Suricata with NFQUEUE as IPS - Slow network

ben · June 15, 2021, 8:39am

Hi everyone,

I have an inline IPS installation of suricata v4.1.10 on Centos 7 with NFQUEUE on a virtual Cloud environment.

The installation work fine but my network bandwith is divided by around 3 when activating inline IPS.

Is that normal ? I don’t expect to have full bandwith capacity with IPS but this is a huge difference (from 300 MBps to less than 100 MBps) ? I tried the tuning instructions provided by documentation but it did not helped.

Have you an idea of specific tuning to increase bandwith ?

Thanks for your help,

Ben

filippocarletti · June 15, 2021, 2:49pm

Pretty much the same figures here, on real hardware, same OS and Suricata version.
Minor improvements using NFQUEUE cpu-fanout on multicore hw, but beware of this bug.
You could also try Suricata v6 (@ish used to build rpms for CentOS 7).

ben · June 16, 2021, 7:32am

Thanks for the answer.

I will check these improvements but I think I have find one of the big reason of the slow down, it seems to be in the rules definition.

Ben

Topic		Replies	Views
Connections dropping out Help	5	1058	October 22, 2020
Af-packet vs nfqueue in IPS mode Help	1	426	May 16, 2023
IPS nfqueue with nftables ingress hook Help ips	3	1062	November 6, 2022
Architecture help Help ips , community , centos	2	1094	November 29, 2020
AF_Packet upload performance problems when running in IPS mode and using a linux bridge interface Help	3	947	March 11, 2021

Suricata with NFQUEUE as IPS - Slow network

Related Topics