[Oisf-devel] Going to Open Source and plugins

Sartakov A. Vasily sartakov at ksyslabs.org
Thu Sep 18 07:40:54 UTC 2014


On 17 Sept 2014, at 22:41, Peter Manev <petermanev at gmail.com> wrote:

> On Wed, Sep 17, 2014 at 5:40 PM, Victor Julien <victor at inliniac.net> wrote:
>> Hi Vasily,
>> 
>> On 09/17/2014 12:27 PM, Sartakov A. Vasily wrote:
>>> My name is Vasily Sartakov, I represent the «ksys labs» company, and we are working on the development of an IDS on top of Suricata and our own QorIQ-based platform.
>>> 
>>> We have implemented USDPAA support in Suricata, and, compared to AF_PACKET, our platform provides more than 20% better performance. We are going to share our sources as Open Source, and my question is: are you interested in public sources for this specific hardware platform? i.e. can we push our sources into mainline, or do we have to support it ourselves in a separate project?
> 
> Very interesting - how did you achieve the 20% difference and what was
> the test condition set up like? (if ok to share that info of course)
> Are there any dependencies (HW, driver/package versions)?

I am sorry, I forgot to provide the link (http://www.freescale.com/webapp/sps/site/overview.jsp?code=QORIQ_DPAA ). Of course there is no magic here: QorIQ has mechanisms for delivering network packets directly to user space, and this is the main source of the additional performance. Our test framework is based on packet drop counts for two cases: the first one is a case of burst SYN-flood packets, i.e. small packets without a body (and so we do not check packet content); the second one has packets with the maximum body size. 
So, in our experiments there are many «dimensions» (packet size, types of rules, number of rules), and yes, «20%+ performance» is not an answer, just one characteristic for one particular set of tests. 
Btw, I am a newbie in IDS Open Source projects; do you have any Open Source events at conferences like FOSDEM where you meet and discuss? I think we can present our results and so on. 

> 
>> 
>> Interesting, I wasn't aware yet of USDPAA. Is it similar to Intel's
>> DPDK? I think this could be interesting to other users as well, so I'd
>> be interested in having a look.
>> 
>>> The second question is about plugin support. There is functionality in Snort that we need. We have to control the association of MAC and IP provided by rules. As far as I understand, that functionality is provided via a plugin in Snort. Can you advise the right approach for obtaining the same functionality in Suricata? What is the best place in the sources to «hook», or maybe is there a plugin engine already under construction?
>> 
>> We don't currently have a dynamic plugin API. The various keywords are
>> implemented in a modular way though.
>> 

-- 
Sartakov A. Vasily
sartakov at ksyslabs.org
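The MAC/IP association check asked about in this thread, as an added example that is not part of the original message and is not Suricata's or ksys labs' code: a stand-alone Python checker that parses Ethernet/ARP frames and flags ARP replies whose sender hardware address disagrees with a configured IP-to-MAC binding, or with the Ethernet source address of the frame carrying it (the two checks Snort's arpspoof preprocessor performs). The binding table, the MAC/IP addresses and the frames are all constructed for the example; the helper names are assumptions, not any project's API.

```python
# Added example (not Suricata or ksys labs code): a MAC/IP association
# check over ARP replies, the kind of rule discussed in this thread.
import struct
from typing import Dict, List

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2

def mac(text: str) -> bytes:
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def ip(text: str) -> bytes:
    """'192.168.1.1' -> 4 raw bytes."""
    return bytes(int(octet) for octet in text.split("."))

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)

def build_arp_reply(eth_src: str, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Constructed Ethernet+ARP reply; eth_src may differ from sha to model a forged frame."""
    eth = ETH_HDR.pack(mac(tha), mac(eth_src), ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REPLY, mac(sha), ip(spa), mac(tha), ip(tpa))
    return eth + arp

def check_arp_frame(frame: bytes, bindings: Dict[str, str]) -> List[str]:
    """Return alert strings for one frame. bindings maps IP -> expected MAC (assumed config format)."""
    alerts: List[str] = []
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return alerts                       # truncated frame: nothing to judge
    _dst, eth_src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return alerts                       # not ARP; other traffic is out of scope here
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper != ARP_REPLY:
        return alerts                       # only Ethernet/IPv4 ARP replies are checked
    # Check 1: the frame's Ethernet source must match the ARP sender hardware address.
    if sha != eth_src:
        alerts.append(f"ethernet src {mac_str(eth_src)} differs from ARP sender hw {mac_str(sha)}")
    # Check 2: a sender IP we have a binding for must be claimed by the bound MAC only.
    expected = bindings.get(ip_str(spa))
    if expected is not None and mac(expected) != sha:
        alerts.append(f"{ip_str(spa)} claimed by {mac_str(sha)} but bound to {expected}")
    return alerts

# Constructed binding table and frames for the demonstration (all addresses invented).
BINDINGS = {"192.168.1.1": "00:11:22:33:44:55"}   # gateway IP -> MAC
GW = "00:11:22:33:44:55"
ATTACKER = "de:ad:be:ef:00:01"
VICTIM = "aa:bb:cc:dd:ee:01"

FRAMES = {
    "legit":   build_arp_reply(GW, GW, "192.168.1.1", VICTIM, "192.168.1.10"),
    "spoofed": build_arp_reply(ATTACKER, ATTACKER, "192.168.1.1", VICTIM, "192.168.1.10"),
    "forged":  build_arp_reply(ATTACKER, GW, "192.168.1.1", VICTIM, "192.168.1.10"),
    "unknown": build_arp_reply(VICTIM, VICTIM, "192.168.1.10", GW, "192.168.1.1"),
}

def run_demo() -> Dict[str, List[str]]:
    """Run the checker over every constructed frame and return alerts per frame name."""
    return {name: check_arp_frame(frame, BINDINGS) for name, frame in FRAMES.items()}

if __name__ == "__main__":
    for name, alerts in run_demo().items():
        print(name, alerts or "ok")
```

The "spoofed" frame is a consistent reply from an unbound MAC claiming the gateway IP, which only the binding check catches; the "forged" frame carries the gateway's MAC inside ARP but was sent from another interface, which only the Ethernet-versus-ARP check catches. An IP with no binding produces no alert, so the binding table has to be populated for the hosts that matter (gateways, servers) for this rule to be useful.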


