
Intrusion Prevention (IPS) high cpu usage - Snort

Hello,

In our company we have about 60-80 users. Each department has its own VLAN running over one port.

XGS2100 (SFOS 19.0.1 MR-1-Build365)

Over the year I was setting up the Sophos XG and adding all firewall rules, like all departments are in one zone and have an "any" rule to our servers with the specific ports needed (each server has its own rule). I think I am at about 80-85 rules now for everything. (Yes, I am using zones to group the departments at least.)

Now most of them have IPS and the other stuff activated (AV/WEB/APP/IPS/LOG), but even after using the predefined IPS rules (LAN to WAN and LAN to DMZ) in the hope of reducing some stress, the CPU usage is still high.

I read that some do not use all this for LAN to DMZ? Is that good? My thinking is, if a user gets infected, like over mail, and then an Exchange vulnerability is used, I at least have my Sophos with IPS and zero day, right?

Usually at break times, but sometimes also between them, you can always see a high CPU usage in the Diagnostics graph. The whole network then gets sloppy and sometimes disconnects applications; that's hell for running Teams meetings and remote sessions.

Under the command "top" I can see multiple processes with snort, which have 99% CPU usage, and I see all CPUs at 100 most of the time.

All patterns should be up to date (interval set to high). The IPS setting "max packets 8" is still there.

Now my questions:

Is our Sophos too small? Frankly speaking, this got worse some months ago, maybe at the start of September, but maybe when we got the upgrade from version 18.xx to 19.xx.

Can I optimize the IPS profiles?

My problem: no matter where I look, I can't find good documentation on what all the categories mean (like misc, scan). Sure, I can click OS-Windows, or server and client.

Are "clients" only Win 10? Or does that mean the direction in which the attack is happening?

If I look at the LAN to WAN IPS template, first you see many entries like OS-Windows, then browser, then Windows clients and then all clients?? What does "all clients" mean? Why are there entries before for Windows/Linux if I have an entry for all clients? Is there a difference, or is it for the purpose that I use it as a template and delete what I don't need?

My biggest problem right now is that I am missing the tools to investigate further. The reporting would be useful if you could specify a time, but no, you can only ever do days.



  • Snort is not IPS. Snort is the entire DPI engine. Therefore, if the packet is flowing over the FastPath, it is also Snort.

    The problem right now is: XGS is a dual-processor appliance. So the view of atop/top might not be the truth; it might be only the x86 CPU.

    This should be investigated by Support in more detail. 


  • Hello, yes, I opened the case; they even got a senior technician to look through it.

    They recommended that I disable all IPS stuff from my LAN to LAN (servers) and LAN to WAN, and only enable it WAN to LAN.

    We only have one port open right now for our mail server.

    Is this recommended? I always thought IPS should be enabled for any WAN traffic, not just the incoming open port to my mail server.

    Instead I should enable the Advanced Threat Protection; what's the difference between those two engines? The IPS already sounded like what I needed; I can't really find anything about the ATP.

    Something else he told me: in the web exceptions, use \. instead of . (dot). I will definitely try this out.

  • Is this recommended?

    No, and you should not be satisfied with that answer. Also, I would think your firewall is fast enough for your number of users. But of course it depends on the specific setup.

    Maybe caused by server backups made over FW rules with IPS enabled and things like this.

    When your machine runs at 100% CPU all the time, there is something completely wrong.

    What is shown in Diagnostics > System graphs?

    One example when high traffic is pushed over an XG starting at 16:00:

    from the useless Dashboard Activity monitor:

    and from System Graphs:

    So we can see the backups impacting load from 16:00 on, but it does not impact performance.

    The firewall rule that handles the traffic has IPS disabled.

    Check the TLS exceptions as mentioned by   ; wrongly set exceptions can make things worse.

  • Hello,

    yeah, there are quite a bunch of web exceptions and a bunch inside the local TLS exclusion list.

    I started to use the web exceptions more, since you can name them better there.

    Most of them look like this: ^[A-Za-z0-9.-]*\.sophosxl\.net/

    But that's merely two pages, and I think not much, but I won't call it little. Traffic like backups is scheduled at night, and IPS is already off there. The only backup job runs every hour for a file of about 250 MB, so a very light job. I know how to read graphs.
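The support technician's advice earlier in the thread (use `\.` instead of `.` in web exceptions) and the pattern posted above are worth checking concretely. The following is an added example, not code from the thread or from Sophos: it runs the posted pattern and a bare-dot variant of it against a few constructed URLs to show what each one exempts. It assumes, as a simplification, that the exception regex is applied to the URL with its scheme stripped (host plus path); the sample URLs and the helper names are invented for this illustration.

```python
import re

# Pattern as posted in the thread: the dots are escaped, so they match only a literal '.'
ESCAPED = r"^[A-Za-z0-9.-]*\.sophosxl\.net/"

# Same pattern with bare dots, the mistake the technician warned about:
# a bare '.' in a regex matches ANY single character, not just a dot.
UNESCAPED = r"^[A-Za-z0-9.-]*.sophosxl.net/"

# Constructed sample URLs for this example (not taken from the thread).
SAMPLE_URLS = [
    "https://4.sophosxl.net/lookup",           # legitimate subdomain of the vendor host
    "https://sophosxl.net/lookup",             # apex host, no label in front of it
    "https://evil-sophosxl.net/",              # registrable look-alike domain
    "https://attacker.example/sophosxl.net/",  # look-alike string placed in the path
    "https://example.com/",                    # unrelated site
]


def strip_scheme(url: str) -> str:
    """Drop 'https://' etc. Assumption for this example: the exception regex is
    matched against host+path without the scheme."""
    return re.sub(r"^[a-z][a-z0-9+.-]*://", "", url)


def matches(pattern: str, url: str) -> bool:
    """True if the web exception pattern would apply to this URL."""
    return re.search(pattern, strip_scheme(url)) is not None


def matched_urls(pattern: str, urls=SAMPLE_URLS) -> list:
    """All sample URLs a pattern exempts."""
    return [u for u in urls if matches(pattern, u)]


def over_matches(loose: str, strict: str, urls=SAMPLE_URLS) -> list:
    """URLs the loose (bare-dot) pattern exempts that the strict pattern does not,
    i.e. traffic that would silently skip web/TLS inspection."""
    return [u for u in urls if matches(loose, u) and not matches(strict, u)]


if __name__ == "__main__":
    for name, pat in (("escaped", ESCAPED), ("unescaped", UNESCAPED)):
        print(f"{name:9s} {pat}")
        for u in SAMPLE_URLS:
            print(f"   {'MATCH' if matches(pat, u) else '     '} {u}")
    print("wrongly exempted by the bare-dot pattern:", over_matches(UNESCAPED, ESCAPED))
```

Two things fall out of running it. First, the bare-dot variant exempts `evil-sophosxl.net` (the `.` swallows the `-`) and `attacker.example/sophosxl.net/` (the `.` swallows the `/`), so any site could opt itself out of inspection by putting the vendor name in a path; the escaped pattern matches neither, because its character class cannot cross a `/` and it demands a real dot. Second, note that the escaped pattern as posted requires at least one label in front of `sophosxl.net` and therefore does not match the apex host itself; whether that is intended is worth checking against the vendor's own list of hosts.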

  • We have breaks at 9:15 and 12:15; you can clearly see that something is happening there, but we also have days where it looks like a rollercoaster without any low times.

    Like I said, I have IPS and the web protection stuff on most of the rules. For SSL encryption I only encrypt in the direction of WAN. I could understand if this is too much, but really I can't find any confirmation. My next step would be to get bigger hardware to try out whether it resolves this.

  • On the yearly view you can also see that there is definitely a change happening; I mean, I updated the firmware there, and around April/May I was mostly done with the configuration. Maybe I added some web exceptions over time.
