My x86 router is based on Celeron G530.
I have been experimenting with my OpenVPN connection and samba. My school --> home speed can reliably sustain ~320 Mbps, tested with iperf and also just samba (shows sustained >35 MB/s throughput).
However, I realized that if I turn on either of the Intrusion Prevention/Detection, I can no longer sustain that high speed on samba. It first starts at >30 MB/s, then slowly drops to 10 MB/s and hovers around it. I checked the CPU usage with htop; when the speed is high my CPU usage goes up to 90%, and it can sustain it no problem when snort is stopped. When snort is running, the speed drops and CPU usage drops to around 30%.
Any idea what could be causing this? It sounds more like a snort-related issue.
Responses (2)
Accepted Answer
Nick Howitt wrote:
Snort is processor intensive. Firstly, if you're not using the IDS Updates which are subscription only, then the rules are old and won't do a huge amount. Secondly, it is only worth running the snort rules for services you have exposed to the internet so disable all the rule sets you don't need. If you are accessing your system by OpenVPN, then you don't need to leave ssh or webconfig open. You'll need very little open so you probably won't need snort. If you need ssh open, there are other things you can do to make it much more secure. Check the knowledgebase.
What services do you expose to the internet?
Thanks for the idea. In the end, I don't think I am too worried about attacks in general, for I have been running my stuff with SOHO routers for years. I do have some stuff that needs to be accessible from the internet (Jupyter server for Python). But you are right, if I have VPN anyway then I should probably just close all the ports I don't use (like SSH of my other servers).
Accepted Answer
Snort is processor intensive. Firstly, if you're not using the IDS Updates which are subscription only, then the rules are old and won't do a huge amount. Secondly, it is only worth running the snort rules for services you have exposed to the internet so disable all the rule sets you don't need. If you are accessing your system by OpenVPN, then you don't need to leave ssh or webconfig open. You'll need very little open so you probably won't need snort. If you need ssh open, there are other things you can do to make it much more secure. Check the knowledgebase.
What services do you expose to the internet?