > If suricata runs on a linux server which is a gateway, it's good.
> > > Why?
> >
> > First point: what is the performance of bridge mode without IPS?
> >
> > I mean the forwarding bandwidth; in my case, the bandwidth of bridge mode with NFQ is only 30Mbps, without NFQ almost 100Mbps.
> >
> > Second point: That's really strange. I've never heard about such an issue related to NFQ. I see one potential thing: the routing in gateway mode is IP level and the routing in bridge mode is ethernet level. Maybe there is an issue with the rerouting done at the time of the verdict in gateway mode. This issue could be checked by fixing the arp entry of the computers used for testing.
> >
> > I have two kernels, 2.6.38 and 3.0.8. The forward bandwidth of the 2.6.38 kernel in bridge mode with NFQ is 100Mbps, but the forward bandwidth of the 3.0.8 kernel in bridge mode with NFQ is 30Mbps.
> > The two kernels run on the same box with the same parameters (Fedora core 15).
> >
> > Thanks for your reply!
>
> I noticed you have the same issue with Snort. It seems to me this is an issue with the kernel or the kernel/userspace interaction.
>
> In the utils dir here:
> http://git.netfilter.org/cgi-bin/gitweb.cgi?p=libnetfilter_queue.git;a=tree
>
> you'll find a nfqnl_test.c. Can you try that?
>
> Thanks for your reply!
> I built and tested it. Also the same issue.
> I have captured packets with wireshark in nfqueue mode. There are many packets with TCP DUP ACK.
Can you make a schema of your setup with the associated iptables rules?
I have not managed to reproduce your setup and so can't test.
BR,
--
Eric Leblond
Blog: http://home.regit.org/
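Eric asks for the topology and the iptables rules. Alongside that, the first thing a practitioner would check on the IPS box is whether the NFQUEUE itself is losing packets, because a queue that fills up (verdicts coming back too slowly) or a netlink socket that cannot deliver to userspace drops packets silently, and a capture of the flow then shows exactly the retransmissions and duplicate ACKs mentioned above. The kernel reports this in /proc/net/netfilter/nfnetlink_queue. The script below is an added example for this thread, not code from Suricata, libnetfilter_queue or any participant; it assumes the column layout the kernel's nfnetlink_queue module writes (one line per bound queue: queue number, peer port id, packets waiting, copy mode, copy range, kernel drops, userspace drops, id sequence, and a trailing 1), the sample proc contents are constructed, and all function and variable names are mine.

```python
"""Read NFQUEUE statistics from /proc/net/netfilter/nfnetlink_queue and flag
queues that are dropping packets or not copying payload.

Added example for this thread; not code from Suricata, libnetfilter_queue
or any participant. It assumes the column layout written by the kernel's
nfnetlink_queue module, one line per bound queue:

    queue_num  peer_portid  queue_total  copy_mode  copy_range
    queue_dropped  user_dropped  id_sequence  1

Function and variable names are my own.
"""
import os
from dataclasses import dataclass

PROC_PATH = "/proc/net/netfilter/nfnetlink_queue"

# Copy modes as defined in linux/netfilter/nfnetlink_queue.h.
NFQNL_COPY_NONE, NFQNL_COPY_META, NFQNL_COPY_PACKET = 0, 1, 2

# Constructed sample of the proc file (not a real capture): queue 3 has had
# 3011 packets dropped by the kernel, queue 5 only copies packet metadata.
SAMPLE_PROC = (
    "    3   4242   120 2 65535  3011     0    98765  1\n"
    "    5   4243     0 1    64     0     0       12  1\n"
)


@dataclass
class QueueStats:
    queue_num: int
    peer_portid: int     # netlink port id of the bound userspace program
    queue_total: int     # packets currently waiting for a verdict
    copy_mode: int
    copy_range: int      # bytes of each packet copied to userspace
    queue_dropped: int   # kernel drops: queue was full (queue maxlen reached)
    user_dropped: int    # failed sends to userspace (e.g. socket buffer full)
    id_sequence: int


def parse_nfqueue_stats(text):
    """Parse the proc file text into QueueStats, skipping malformed lines."""
    stats = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8:
            continue
        try:
            values = [int(f) for f in fields[:8]]
        except ValueError:
            continue
        stats.append(QueueStats(*values))
    return stats


def queue_problems(stats, backlog_warn=512):
    """Return human-readable findings for queues that would cause packet
    loss or missing payload for an IPS such as Suricata."""
    findings = []
    for q in stats:
        tag = "queue %d" % q.queue_num
        if q.queue_dropped:
            findings.append("%s: queue_dropped=%d, kernel dropped packets because "
                            "the queue was full; verdicts are not coming back "
                            "fast enough" % (tag, q.queue_dropped))
        if q.user_dropped:
            findings.append("%s: user_dropped=%d, packets could not be delivered "
                            "to userspace (netlink socket buffer too small?)"
                            % (tag, q.user_dropped))
        if q.copy_mode != NFQNL_COPY_PACKET:
            findings.append("%s: copy_mode=%d, payload is not copied so the IPS "
                            "cannot inspect it" % (tag, q.copy_mode))
        if q.queue_total >= backlog_warn:
            findings.append("%s: queue_total=%d packets waiting for a verdict"
                            % (tag, q.queue_total))
    return findings


def read_proc_stats(path=PROC_PATH):
    """Read the live proc file; None if nfnetlink_queue is not loaded here."""
    if not os.path.exists(path):
        return None
    with open(path) as fh:
        return parse_nfqueue_stats(fh.read())


if __name__ == "__main__":
    live = read_proc_stats()
    stats = live if live is not None else parse_nfqueue_stats(SAMPLE_PROC)
    print("source:", "live proc file" if live is not None else "constructed sample")
    for q in stats:
        print(q)
    for finding in queue_problems(stats) or ["no problems found"]:
        print(finding)
```

Run it on the IPS box while the ftp transfer is in progress, once per kernel, and compare the drop counters; a queue_dropped counter that climbs only on the slow kernel points at the queue filling up rather than at the rule set. Two related checks worth doing on a bridge setup: confirm that net.bridge.bridge-nf-call-iptables is 1, since without it bridged frames never reach the FORWARD chain and the NFQUEUE rule is simply bypassed, and confirm that the NFQUEUE rule counters in `iptables -L FORWARD -v -n` actually increase for the test traffic.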