Sophos UTM 9.705-3 Intrusion Prevention

Hello,

I appear to be having some trouble with the Intrusion Prevention on my UTM. When I have Intrusion Prevention enabled, my network speeds are reduced dramatically. For example, my WAN connection; with and without Intrusion Prevention enabled:

Enabled - Download: 98Mbps
Disabled - Download: 206Mbps

I have tried changing various settings within Intrusion Prevention (whilst still having it enabled), but this made no improvement in the network speed. I had a look in the live log whilst trying a speed test and I saw a large number of entries like this:

S5: Session exceeded configured max bytes to queue 1048576 using 1053000 bytes (client queue).

I tried doing some searches online for this but I can't seem to find anything other than it's nothing to worry about... but I'm pretty sure this is telling me what the problem is? Is it possible to increase the max bytes to queue? I'm currently using only 35% of 8GB RAM on this box.

Cheers,
Richard
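The S5 line quoted above names the configured cap (1048576 bytes) and how much the session actually needed (1053000 bytes), so a log full of them tells you both how many sessions hit the cap and by how much they overshoot. The following shell script is an added example, not Sophos/UTM code and not posted by anyone in this thread: it tallies those messages from a log file. The function names `s5_queue_summary` and `s5_peak_percent` are my own, the sample log lines are constructed (only the "S5: Session exceeded ..." message text is taken from the post; timestamps, hostname and PID are made up), and on a real box you would point it at the IPS log instead of the embedded sample.

```sh
#!/bin/sh
# Added example, not Sophos/UTM code: summarise Snort stream5 (S5) queue warnings
# from an IPS log so you can see how many sessions overshoot the configured
# max_queued_bytes, and by how much, before raising the setting.

# Constructed sample log. Only the "S5: Session exceeded ..." message text comes
# from the post above; timestamps, hostname, PID and the unrelated alert line are
# made up for the demo. On a real box you would pass the IPS log path instead.
SAMPLE_LOG='2024:01:01-10:00:01 utm snort[1234]: S5: Session exceeded configured max bytes to queue 1048576 using 1053000 bytes (client queue).
2024:01:01-10:00:02 utm snort[1234]: S5: Session exceeded configured max bytes to queue 1048576 using 1049000 bytes (server queue).
2024:01:01-10:00:02 utm snort[1234]: S5: Session exceeded configured max bytes to queue 1048576 using 2100000 bytes (client queue).
2024:01:01-10:00:03 utm snort[1234]: [1:1000001:1] demo alert [Priority: 3] {TCP} 203.0.113.5:80 -> 192.0.2.10:51234'

# s5_queue_summary FILE
# Prints one line:
#   "<S5 messages> <configured limit> <largest queue seen> <client hits> <server hits>"
s5_queue_summary() {
    awk '
    BEGIN { n = 0; limit = 0; max = 0; client = 0; server = 0 }
    /S5: Session exceeded configured max bytes to queue/ {
        # The message reads "... to queue LIMIT using USED bytes (client|server queue)."
        # Walk the fields so a different log prefix does not break the parse.
        used = 0
        for (i = 1; i < NF - 2; i++) {
            if ($i == "queue" && $(i + 2) == "using") {
                limit = $(i + 1) + 0
                used  = $(i + 3) + 0
            }
        }
        n++
        if (used > max) max = used
        if ($(NF - 1) ~ /client/) client++; else server++
    }
    END { printf "%d %d %d %d %d\n", n, limit, max, client, server }
    ' "$1"
}

# s5_peak_percent FILE
# Largest observed queue as a whole percentage of the configured limit
# (100 means a session needed exactly the limit; 200 means twice it).
s5_peak_percent() {
    s5_queue_summary "$1" | awk '{ if ($2 == 0) print 0; else printf "%d\n", $3 * 100 / $2 }'
}

# Demo run on the constructed sample.
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$demo_file"
echo "messages limit peak client server: $(s5_queue_summary "$demo_file")"
echo "peak as % of limit: $(s5_peak_percent "$demo_file")"
rm -f "$demo_file"
```

The peak figure is the number to compare against the configured value before changing anything: if the largest overshoot is a few percent, a modest increase will silence the log, whereas a peak at several times the limit (as in the third constructed line) means a single session is buffering far more than the cap and raising it only moves the problem. The script only reads the per-session queue cap; it says nothing about Snort's separate stream memcap, which is a different ceiling.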

  • I'm having similar issues. I'm constantly having to up the queue_length and max_queue_bytes with all these log errors.  I'm currently at  queue_length 32768 and max_queue_bytes 1000000. 

    Also, why is our Snort version so old? It's 2.9.11.2, which is years old, on the latest firmware. Can we not get it upgraded to at least the latest 2.9.x version? I mean, 3.0 is in beta.

  • Snort 2.9.11.2? It's very difficult to vet and modify a new version for inclusion in a security product like UTM. Most every module is several years old. Instead of attempting to integrate every new version, the existing code is modified when new vulnerabilities are found - that permits a faster response than bringing in the new version with the vulnerability repaired.

    Your current max_queue_bytes appears to be lower than the OP's.  What do you get with the following?

    cc get ips snortsettings max_queued_bytes

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • There seem to be plenty of vulns being fixed if you check the changelog, but anyway, that's not the real problem..

    cc get ips snortsettings max_queued_bytes
    10000000

    What we need to be able to do is modify memcap which seems to be hard set at the value. Is that possible? Or is this command supposed to do that because I don't see it changing.

  • Ahhh, I didn't count the 0s correctly before! Are you still getting max_queued_bytes warnings?

    What are you seeing relative to memcap?

    Cheers - Bob

  • Yeah, still getting the max_queued_bytes error. Mind you, I've been increasing it gradually since it was at default and I'm yet to find a setting that it's happy at. Not sure where it's going to stop, but at this rate it won't :) I'm also running two instances of snort as we have 4 CPUs; it didn't like 3 for some reason, maybe the CPUs are just overworked with 3, but these 330s should be fine.

    memcap is always at the limit and has not changed its setting. I'm not RAM-limited, so why it's so hard set is beyond me.
