What speeds are you getting while IDS / IPS is turned on

What speeds are you getting while IDS / IPS is turned on

CapeTown2015
When I saw Grommish’s reminder to turn on hardware acceleration, because of the impact on throughput, it made me wonder what performance people are getting with IDS / IPS enabled. I remember that I had to enter a rule to exclude deep packet inspection of https traffic from my news server, because back then the Shield was unable to process this much traffic.

Please post what throughput you get with what settings of IDS / IPS (Snort or Suricata) you are using (preferably the command). I can imagine that you actually optimize the settings so that the Shield is able to perform with maximum inspection, while still hitting the maximum bandwidth of your broadband.
Running Itus Shield v2 Firmware
Re: What speeds are you getting while IDS / IPS is turned on

Grommish
Administrator
When I was messing with Snort++ (Snort3) I was seeing nearly full throughput and was loading a MASSIVE amount of rules.

If you are willing to work with me, we can test Snort++. I have never worked with IDS/IPS and was working with Snort3 because it was a challenge and Itus was using snort2.x originally.

Suricata I'm also working on. However, it seems Suricata is completely broken for mips64 (https://forum.suricata.io/t/suricata6-0-0-beta1-on-openwrt-illegal-instruction-error/572/12), so I'm just now pivoting back to Snort3.

If you are interested, let me know. You can find me on Google Hangouts (grommish@gmail.com) or on the Discord I set up (https://discord.gg/mnrmUaa).
Re: What speeds are you getting while IDS / IPS is turned on

Grommish
Administrator
Without Snort3

With Snort3

Below is the console output.

That being said, it's in no way optimized, and the rules are the straight community ruleset.

root@OpenWrt:/etc/snort# snort -v -c /etc/snort/snort.lua -i eth0:br-lan --daq-dir /usr/lib/daq --daq afpacket --daq-var debug --daq-var fanout_type=hash --daq-var fanout_flag=defrag -A alert_full -D
--------------------------------------------------
o")~   Snort++ 3.0.0-247
--------------------------------------------------
Loading /etc/snort/snort.lua:
        ips
        dce_http_proxy
        wizard
        pop
        ftp_server
        ssl
        stream_icmp
        ftp_data
        dnp3
        telnet
        latency
        dce_udp
        imap
        classifications
        references
        binder
        appid
        ftp_client
        smtp
        gtp_inspect
        port_scan
        back_orifice
        dce_tcp
        ssh
        rpc_decode
        stream_tcp
        normalizer
        modbus
        http2_inspect
        http_inspect
        arp_spoof
        stream_user
        stream_udp
        stream_ip
        stream_file
        stream
        dce_http_server
        dce_smb
        sip
        file_id
        dns
Finished /etc/snort/snort.lua.
Loading builtin:
Finished builtin.
Loading /etc/snort/snort3-community-rules/snort3-community.rules:
Finished /etc/snort/snort3-community-rules/snort3-community.rules.
--------------------------------------------------
rule counts
       total rules loaded: 1300
               text rules: 829
            builtin rules: 471
            option chains: 1300
            chain headers: 46
--------------------------------------------------
port rule counts
             tcp     udp    icmp      ip
     any     534       3       0       0
     src     124       3       0       0
     dst     539      98       0       0
    both       0       1       0       0
   total    1197     105       0       0
--------------------------------------------------
flowbits
                  defined: 20
              not checked: 11
                  not set: 3
--------------------------------------------------
service rule counts - tcp    to-srv  to-cli
                      dns:        1       0
                      ftp:        7       2
                 ftp-data:        0       8
                     http:      485      92
                     imap:        0       8
                      irc:        4       1
              netbios-ssn:       15       1
                     pop3:        0       8
                     smtp:       16       0
                      ssl:       14      31
                   telnet:        1       0
                    total:      543     151
--------------------------------------------------
service rule counts - udp    to-srv  to-cli
                      dns:       88       2
                     http:        4       0
                    total:       92       2
--------------------------------------------------
fast pattern port groups        src     dst     any
                   packet:       13      24       2
--------------------------------------------------
fast pattern service groups  to-srv  to-cli
                   packet:       10       6
                      key:        1       0
                   header:        1       4
                     body:        1       0
                     file:        2       4
--------------------------------------------------
search engine
                instances: 65
                 patterns: 2719
            pattern chars: 49786
               num states: 38972
         num match states: 2649
             memory scale: MB
             total memory: 1.04895
           pattern memory: 0.151139
        match list memory: 0.384735
        transition memory: 0.505138
Binder
Wizard
Normalizer config:
    ip4.base: on
      ip4.df: off
      ip4.rf: off
     ip4.tos: off
    ip4.trim: off
     ip4.ttl: on (min=1, new=5)
       icmp4: off
       icmp6: off
     tcp.ecn: off
   tcp.block: on
     tcp.rsv: on
     tcp.pad: on
 tcp.req_urg: on
 tcp.req_pay: on
 tcp.req_urp: on
     tcp.urp: on
     tcp.opt: on (allow )
     tcp.ips: off
tcp.trim_syn: off
tcp.trim_rst: off
tcp.trim_win: off
tcp.trim_mss: off
Stream ICMP config:
    Timeout: 30 seconds
Stream TCP Policy config:
    Reassembly Policy: bsd
    Timeout: 30 seconds
    Maximum number of bytes to queue per session: 1048576
    Maximum number of segs to queue per session: 2621
    Require 3-Way Handshake: NO
Stream user config:
    Timeout: 30 seconds
Stream UDP config:
    Timeout: 30 seconds
Stream IP config:
    Timeout: 30 seconds
Defrag engine config:
    engine-based policy: LINUX
    Fragment timeout: 30 seconds
    Fragment min_ttl:   1
    Max frags: 8192
    Max overlaps:     0
    Min fragment Length:     0
arpspoof configured
back_orifice
DNS
HttpInspect
Http2Inspect
DCE SMB config: 
    Defragmentation: ENABLED
    Max Fragment length: 65535
    Policy : WinXP
    Reassemble Threshold : 0
    SMB fingerprint policy : Disabled
    Maximum SMB command chaining: 3
    Maximum SMB compounded requests: 3
    SMB file inspection: Disabled
    SMB valid versions : all
SIP config: 
    Max number of dialogs in a session: 4 (Default) 
    Ignore media channel: DISABLED
    Max URI length: 256 (Default) 
    Max Call ID length: 256 (Default) 
    Max Request name length: 20 (Default) 
    Max From length: 256 (Default) 
    Max To length: 256 (Default) 
    Max Via length: 1024 (Default) 
    Max Contact length: 256 (Default) 
    Max Content length: 1024 (Default) 

    Methods:
          invite cancel ack bye register options
rpc_decode
SSH config: 
    Max Encrypted Packets: 25
    Max Server Version String Length: 80
    MaxClientBytes: 19600

DCE TCP config: 
    Defragmentation: ENABLED
    Max Fragment length: 65535
    Policy : WinXP
    Reassemble Threshold : 0
SMTP Config:
    Normalize: none
    Ignore Data: No
    Ignore TLS Data: No
    Max Command Line Length: Unlimited
    Max Specific Command Line Length: None
    Max Header Line Length: Unlimited
    Max Auth Command Line Length: 1000
    Max Response Line Length: Unlimited
    X-Link2State Enabled: Yes
    Drop on X-Link2State Alert: No
    Alert on commands: None
    Base64 Decoding: Enabled
    Base64 Decoding Depth: 1464
    Quoted-Printable Decoding: Enabled
    Quoted-Printable Decoding Depth: 1464
    Unix-to-Unix Decoding: Enabled
    Unix-to-Unix Decoding Depth: 1464
    Non-Encoded MIME attachment Extraction: Enabled
    Non-Encoded MIME attachment Extraction Depth: 1464
    Log Attachment filename: Enabled
    Log MAIL FROM Address: Not Enabled
    Log RCPT TO Addresses: Not Enabled
    Log Email Headers: Not Enabled
IMAP config: 
    Base64 Decoding: Enabled
    Base64 Decoding Depth: 1460
    Quoted-Printable Decoding: Enabled
    Quoted-Printable Decoding Depth: 1460
    Unix-to-Unix Decoding: Enabled
    Unix-to-Unix Decoding Depth: 1460
    Non-Encoded MIME attachment Extraction: Enabled
    Non-Encoded MIME attachment Extraction Depth: 1460

DCE UDP config: 
    Defragmentation: ENABLED
    Max Fragment length: 65535
    TELNET CONFIG:
      Are You There Threshold: -1
      Normalize: NO
    Check for Encrypted Traffic: OFF
      Continue to check encrypted data: NO
DNP3 config: 
    Check CRC: DISABLED
SSL config:

ftp_server:
    Check for Telnet Cmds: OFF
    Ignore Telnet Cmd Operations: OFF
    Ignore open data channels: NO
    Check for Encrypted Traffic: OFF
    Continue to check encrypted data: NO
POP config: 
    Base64 Decoding: Enabled
    Base64 Decoding Depth: 1460
    Quoted-Printable Decoding: Enabled
    Quoted-Printable Decoding Depth: 1460
    Unix-to-Unix Decoding: Enabled
    Unix-to-Unix Decoding Depth: 1460
    Non-Encoded MIME attachment Extraction: Enabled
    Non-Encoded MIME attachment Extraction Depth: 1460

AppId Configuration
    Detector Path:          (null)
    appStats Logging:       disabled
    appStats Period:        300 secs
    appStats Rollover Size: 20971520 bytes
[ 2509.558321] device br-lan entered promiscuous mode
    appStats Rollover time: 86400 secs

Portscan Detection Config:
    Detect Protocols:  TCP UDP ICMP IP
    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
    Memcap (in bytes): 1048576
    Number of Nodes:   6898
--------------------------------------------------
afpacket DAQ configured to passive.
initializing daemon mode
child process is 3621
Commencing packet processing
++ [0] eth0:br-lan
root@OpenWrt:/etc/snort# Version: 1
Header Length: 32
AFPacket Layout:
  Frame Size: 1584
  Frames:     42360
  Block Size: 32768 (Order 3)
  Blocks:     2118
Created a ring of type 5 with total size of 69402624
[ 2509.630323] device eth0 entered promiscuous mode
Version: 1
Header Length: 32
AFPacket Layout:
  Frame Size: 1584
  Frames:     42360
  Block Size: 32768 (Order 3)
  Blocks:     2118
Created a ring of type 5 with total size of 69402624

...

[ 2618.453677] device br-lan left promiscuous mode
[ 2618.521680] device eth0 left promiscuous mode
-- [0] eth0:br-lan
--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
                 received: 2549898
                 analyzed: 2549890
              outstanding: 8
                    allow: 2549890
                     idle: 1
                 rx_bytes: 2848172610
--------------------------------------------------
codec
                    total: 2549890      (100.000%)
                    other: 2549890      (100.000%)
                      eth: 2549890      (100.000%)
--------------------------------------------------
Module Statistics
--------------------------------------------------
detection
                 analyzed: 2549890
--------------------------------------------------
latency
            total_packets: 2549890
              total_usecs: 5441171
                max_usecs: 2643
--------------------------------------------------
Summary Statistics
--------------------------------------------------
process
                  signals: 1
--------------------------------------------------
timing
                  runtime: 00:01:49
                  seconds: 109.34465
                  packets: 2549898
                 pkts/sec: 23393
o")~   Snort exiting
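As an added example (not from Grommish's post, the Itus firmware, or the Snort project), here is a small Python script that turns the Packet Statistics / Summary Statistics block Snort 3 prints at exit into the numbers this thread is asking for: Mbit/s seen by the DAQ, packets per second, average and maximum per-packet latency, and the received/analyzed gap. The sample input embedded in the script is constructed from the passive run above; the inline (-Q) run can be compared the same way once its exit statistics are captured.

```python
import re
from dataclasses import dataclass

# Constructed sample: the "Packet Statistics" / "Summary Statistics" lines
# Snort 3 prints at exit, copied in shape from the passive run in the post.
SAMPLE_STATS = """\
--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
                 received: 2549898
                 analyzed: 2549890
              outstanding: 8
                    allow: 2549890
                     idle: 1
                 rx_bytes: 2848172610
--------------------------------------------------
latency
            total_packets: 2549890
              total_usecs: 5441171
                max_usecs: 2643
--------------------------------------------------
timing
                  runtime: 00:01:49
                  seconds: 109.34465
                  packets: 2549898
                 pkts/sec: 23393
"""

# "<key>: <number>" lines; keys like rx_bytes and pkts/sec need _ and /.
KV_RE = re.compile(r"^\s*([a-z_/]+):\s+([0-9.:]+)")


def parse_stats(text):
    """Return {section: {key: value}} from Snort 3 exit statistics.

    Section names are the unindented lines without a colon ("daq",
    "latency", "timing"); numeric values become floats, clock-style
    values such as runtime 00:01:49 stay strings.
    """
    sections = {}
    current = None
    for line in text.splitlines():
        if line.startswith("-"):          # separator rules
            continue
        if line and not line[0].isspace() and ":" not in line:
            current = line.strip()
            sections[current] = {}
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            key, raw = m.groups()
            sections[current][key] = raw if ":" in raw else float(raw)
    return sections


@dataclass
class RunSummary:
    mbit_per_sec: float        # bytes the DAQ handed to Snort, as link rate
    pkts_per_sec: float
    avg_packet_bytes: float    # ~1500 means bulk transfer, small means chatty
    avg_latency_usec: float    # Snort's own per-packet processing time
    max_latency_usec: float
    unanalyzed: int            # received - analyzed; >0 means it fell behind


def summarize(text):
    """Compute throughput and latency figures from one Snort 3 exit dump."""
    s = parse_stats(text)
    daq, lat, tim = s["daq"], s["latency"], s["timing"]
    seconds = tim["seconds"]
    rx_bytes = daq["rx_bytes"]
    return RunSummary(
        mbit_per_sec=rx_bytes * 8 / seconds / 1e6,
        pkts_per_sec=daq["received"] / seconds,
        avg_packet_bytes=rx_bytes / daq["received"],
        avg_latency_usec=lat["total_usecs"] / lat["total_packets"],
        max_latency_usec=lat["max_usecs"],
        unanalyzed=int(daq["received"] - daq["analyzed"]),
    )


if __name__ == "__main__":
    r = summarize(SAMPLE_STATS)
    print(f"throughput : {r.mbit_per_sec:8.1f} Mbit/s ({r.pkts_per_sec:,.0f} pkt/s)")
    print(f"avg packet : {r.avg_packet_bytes:8.0f} bytes")
    print(f"latency    : avg {r.avg_latency_usec:.2f} us, max {r.max_latency_usec:.0f} us")
    print(f"unanalyzed : {r.unanalyzed} packets")
```

For the passive run above this works out to roughly 208 Mbit/s of inspected traffic at about 1,117 bytes per packet, with Snort spending ~2.1 µs per packet on average and 2.6 ms at worst. The received/analyzed gap is a reasonable first check on whether the engine kept up, but packets the kernel drops from the afpacket ring before Snort reads them never appear in these counters, so compare against the interface counters when the speed test and this figure disagree.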
Re: What speeds are you getting while IDS / IPS is turned on

Grommish
Administrator
And, just like that, by turning it to Active rather than Passive, I picked up a bit of throughput.

root@OpenWrt:/etc/snort# snort -v -c /etc/snort/snort.lua -i eth0:br-lan --daq-dir /usr/lib/daq --daq afpacket --daq-var debug --daq-var fanout_type=hash --daq-var fanout_flag=defrag -A alert_full --tweaks talos -Q -D
--------------------------------------------------
o")~   Snort++ 3.0.0-247
--------------------------------------------------
Loading /etc/snort/snort.lua:
        ips
        dce_http_proxy
        wizard
        pop
        ftp_server
        ssl
        stream_icmp
        ftp_data
        dnp3
        alerts
        telnet
        latency
        profiler
        dce_udp
        alert_fast
        daq
        classifications
        imap
        references
        binder
        appid
        ftp_client
        smtp
        gtp_inspect
        port_scan
        dce_tcp
        back_orifice
        ssh
        rpc_decode
        normalizer
        stream_tcp
        modbus
        http2_inspect
        http_inspect
        arp_spoof
        stream_user
        stream_udp
        stream_ip
        stream_file
        stream
        dce_http_server
        dce_smb
        sip
        file_id
        dns
Finished /etc/snort/snort.lua.
Loading builtin:
Finished builtin.
Loading /etc/snort/snort3-community-rules/snort3-community.rules:
Finished /etc/snort/snort3-community-rules/snort3-community.rules.
--------------------------------------------------
rule counts
       total rules loaded: 1300
               text rules: 829
            builtin rules: 471
            option chains: 1300
            chain headers: 46
--------------------------------------------------
port rule counts
             tcp     udp    icmp      ip
     any     534       3       0       0
     src     124       3       0       0
     dst     539      98       0       0
    both       0       1       0       0
   total    1197     105       0       0
--------------------------------------------------
flowbits
                  defined: 20
              not checked: 11
                  not set: 3
--------------------------------------------------
service rule counts - tcp    to-srv  to-cli
                      dns:        1       0
                      ftp:        7       2
                 ftp-data:        0       8
                     http:      485      92
                     imap:        0       8
                      irc:        4       1
              netbios-ssn:       15       1
                     pop3:        0       8
                     smtp:       16       0
                      ssl:       14      31
                   telnet:        1       0
                    total:      543     151
--------------------------------------------------
service rule counts - udp    to-srv  to-cli
                      dns:       88       2
                     http:        4       0
                    total:       92       2
--------------------------------------------------
fast pattern port groups        src     dst     any
                   packet:       13      24       2
--------------------------------------------------
fast pattern service groups  to-srv  to-cli
                   packet:       10       6
                      key:        1       0
                   header:        1       4
                     body:        1       0
                     file:        2       4
--------------------------------------------------
search engine
                instances: 65
                 patterns: 2719
            pattern chars: 49786
               num states: 38972
         num match states: 2649
             memory scale: MB
             total memory: 1.04895
           pattern memory: 0.151139
        match list memory: 0.384735
        transition memory: 0.505138
Binder
Wizard
Normalizer config:
    ip4.base: on
      ip4.df: off
      ip4.rf: off
     ip4.tos: off
    ip4.trim: off
     ip4.ttl: on (min=1, new=5)
       icmp4: off
       icmp6: off
     tcp.ecn: off
   tcp.block: on
     tcp.rsv: on
     tcp.pad: on
 tcp.req_urg: on
 tcp.req_pay: on
 tcp.req_urp: on
     tcp.urp: on
     tcp.opt: on (allow )
     tcp.ips: on
tcp.trim_syn: off
tcp.trim_rst: off
tcp.trim_win: off
tcp.trim_mss: off
Stream ICMP config:
    Timeout: 30 seconds
Stream IP config:
    Timeout: 30 seconds
Defrag engine config:
    engine-based policy: LINUX
    Fragment timeout: 30 seconds
    Fragment min_ttl:   1
    Max frags: 8192
    Max overlaps:     0
    Min fragment Length:     0
Stream UDP config:
    Timeout: 30 seconds
Stream user config:
    Timeout: 30 seconds
Stream TCP Policy config:
    Reassembly Policy: bsd
    Timeout: 30 seconds
    Maximum number of bytes to queue per session: 1048576
    Maximum number of segs to queue per session: 2621
    Require 3-Way Handshake: NO
back_orifice
arpspoof configured
HttpInspect
DNS
POP config: 
    Base64 Decoding: Enabled
    Base64 Decoding Depth: 1460
    Quoted-Printable Decoding: Enabled
    Quoted-Printable Decoding Depth: 1460
    Unix-to-Unix Decoding: Enabled
    Unix-to-Unix Decoding Depth: 1460
    Non-Encoded MIME attachment Extraction: Enabled
    Non-Encoded MIME attachment Extraction Depth: 1460

SIP config: 
    Max number of dialogs in a session: 4 (Default) 
    Ignore media channel: DISABLED
    Max URI length: 256 (Default) 
    Max Call ID length: 256 (Default) 
    Max Request name length: 20 (Default) 
    Max From length: 256 (Default) 
    Max To length: 256 (Default) 
    Max Via length: 1024 (Default) 
    Max Contact length: 256 (Default) 
    Max Content length: 1024 (Default) 

    Methods:
          invite cancel ack bye register options
DCE SMB config: 
    Defragmentation: ENABLED
    Max Fragment length: 65535
    Policy : WinXP
    Reassemble Threshold : 0
    SMB fingerprint policy : Disabled
    Maximum SMB command chaining: 3
    Maximum SMB compounded requests: 3
    SMB file inspection: Disabled
    SMB valid versions : all
ftp_server:
    Check for Telnet Cmds: OFF
    Ignore Telnet Cmd Operations: OFF
    Ignore open data channels: NO
    Check for Encrypted Traffic: OFF
    Continue to check encrypted data: NO
SSL config:

DNP3 config: 
    Check CRC: DISABLED
    TELNET CONFIG:
      Are You There Threshold: -1
      Normalize: NO
    Check for Encrypted Traffic: OFF
      Continue to check encrypted data: NO
DCE UDP config: 
    Defragmentation: ENABLED
    Max Fragment length: 65535
SMTP Config:
    Normalize: none
    Ignore Data: No
    Ignore TLS Data: No
    Max Command Line Length: Unlimited
    Max Specific Command Line Length: None
    Max Header Line Length: Unlimited
    Max Auth Command Line Length: 1000
    Max Response Line Length: Unlimited
    X-Link2State Enabled: Yes
    Drop on X-Link2State Alert: No
    Alert on commands: None
    Base64 Decoding: Enabled
    Base64 Decoding Depth: 1464
    Quoted-Printable Decoding: Enabled
    Quoted-Printable Decoding Depth: 1464
    Unix-to-Unix Decoding: Enabled
    Unix-to-Unix Decoding Depth: 1464
    Non-Encoded MIME attachment Extraction: Enabled
    Non-Encoded MIME attachment Extraction Depth: 1464
    Log Attachment filename: Enabled
    Log MAIL FROM Address: Not Enabled
    Log RCPT TO Addresses: Not Enabled
    Log Email Headers: Not Enabled
Http2Inspect
IMAP config: 
    Base64 Decoding: Enabled
    Base64 Decoding Depth: 1460
    Quoted-Printable Decoding: Enabled
    Quoted-Printable Decoding Depth: 1460
    Unix-to-Unix Decoding: Enabled
    Unix-to-Unix Decoding Depth: 1460
    Non-Encoded MIME attachment Extraction: Enabled
    Non-Encoded MIME attachment Extraction Depth: 1460

rpc_decode
SSH config: 
    Max Encrypted Packets: 25
    Max Server Version String Length: 80
    MaxClientBytes: 19600

DCE TCP config: 
    Defragmentation: ENABLED
    Max Fragment length: 65535
    Policy : WinXP
    Reassemble Threshold : 0
AppId Configuration
    Detector Path:          (null)
[ 3181.127107] device br-lan entered promiscuous mode
    appStats Logging:       disabled
    appStats Period:        300 secs
    appStats Rollover Size: 20971520 bytes
    appStats Rollover time: 86400 secs

Portscan Detection Config:
    Detect Protocols:  TCP UDP ICMP IP
    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
    Memcap (in bytes): 1048576
    Number of Nodes:   6898
--------------------------------------------------
afpacket DAQ configured to inline.
initializing daemon mode
child process is 4051
Commencing packet processing
++ [0] eth0:br-lan
root@OpenWrt:/etc/snort# Version: 1
Header Length: 32
AFPacket Layout:
  Frame Size: 1584
  Frames:     21180
  Block Size: 32768 (Order 3)
  Blocks:     1059
Created a ring of type 5 with total size of 34701312
AFPacket Layout:
  Frame Size: 1584
  Frames:     21180
  Block Size: 32768 (Order 3)
  Blocks:     1059
[ 3181.211105] device eth0 entered promiscuous mode
Created a ring of type 13 with total size of 34701312
Version: 1
Header Length: 32
AFPacket Layout:
  Frame Size: 1584
  Frames:     21180
  Block Size: 32768 (Order 3)
  Blocks:     1059
Created a ring of type 5 with total size of 34701312
AFPacket Layout:
  Frame Size: 1584
  Frames:     21180
  Block Size: 32768 (Order 3)
  Blocks:     1059
Created a ring of type 13 with total size of 34701312