Suricata 7.0.7 af-packet IPS mode slow down internet web browsing

Hi,

I am running Suricata 7.0.7 on the open-source firewall IPFire in af-packet IPS mode. When a client on IPFire's green network browses the Internet, it takes at least a minute to load a web page or start a YouTube video. If I replace Suricata 7.0.7 with Suricata 6.0.20 and run it with the same suricata.yaml, the problem does not occur. I am wondering whether some setting in this configuration is what slows Internet browsing under 7.0.7. Here is the configuration:

[root@fedora BPFire]# cat /tmp/suricata.yaml 
%YAML 1.1
---


# Address and port variables referenced by the rules ($HOME_NET, $HTTP_PORTS,
# ...). HOME_NET, the DNS server list and HTTP_PORTS are pulled in from
# IPFire-maintained files via `include:`. Suricata's loader processes each
# include where it appears, so the repeated `include:` key is intentional here
# even though a strict YAML parser would report it as a duplicate key.
vars:
  address-groups:
    include: /var/ipfire/suricata/suricata-homenet.yaml

    include: /var/ipfire/suricata/suricata-dns-servers.yaml

    # NOTE(review): "any" also matches addresses inside $HOME_NET, so rules
    # written as $EXTERNAL_NET -> $HOME_NET are not limited to traffic coming
    # from outside. Suricata's shipped suricata.yaml uses "!$HOME_NET" for the
    # narrower meaning; keep "any" only if the broader matching is wanted.
    EXTERNAL_NET: "any"

    # Server/client groups used by protocol-specific rules; everything but
    # AIM is assumed to live on the home network.
    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    AIM_SERVERS: "$EXTERNAL_NET"
    DC_SERVERS: "$HOME_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"

  port-groups:
    include: /var/ipfire/suricata/suricata-http-ports.yaml

    SHELLCODE_PORTS: "!80"                  # everything except plain HTTP
    ORACLE_PORTS: 1521
    SSH_PORTS: "[22,222]"                   # 222 is presumably the firewall's own SSH port
    DNP3_PORTS: 20000
    MODBUS_PORTS: 502
    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"  # HTTP plus POP3/IMAP for file_data rules
    FTP_PORTS: 21

# Rule set. The list of enabled rule files is included from an
# IPFire-maintained file; relative file names in it are resolved against
# default-rule-path.
default-rule-path: /var/lib/suricata
rule-files:
    include: /var/ipfire/suricata/suricata-used-rulesfiles.yaml

# Classification, reference and threshold files as shipped by the Suricata
# package. NOTE(review): threshold.config is the stock file, so any local
# suppress/threshold entries have to be maintained there (or in a file
# included from it) and survive package upgrades.
classification-file: /usr/share/suricata/classification.config
reference-config-file: /usr/share/suricata/reference.config
threshold-file: /usr/share/suricata/threshold.config

# Base directory for all relative output file names below.
default-log-dir: /var/log/suricata/

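# Engine counters. Enabled (the Suricata default) so that capture drops,
# memcap hits, checksum failures and bypass activity are visible; with them
# off there is no way to tell whether a slowdown is caused by the ring,
# by a memcap being hit or by flows being bypassed/dropped.
stats:
  enabled: yes
  interval: 8

  decoder-events-prefix: "decoder.event"

# Log outputs. fast.log carries one line per alert without flow/packet
# metadata; stats.log carries the counters above. eve.json stays off to
# limit disk usage on the firewall -- enable it when structured alert, flow
# or protocol records are needed (SIEM forwarding, incident review).
outputs:
  - fast:
      enabled: yes
      filename: fast.log
      append: yes

  # Periodic dump of the engine counters, every `stats.interval` seconds.
  # When throughput problems are reported, look first at counters such as
  # capture.kernel_drops, flow.memcap and tcp.invalid_checksum.
  - stats:
      enabled: yes
      filename: stats.log
      append: no        # overwrite at start-up rather than append
      totals: yes       # stats for all threads merged together
      threads: no       # per thread stats

  - eve-log:
      enabled: no
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: eve.json


      pcap-file: false


      community-id: false
      community-id-seed: 0

      # X-Forwarded-For handling for alerts behind a reverse proxy; off here.
      xff:
        enabled: no
        mode: extra-data
        deployment: reverse
        header: X-Forwarded-For

      types:
        - alert:

            tagged-packets: yes
        - anomaly:
            enabled: yes
            types:
        - http:
            extended: yes     # enable this for extended logging information
        - dns:





        - tls:
            extended: yes     # enable this for extended logging information
        - files:
            force-magic: no   # force logging magic on all logged files
        - smtp:

        - ftp
        - rdp
        - nfs
        - smb
        - tftp
        - ikev2
        - dcerpc
        - krb5
        - snmp
        - rfb
        - sip
        - dhcp:
            enabled: yes
            extended: no
        - ssh
        - mqtt:
        - stats:
            totals: yes       # stats for all threads merged together
            threads: no       # per thread stats
            deltas: no        # include delta values
        - flow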


# Engine log (not alerts). Everything at Info and above goes to syslog
# facility local5; the console and file loggers are switched off, so
# start-up warnings about unknown or deprecated keys only appear in syslog.
# Check there first after a 6.x -> 7.x upgrade.
logging:
  default-log-level: Info

  default-output-filter:

  outputs:
  - console:
      enabled: no
  - file:
      enabled: no
      level: info
      filename: /var/log/suricata/suricata.log
  - syslog:
      enabled: yes
      facility: local5
      format: ""


# Capture: an AF_PACKET inline pair. A frame accepted on red0 is copied to
# green0 (and vice versa) after inspection, so Suricata sits at layer 2
# between the WAN and LAN interfaces and a "drop" verdict simply means the
# frame is not copied across.
# NOTE(review): copy-mode ips is documented for transparent bridge pairs; on
# a gateway whose kernel also routes/NATs between red0 and green0, confirm
# that the kernel path and this copy path are not both forwarding the same
# traffic.
af-packet:
  - interface: red0 
    threads: auto                 # one capture/worker thread per CPU
    cluster-id: 99                # fanout group id; must differ from green0's
    cluster-type: cluster_flow    # all packets of a flow go to the same worker
    defrag: yes                   # kernel reassembles fragments before fanout hashing
    copy-mode: ips                # honour drop verdicts ("tap" would copy everything)
    copy-iface: green0 
    # "soft" = generic (skb-based) XDP; "driver" needs NIC driver support.
    xdp-mode: soft 
    # XDP program and pinned flow map used for flow bypass. Bypassed flows
    # (TLS sessions after the handshake, streams past stream.reassembly.depth)
    # are handled inside XDP and never reach Suricata again.
    # NOTE(review): in IPS mode the XDP program itself has to forward
    # bypassed flows to the peer interface; confirm /usr/lib/bpf/xdp_filter.bpf
    # was built for that case, otherwise bypassed flows stop being copied
    # across and stall instead of speeding up.
    pinned-maps: true
    pinned-maps-name: flow_table_v4
    xdp-filter-file:  /usr/lib/bpf/xdp_filter.bpf
    bypass: yes
    use-mmap: yes                 # NOTE(review): mmap is unconditional in 7.x; likely a no-op
    ring-size: 200000             # frames in the per-thread ring
    buffer-size: 64535            # kernel socket receive buffer, bytes

  # Mirror of the red0 entry for the LAN side; same XDP program and map,
  # opposite copy direction.
  - interface: green0 
    threads: auto
    cluster-id: 100               # must differ from red0's cluster-id
    cluster-type: cluster_flow
    defrag: yes
    copy-mode: ips
    copy-iface: red0 
    xdp-mode: soft 
    pinned-maps: true
    pinned-maps-name: flow_table_v4
    xdp-filter-file:  /usr/lib/bpf/xdp_filter.bpf
    bypass: yes
    use-mmap: yes
    ring-size: 200000
    buffer-size: 64535


# Application-layer parsers. A parser that is enabled feeds its rule keywords
# and eve loggers; detection-ports lists the ports on which its probing
# parser is tried first (pattern-based protocol detection still runs on other
# ports).
app-layer:
  protocols:
    rfb:
      enabled: yes
      detection-ports:
        dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909
    mqtt:
      enabled: yes
    krb5:
      enabled: yes
    snmp:
      enabled: yes
    ikev2:
      enabled: yes
    tls:
      enabled: yes
      detection-ports:
        dp: "[443,444,465,853,993,995]"

      # auto = compute JA3 only when a rule or logger asks for it.
      ja3-fingerprints: auto

      # After the handshake the flow is marked for bypass: no further
      # inspection, and with af-packet bypass enabled it leaves Suricata
      # entirely. Nothing inside the encrypted stream could be inspected
      # anyway; "full" is the alternative if post-handshake stream events
      # (e.g. for file/size based rules) are needed.
      encryption-handling: bypass
    dcerpc:
      enabled: yes
    ftp:
      enabled: yes
    rdp:
      enabled: yes
    ssh:
      enabled: yes
    # HTTP/2 parsing off; only plaintext h2c could be parsed here since TLS
    # is never decrypted.
    http2:
      enabled: no
    smtp:
      enabled: yes
      mime:
        decode-mime: yes

        decode-base64: yes
        decode-quoted-printable: yes

        header-value-depth: 2000

        extract-urls: yes
        body-md5: no
      # Inspect bodies in 4 KiB windows once 32 KiB has been buffered,
      # up to 100 KB per body.
      inspected-tracker:
        content-limit: 100000
        content-inspect-min-size: 32768
        content-inspect-window: 4096
    imap:
      enabled: yes
    # NOTE(review): "msn" is not listed in the suricata.yaml shipped with 7.0;
    # this key is presumably ignored -- check the start-up log for a warning.
    msn:
      enabled: yes
    smb:
      enabled: yes
      detection-ports:
        dp: 139, 445
    nfs:
      enabled: yes
    tftp:
      enabled: yes
    dns:
      # NOTE(review): global-memcap/state-memcap belonged to the older DNS
      # parser and are absent from 7.0's shipped config; confirm they are
      # still honoured rather than silently ignored.
      global-memcap: 32mb
      state-memcap: 512kb


      tcp:
        enabled: yes
        detection-ports:
          dp: 53
      udp:
        enabled: yes
        detection-ports:
          dp: 53
    http:
      enabled: yes
      memcap: 256mb

      libhtp:
         default-config:
           personality: IDS

           # 0 = no limit: entire request/response bodies are buffered
           # (bounded only by the http memcap above).
           request-body-limit: 0
           response-body-limit: 0

           # Nested compression layers that will be decompressed.
           response-body-decompress-layer-limit: 2

           # auto = inspect bodies as they stream in when running inline.
           http-body-inline: auto

           # Randomized body inspection sizes make it harder to align
           # malicious content with fixed inspection boundaries.
           randomize-inspection-sizes: yes
           randomize-inspection-range: 10

           double-decode-path: no
           double-decode-query: no

    modbus:

      enabled: no
      detection-ports:
        dp: 502

      stream-depth: 0

    dnp3:
      enabled: no
      detection-ports:
        dp: 20000

    enip:
      enabled: no
      detection-ports:
        dp: 44818
        sp: 44818

    ntp:
      enabled: yes
    dhcp:
      enabled: yes
    sip:
      enabled: yes

# Upper bound on ASN.1 frames decoded per buffer by the asn1 keyword.
asn1-max-frames: 256






# NOTE(review): a core dump of the IPS contains packet payloads and
# reassembled streams of the flows it was tracking (credentials, mail
# bodies, ...). Keep the dump location root-only and consider lowering
# this on a production firewall unless cores are actively being collected.
coredump:
  max-dump: unlimited

# auto = "router" in IPS mode, "sniffer-only" in IDS mode.
host-mode: auto

# Packets the engine may hold in processing at the same time.
max-pending-packets: 1024

# Each capture thread decodes, detects and logs itself; the recommended
# runmode for af-packet.
runmode: workers


# Preallocated packet size. NOTE(review): with vlan tracking enabled below,
# tagged frames carry 4 extra bytes -- confirm 1514 matches red0's MTU.
default-packet-size: 1514

# No suricatasc socket: iface-stat, dump-counters and reload-rules are
# unavailable; rule reloads have to be triggered with SIGUSR2 instead.
unix-command:
  enabled: no

magic-file: /usr/share/misc/magic.mgc

# Still accept the deprecated "uricontent" keyword in rules.
legacy:
  uricontent: enabled



# Only used when Suricata is started with --engine-analysis; no effect on a
# normal run.
engine-analysis:
  rules-fast-pattern: yes
  rules: yes

# PCRE backtracking limits. A pcre rule that exceeds them is evaluated as a
# non-match, so a pathological regex cannot stall a worker thread.
pcre:
  match-limit: 3500
  match-limit-recursion: 1500


# TCP reassembly policy emulated per destination host (how overlapping and
# retransmitted segments are resolved). Every IPv4 address is treated as
# Windows here.
# NOTE(review): only 0.0.0.0/0 is listed, so IPv6 destinations fall back to
# the engine default, and Linux/macOS hosts on the green network get Windows
# overlap semantics -- relevant for overlap-based evasion of detection.
host-os-policy:
  windows: [0.0.0.0/0]
  bsd: []
  bsd-right: []
  old-linux: []
  linux: []
  old-solaris: []
  solaris: []
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []


# Suricata's own IP defragmentation (in addition to the kernel defrag
# requested in af-packet). Trackers and fragment slots are preallocated so
# memory use is bounded under a fragment flood; fragments are held for at
# most 60 seconds.
defrag:
  memcap: 64mb
  hash-size: 65536
  trackers: 65535 # number of defragmented flows to follow
  max-frags: 65535 # number of fragments to keep (higher than trackers)
  prealloc: yes
  timeout: 60


# Flow table. Once memcap is reached the engine enters emergency mode (the
# emergency-* timeouts below apply) and leaves it again after
# emergency-recovery percent of the flows have been freed.
# NOTE(review): 7.0 introduced exception-policy (not set here, so "auto");
# per the 7.0 docs "auto" drops rather than ignores in IPS mode when memcaps
# such as this one are exhausted -- a behaviour change from 6.0. Watch the
# flow.memcap counter when connections stall; confirm against the 7.0
# exception-policy documentation.
flow:
  memcap: 256mb
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30
  managers: 1        # flow manager thread(s): timeouts
  recyclers: 1       # flow recycler thread(s): final logging and free

# Make the VLAN id part of the flow key so the same 5-tuple on different
# VLANs is tracked as separate flows.
vlan:
  use-for-tracking: true


# Flow eviction timeouts: seconds of inactivity before a flow in the given
# state is removed. The emergency-* values replace the normal ones while the
# flow engine is in emergency mode (flow.memcap reached) so the table drains
# faster. "bypassed" applies to flows handed to the bypass path, i.e. how
# long they are retained while Suricata itself no longer sees their packets.
flow-timeouts:

  default:
    new: 30
    established: 300
    closed: 0
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
    emergency-bypassed: 50
  # TCP keeps closed flows around for 60s so late segments are matched.
  tcp:
    new: 60
    established: 600
    closed: 60
    bypassed: 100
    emergency-new: 5
    emergency-established: 100
    emergency-closed: 10
    emergency-bypassed: 50
  udp:
    new: 30
    established: 300
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-bypassed: 50
  icmp:
    new: 30
    established: 300
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-bypassed: 50

# TCP stream engine. inline: auto selects inline mode here (IPS), so
# detection runs on data before it is acknowledged and a drop verdict stops
# the segment from being copied to the peer interface.
stream:
  memcap: 256mb
  prealloc-sessions: 4096
  # Packets with a bad L4 checksum are not stream-tracked.
  # NOTE(review): this relies on the kernel flagging checksum-offloaded
  # frames as "not ready" (af-packet's default checksum-checks: kernel).
  # Watch tcp.invalid_checksum in the stats if the firewall's own traffic
  # appears to escape inspection.
  checksum-validation: yes      # reject wrong csums
  # Sessions whose SYN was never seen are not picked up; with the "ignore"
  # policy their packets pass without stream or app-layer inspection.
  # NOTE(review): every Suricata restart therefore leaves all connections
  # that were open at that moment uninspected until they end. midstream:
  # true is the alternative if that window matters more than pickup
  # accuracy.
  midstream: false
  midstream-policy: ignore
  inline: auto                  # auto will use inline mode in IPS mode, yes or no set it statically
  # Once reassembly.depth has been reassembled the flow is bypassed; with
  # af-packet bypass enabled it leaves Suricata entirely, so a large
  # transfer is only inspected for its first megabyte.
  bypass: yes                   # Bypass packets when stream.reassembly.depth is reached.
  reassembly:
    memcap: 256mb
    depth: 1mb                  # reassemble 1mb into a stream
    # Chunk sizes are randomized so data cannot be aligned with fixed
    # inspection boundaries.
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes
    raw: yes                    # also inspect the raw stream (content without an app-layer parser)
    segment-prealloc: 2048
    check-overlap-different-data: true   # flag overlapping segments that carry different data

# Host table (used by iprep and host-scoped xbits); its memcap is separate
# from the flow table's.
host:
  hash-size: 4096
  prealloc: 1000
  memcap: 32mb



# Teredo (IPv6-in-UDP) tunnel decoding is off, so the inner IPv6 packets of
# such tunnels are not decoded or inspected -- they are seen as UDP payload.
decoder:
  teredo:
    enabled: false



# Detection engine. The custom profile with 200 groups per direction uses
# more memory than the defaults in exchange for smaller per-group signature
# sets; sgh-mpm-context auto picks shared or per-group MPM contexts based on
# the matcher in use.
detect:
  profile: custom
  custom-values:
    toclient-groups: 200
    toserver-groups: 200
  sgh-mpm-context: auto
  inspection-recursion-limit: 3000   # bound on per-signature content/pcre recursion

  # Start capturing before the ruleset has finished loading.
  # NOTE(review): per Suricata's documentation, packets are passed without
  # detection until the rules are loaded, so in IPS mode every (re)start
  # opens an uninspected window as long as the rule-load time. Set to no if
  # that gap is not acceptable.
  delayed-detect: yes

  prefilter:
    default: mpm                       # multi-pattern matcher is the default prefilter

  grouping:

  # Detection-grouping profiling is off (only useful when tuning groups).
  profiling:
    grouping:
      dump-to-disk: false
      include-rules: false      # very verbose
      include-mpm-stats: false


# Multi-pattern and single-pattern matcher; auto selects hyperscan when
# Suricata was built with it, otherwise the built-in algorithms.
mpm-algo: auto


spm-algo: auto

# Thread placement. set-cpu-affinity is off, so the cpu-affinity lists below
# are kept only as a template and are not applied; the number of worker
# threads comes from af-packet's threads: auto. detect-thread-ratio only
# matters in the autofp runmode, not in the workers runmode used here.
threading:
  set-cpu-affinity: no
  cpu-affinity:
    - management-cpu-set:
        cpu: [ 0 ]  # include only these cpus in affinity settings
    - receive-cpu-set:
        cpu: [ 0 ]  # include only these cpus in affinity settings
    - worker-cpu-set:
        cpu: [ "all" ]
        mode: "exclusive"
        prio:
          low: [ 0 ]
          medium: [ "1-2" ]
          high: [ 3 ]
          default: "medium"
    - verdict-cpu-set:
        cpu: [ 0 ]
        prio:
          default: "high"
  detect-thread-ratio: 1.0