Re: What speeds are you getting while IDS / IPS is turned on
Posted by
Grommish on
Sep 12, 2020; 3:09am
URL: https://itus.accessinnov.com/What-speeds-are-you-getting-while-IDS-IPS-is-turned-on-tp2159p2161.html
Without Snort3

With Snort3

Below is the console output.
That being said, it's in no way optimized, and the rules are the straight community ruleset.
root@OpenWrt:/etc/snort# snort -v -c /etc/snort/snort.lua -i eth0:br-lan --daq-dir /usr/lib/daq --daq afpacket --daq-var debug --daq-var fanout_type=hash --daq-var fanout_flag=defrag -A alert_full -D
--------------------------------------------------
o")~ Snort++ 3.0.0-247
--------------------------------------------------
Loading /etc/snort/snort.lua:
ips
dce_http_proxy
wizard
pop
ftp_server
ssl
stream_icmp
ftp_data
dnp3
telnet
latency
dce_udp
imap
classifications
references
binder
appid
ftp_client
smtp
gtp_inspect
port_scan
back_orifice
dce_tcp
ssh
rpc_decode
stream_tcp
normalizer
modbus
http2_inspect
http_inspect
arp_spoof
stream_user
stream_udp
stream_ip
stream_file
stream
dce_http_server
dce_smb
sip
file_id
dns
Finished /etc/snort/snort.lua.
Loading builtin:
Finished builtin.
Loading /etc/snort/snort3-community-rules/snort3-community.rules:
Finished /etc/snort/snort3-community-rules/snort3-community.rules.
--------------------------------------------------
rule counts
total rules loaded: 1300
text rules: 829
builtin rules: 471
option chains: 1300
chain headers: 46
--------------------------------------------------
port rule counts
tcp udp icmp ip
any 534 3 0 0
src 124 3 0 0
dst 539 98 0 0
both 0 1 0 0
total 1197 105 0 0
--------------------------------------------------
flowbits
defined: 20
not checked: 11
not set: 3
--------------------------------------------------
service rule counts - tcp to-srv to-cli
dns: 1 0
ftp: 7 2
ftp-data: 0 8
http: 485 92
imap: 0 8
irc: 4 1
netbios-ssn: 15 1
pop3: 0 8
smtp: 16 0
ssl: 14 31
telnet: 1 0
total: 543 151
--------------------------------------------------
service rule counts - udp to-srv to-cli
dns: 88 2
http: 4 0
total: 92 2
--------------------------------------------------
fast pattern port groups src dst any
packet: 13 24 2
--------------------------------------------------
fast pattern service groups to-srv to-cli
packet: 10 6
key: 1 0
header: 1 4
body: 1 0
file: 2 4
--------------------------------------------------
search engine
instances: 65
patterns: 2719
pattern chars: 49786
num states: 38972
num match states: 2649
memory scale: MB
total memory: 1.04895
pattern memory: 0.151139
match list memory: 0.384735
transition memory: 0.505138
Binder
Wizard
Normalizer config:
ip4.base: on
ip4.df: off
ip4.rf: off
ip4.tos: off
ip4.trim: off
ip4.ttl: on (min=1, new=5)
icmp4: off
icmp6: off
tcp.ecn: off
tcp.block: on
tcp.rsv: on
tcp.pad: on
tcp.req_urg: on
tcp.req_pay: on
tcp.req_urp: on
tcp.urp: on
tcp.opt: on (allow )
tcp.ips: off
tcp.trim_syn: off
tcp.trim_rst: off
tcp.trim_win: off
tcp.trim_mss: off
Stream ICMP config:
Timeout: 30 seconds
Stream TCP Policy config:
Reassembly Policy: bsd
Timeout: 30 seconds
Maximum number of bytes to queue per session: 1048576
Maximum number of segs to queue per session: 2621
Require 3-Way Handshake: NO
Stream user config:
Timeout: 30 seconds
Stream UDP config:
Timeout: 30 seconds
Stream IP config:
Timeout: 30 seconds
Defrag engine config:
engine-based policy: LINUX
Fragment timeout: 30 seconds
Fragment min_ttl: 1
Max frags: 8192
Max overlaps: 0
Min fragment Length: 0
arpspoof configured
back_orifice
DNS
HttpInspect
Http2Inspect
DCE SMB config:
Defragmentation: ENABLED
Max Fragment length: 65535
Policy : WinXP
Reassemble Threshold : 0
SMB fingerprint policy : Disabled
Maximum SMB command chaining: 3
Maximum SMB compounded requests: 3
SMB file inspection: Disabled
SMB valid versions : all
SIP config:
Max number of dialogs in a session: 4 (Default)
Ignore media channel: DISABLED
Max URI length: 256 (Default)
Max Call ID length: 256 (Default)
Max Request name length: 20 (Default)
Max From length: 256 (Default)
Max To length: 256 (Default)
Max Via length: 1024 (Default)
Max Contact length: 256 (Default)
Max Content length: 1024 (Default)
Methods:
invite cancel ack bye register options
rpc_decode
SSH config:
Max Encrypted Packets: 25
Max Server Version String Length: 80
MaxClientBytes: 19600
DCE TCP config:
Defragmentation: ENABLED
Max Fragment length: 65535
Policy : WinXP
Reassemble Threshold : 0
SMTP Config:
Normalize: none
Ignore Data: No
Ignore TLS Data: No
Max Command Line Length: Unlimited
Max Specific Command Line Length: None
Max Header Line Length: Unlimited
Max Auth Command Line Length: 1000
Max Response Line Length: Unlimited
X-Link2State Enabled: Yes
Drop on X-Link2State Alert: No
Alert on commands: None
Base64 Decoding: Enabled
Base64 Decoding Depth: 1464
Quoted-Printable Decoding: Enabled
Quoted-Printable Decoding Depth: 1464
Unix-to-Unix Decoding: Enabled
Unix-to-Unix Decoding Depth: 1464
Non-Encoded MIME attachment Extraction: Enabled
Non-Encoded MIME attachment Extraction Depth: 1464
Log Attachment filename: Enabled
Log MAIL FROM Address: Not Enabled
Log RCPT TO Addresses: Not Enabled
Log Email Headers: Not Enabled
IMAP config:
Base64 Decoding: Enabled
Base64 Decoding Depth: 1460
Quoted-Printable Decoding: Enabled
Quoted-Printable Decoding Depth: 1460
Unix-to-Unix Decoding: Enabled
Unix-to-Unix Decoding Depth: 1460
Non-Encoded MIME attachment Extraction: Enabled
Non-Encoded MIME attachment Extraction Depth: 1460
DCE UDP config:
Defragmentation: ENABLED
Max Fragment length: 65535
TELNET CONFIG:
Are You There Threshold: -1
Normalize: NO
Check for Encrypted Traffic: OFF
Continue to check encrypted data: NO
DNP3 config:
Check CRC: DISABLED
SSL config:
ftp_server:
Check for Telnet Cmds: OFF
Ignore Telnet Cmd Operations: OFF
Ignore open data channels: NO
Check for Encrypted Traffic: OFF
Continue to check encrypted data: NO
POP config:
Base64 Decoding: Enabled
Base64 Decoding Depth: 1460
Quoted-Printable Decoding: Enabled
Quoted-Printable Decoding Depth: 1460
Unix-to-Unix Decoding: Enabled
Unix-to-Unix Decoding Depth: 1460
Non-Encoded MIME attachment Extraction: Enabled
Non-Encoded MIME attachment Extraction Depth: 1460
AppId Configuration
Detector Path: (null)
appStats Logging: disabled
appStats Period: 300 secs
appStats Rollover Size: 20971520 bytes
appStats Rollover time: 86400 secs
[ 2509.558321] device br-lan entered promiscuous mode
Portscan Detection Config:
Detect Protocols: TCP UDP ICMP IP
Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
Memcap (in bytes): 1048576
Number of Nodes: 6898
--------------------------------------------------
afpacket DAQ configured to passive.
initializing daemon mode
child process is 3621
Commencing packet processing
++ [0] eth0:br-lan
root@OpenWrt:/etc/snort#
Version: 1
Header Length: 32
AFPacket Layout:
Frame Size: 1584
Frames: 42360
Block Size: 32768 (Order 3)
Blocks: 2118
Created a ring of type 5 with total size of 69402624
[ 2509.630323] device eth0 entered promiscuous mode
Version: 1
Header Length: 32
AFPacket Layout:
Frame Size: 1584
Frames: 42360
Block Size: 32768 (Order 3)
Blocks: 2118
Created a ring of type 5 with total size of 69402624
...
[ 2618.453677] device br-lan left promiscuous mode
[ 2618.521680] device eth0 left promiscuous mode
-- [0] eth0:br-lan
--------------------------------------------------
Packet Statistics
--------------------------------------------------
daq
received: 2549898
analyzed: 2549890
outstanding: 8
allow: 2549890
idle: 1
rx_bytes: 2848172610
--------------------------------------------------
codec
total: 2549890 (100.000%)
other: 2549890 (100.000%)
eth: 2549890 (100.000%)
--------------------------------------------------
Module Statistics
--------------------------------------------------
detection
analyzed: 2549890
--------------------------------------------------
latency
total_packets: 2549890
total_usecs: 5441171
max_usecs: 2643
--------------------------------------------------
Summary Statistics
--------------------------------------------------
process
signals: 1
--------------------------------------------------
timing
runtime: 00:01:49
seconds: 109.34465
packets: 2549898
pkts/sec: 23393
o")~ Snort exiting
Running Itus Shield v2 Firmware
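As an added example (not part of the post or of Snort itself), here is a small Python parser for the Packet, Module and Summary statistics blocks at the end of the dump. It turns the counters into the figures the thread is actually asking about: wire throughput in Mbit/s, packets per second, average packet size, and average versus maximum per-packet detection latency. The sample text is constructed from the counters above.

```python
import re
# Constructed sample: the tail of the Snort 3 console session above, trimmed to the counters used here.
SAMPLE = """\
daq
                  received: 2549898
                  analyzed: 2549890
                  rx_bytes: 2848172610
--------------------------------------------------
latency
             total_packets: 2549890
               total_usecs: 5441171
                 max_usecs: 2643
--------------------------------------------------
timing
                   runtime: 00:01:49
                   seconds: 109.34465
                   packets: 2549898
                  pkts/sec: 23393
"""
KV = re.compile(r"^\s*([\w./-]+):\s*(\S+)")
def parse_summary(text):
    """Group 'key: value' lines under the bare section name (daq, latency, timing) above them."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("-"):
            continue
        m = KV.match(line)
        if m is None:                       # a bare word opens a new section
            current = line.strip()
            sections[current] = {}
            continue
        key, val = m.groups()
        try:
            sections[current][key] = float(val)
        except ValueError:                  # non-numeric, e.g. runtime 00:01:49
            sections[current][key] = val
    return sections

def throughput(sections):
    daq, lat, tim = sections["daq"], sections["latency"], sections["timing"]
    secs = tim["seconds"]
    return {
        "mbit_per_s": daq["rx_bytes"] * 8 / secs / 1e6,          # wire rate the DAQ actually saw
        "pkts_per_s": tim["packets"] / secs,
        "pkts_per_s_whole_secs": int(tim["packets"] // int(secs)),  # reproduces Snort's printed figure
        "avg_pkt_bytes": daq["rx_bytes"] / tim["packets"],
        "avg_latency_us": lat["total_usecs"] / lat["total_packets"],
        "max_latency_us": lat["max_usecs"],
        "not_analyzed": daq["received"] - daq["analyzed"],       # outstanding at shutdown
    }
```

For this run the counters work out to roughly 208 Mbit/s of LAN traffic inspected at about 2.1 µs per packet on average, with a 2.6 ms worst case; the printed pkts/sec of 23393 is what you get by dividing by whole seconds (109) rather than by 109.34465.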