Suricata throttling bandwidth?

Got latest Nethserver running as a VM on an Ubuntu server using OpenNebula.
Acts as DNS/DHCP/Firewall/IPS/IDS/Proxy/router and was working fine with snort.
Some lower bandwidth has to be expected with that setup, but since the switch to suricata it has really turned sour.
I switched off the proxy function, went to connectivity and I only get around 250MBit/s.
Saw some really high spikes in CPU usage (never had them before), dropped in another CPU core (it was running with only one before) but that did not help either.
When I disable suricata completely I get around 8,5 GBit/s from host to client, enabling it and trying any of the settings gets me back to the 250MBit/s.
Really would not mind the 250s if I had Proxy/AV and suricata settings at security level, but for me the settings do not really seem to do anything.

Anybody got a hint?


From my experience:

  1. snort throttles much more than suricata
  2. suricata benefits from more cpus, snort can’t
  3. rules number (connectivity vs security) doesn’t make a big difference

So, your observations are quite different from mine.
The only thing that is always true is that IDS needs a lot of cpu power and it throttles bandwidth at a high bitrate.

I’m using suricata only on physical hardware, performances could be related to virtual hw (only a guess, as I said I do not have experience on virtual machines).

I wrote actual figures from my setup in this forum in the past, you could look at those for reference.
I’d like to support you on troubleshooting your setup out of curiosity, but could you please involve the suricata team, through their mailing list or irc channel?


can you give us some details about ram, cpu and disk type? both for guest and host
thank you

moreover… any detail on proxy? rules? filters?

Host is running on this
using Ubuntu 16.10 and has 16GB RAM and around 8 TB on two SATA-600 disks.
Using virtio net drivers for my VMs, 3 all in all including Nethserver, each with two cores and 2 GB RAM assigned at the moment.
Host is only for the VMs and NFS.
Proxy in Nethserver is deactivated (was my first thought causing the trouble) at the moment.
Firewall rules are the standard ones.

As for snort being CPU hungry…can not confirm that.
Had a Debian install on a two core AMD with 4 GB of RAM, 250GB SATA-300 disk, running snort in security and a transparent proxy with quite a lot of strict rules and clam. The thing was not even sweating.
And as mentioned, my Nethserver VM was running snort with just one core, security settings, had also a transparent proxy with AV, only a few rules and I did not notice any difference on my network.
As I said, I can understand that an IDS/IPS will throttle bandwidth, but throttling down to just about 2,5% is absolutely obscene :smiley: Could perfectly live with about 10%.
I am quite sure it has to do something with the settings and I could improve it manually, but I think of Nethserver is doing it via the web-interface.
Maybe a few more options would help for configuration?

My post here: documents how severely snort affected my system.


so, IIUC, you moved from a physical machine to a VM, and from 4GB of ram to 2GB…

well, it seems to me you are underestimating the thing… your server (the old one) had all resources dedicated to its tasks…

now you have a VM (which can not challenge with a real one) running on a host where other VMs are running (and so you forgot to consider I/O disk matter) and powered by an atom CPU… I hope that, at least, NS VM is using a dedicated network interface…

if you really want to make some kind of comparison that makes sense, give at least the same ram amount to NS, but IMVHO your hw is not made to run 3 VMs

BTW, how did you manage in getting 8TB of storage with 2 hds?

got a 5 TB and 4 TB drive, makes roughly 8TB usable…

as for the restraints of VM…yes sure, I lose a bit, but I can see that besides some spikes the CPUs are surely not the problem. And the RAM is also not an issue, not running into swap, still got 400 MB to spare.

so you’re using them in stripe… that’s E V I L (if you care about your data)

you’re not using (IIUC) a real hypervisor like ESX or proxmox, and virtual hw could be the culprit

I am not using them in stripe…just two drives side by side which give me after formatting roughly 8TB :smiley:

What do you mean with “real hypervisor”…
ESXi is a castrated Linux and buggy as hell.
And Proxmox is almost the same as Opennebula, except that it has this fancy graphical installation which forces some weird screen resolution one could not fully see on my DRAC.
Had them both installed, not the performance and reliability I needed.

It could be a problem with the virtio net driver, if Suricata uses some kind of own device driver that can not handle high bandwidth above 1GBit/s.

just tried all settings for reference (connectivity, balanced, advanced expert, off) Nethserver to host:
Server listening on TCP port 5001
TCP window size: 85.3 KByte (default)

[ 4] local port 5001 connected with port 52114
[ ID] Interval Transfer Bandwidth
[ 4] 0.0-10.1 sec 260 MBytes 216 Mbits/sec
[ 5] local port 5001 connected with port 52126
[ 5] 0.0-10.1 sec 213 MBytes 177 Mbits/sec
[ 4] local port 5001 connected with port 52138
[ 4] 0.0-10.1 sec 209 MBytes 174 Mbits/sec
[ 5] local port 5001 connected with port 52150
[ 5] 0.0-10.1 sec 8.00 GBytes 6.79 Gbits/sec
[ 4] local port 5001 connected with port 52162
[ 4] 0.0-10.0 sec 10.6 GBytes 9.13 Gbits/sec

never tried expert before, thought it would need expert fiddling with the config and would impact the bandwidth even more, but looks almost like it does nothing at all.
CPU utilization went to roughly 60%, RAM was still roughly 400MB free and no swap used.
No other VM running, only Neth

ok, took a look at your post. Interesting thing now would be what your bandwidth is with suricata.