
Re: Internet speed slower in bridge mode

Posted by Roadrunnere42 on Nov 21, 2016; 10:21am
URL: https://itus.accessinnov.com/Internet-speed-slower-in-bridge-mode-tp1123p1309.html

100 Mbps is not bad, so it's the rules slowing the Shield down; we need to see if the Shield (snort) is using both CPU cores when checking rules.

As for the rules that were commented out, these were as Itus had them set in the original sp1.51 release. Here is what user8446 said months ago in the forum about the rules.
Hope this helps.

Roadrunnere42


emerging-web_specific_apps.rules

These rules are only useful if you're hosting a web server and have ports on your firewall open. If not, it would be a real waste of time for your Shield to be firing on all these rules that will never make it through your firewall anyway.

Removing this entire set of rules will allow your shield to download the rules faster, boot / reset snort faster, and just run faster in general.

I agree that this rule set is a good one to exclude out-of-the-box. If somebody is running a web server, they would also probably have enough knowledge to enable this specific rule set and configure HTTP_SERVERS / HTTP_PORTS in snort.conf. For the general Shield user, they can forget about it.

--

emerging-scan.rules

As the name implies, this rule set focuses on scanning for open ports and corresponding applications. Again, if you don't run anything that is exposed to the web your firewall will be (should be) completely closed down - nothing is exposed / nothing is open. So, although it's kind of nice to see that your shield is logging all sorts of port scanning that's happening, I agree that there is no real benefit in knowing this (beyond that your shield is working) and it could be a drain on the shield's resources.

Again, I agree that this rule set is a good one to exclude. However, if you like to see this stuff to know that your shield is working (port scanning is happening ALL the time so you'll see it in your logs), then include it and see if it slows down your Shield in any way.

--

drop.rules

I haven't looked closely, but this seems to be just another set of rules based on bad IPs - sort of like a blacklist. The important thing to understand is how a particular blacklist is created and maintained. Without knowing this it's hard to say if the rules are useful or not.

--

emerging-trojan.rules

I noticed these rules were missing because of an IPS test I usually do against microsofi.org - a site set up specifically for testing your IPS. DNS and HTTP activity to microsofi.org triggers a trojan detection and is an easy way to check if your shield is running. By excluding this rule set the test obviously doesn't work.


It would be nice to hear from someone regarding why this rule set was commented out / isn't necessary.
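Since the thread turns on which Emerging Threats rule sets are commented out in snort.conf and how much load each one adds, here is an added helper script (not from the post or from Itus) that parses the `include $RULE_PATH/...` lines, reports which sets are enabled, and counts the active signatures each enabled file contributes. It assumes the standard `var RULE_PATH` / `include $RULE_PATH/<file>` syntax and one rule per line; the snort.conf and rule files below are constructed samples so it runs offline.

```python
import re
from typing import Dict, List, Tuple

# "#include" and "# include" both mean the rule set is disabled.
INCLUDE_RE = re.compile(r"^\s*(#\s*)?include\s+\$RULE_PATH/(\S+)\s*$")
# A rule only fires if its action keyword starts the line (not commented).
RULE_RE = re.compile(r"^\s*(alert|drop|reject|sdrop|log|pass)\s")


def parse_includes(conf_text: str) -> List[Tuple[str, bool]]:
    """Return (rule_file, enabled) pairs in snort.conf order."""
    out = []
    for line in conf_text.splitlines():
        m = INCLUDE_RE.match(line)
        if m:
            out.append((m.group(2), m.group(1) is None))
    return out


def count_rules(rule_text: str) -> int:
    """Count active signatures; commented-out rules never fire."""
    return sum(1 for ln in rule_text.splitlines() if RULE_RE.match(ln))


def report(conf_text: str, rule_files: Dict[str, str]) -> Dict[str, Tuple[bool, int]]:
    """Map each included file to (enabled, active rule count)."""
    result = {}
    for name, enabled in parse_includes(conf_text):
        n = count_rules(rule_files.get(name, "")) if enabled else 0
        result[name] = (enabled, n)
    return result


# Constructed sample snort.conf mirroring the rule sets discussed in the post.
SAMPLE_CONF = """\
var RULE_PATH /etc/snort/rules
portvar HTTP_PORTS [80,8080]
var HTTP_SERVERS $HOME_NET
include $RULE_PATH/emerging-trojan.rules
#include $RULE_PATH/emerging-web_specific_apps.rules
# include $RULE_PATH/emerging-scan.rules
include $RULE_PATH/drop.rules
"""

# Constructed sample rule files (sids in the local 9000000+ range).
SAMPLE_RULES = {
    "emerging-trojan.rules": (
        'alert dns $HOME_NET any -> any 53 (msg:"ET TROJAN sample lookup"; sid:9000001; rev:1;)\n'
        '# alert tcp $HOME_NET any -> any any (msg:"disabled rule"; sid:9000009; rev:1;)\n'
        'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN sample http"; sid:9000002; rev:1;)\n'
    ),
    "drop.rules": 'drop ip [192.0.2.1] any -> $HOME_NET any (msg:"ET DROP sample"; sid:9000003; rev:1;)\n',
}

if __name__ == "__main__":
    for name, (enabled, n) in report(SAMPLE_CONF, SAMPLE_RULES).items():
        print(f"{'on ' if enabled else 'off'}  {name:40s} {n} active rules")
```

Point it at the real /etc/snort/snort.conf and rules directory to see exactly which sets the Shield is loading and how many signatures each one costs before deciding what to re-enable.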