
Intrusion Prevention: Malware Attack Patterns: "add extra warnings" results in download speed being cut in half

With the "add extra warning" enabled in the malware section of intrusion detection, my internet download speed drops from 120 Mbps to 60 Mbps. This is the only setting that results in any speed hit.

My system consists of:

AMD A6 7400k CPU (2% in use)
8 GB of DDR3 RAM (44% used)
120 GB SSD (7% used)

I don't see any reason why enabling extra warning would result in such a massive download speed drop, so I have extra warning disabled and the download speed is back up to 120 Mbps. Does anyone else notice a major speed decrease when any of the extra warnings are enabled?

Sophos UTM 9.506-2

Subscriptions:

Base Functionality
Email Protection
Network Protection
Web Protection
Webserver Protection
Wireless Protection
Endpoint AntiVirus



This thread was automatically locked due to age.
  • It's the nature of the beast, Alan.  Snort is single-threaded, so your speed test only uses a single core.  According to one of the hardware gurus that was here for several years, the AMD processors don't do as well with Snort as Intel CPUs.  Snort is also the most resource-intensive thing on the UTM - multiplying the number of patterns it has to run on each packet is guaranteed to crush performance.  You should only use extra warnings occasionally and then just those related to a problem you suspect.

    cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thank you for replying, Balfson. I've read that the upcoming Snort 3.0 will be multithreaded. It would be nice if Sophos included it in a future version of UTM or even XG. I guess there's no chance of them ever using Suricata. [:D]