[Oisf-users] Tuning Suricata Inline IPS performance

Hariharan Thantry thantry at gmail.com
Tue Nov 22 01:48:54 UTC 2011


Hi Victor,

I think this is not necessarily caused by Suricata itself, but by the use
of iptables/NFQUEUE in a purely bridged environment. (The Suricata IPS does
not have an IP address for the bridge.) I used the very simple NFQUEUE
user space handler
http://www.netfilter.org/projects/libnetfilter_queue/doxygen/nfqnl__test_8c_source.html,
stopped Suricata, and kept the following iptables entry:

$ sudo iptables -A FORWARD -j NFQUEUE --queue-num 0

and used the above program (which just puts the packet back out) on my
bridge machine, and observed the same throughput speeds (~ 400 Kbps) using
iperf. (Only a single connection activated.)

Interestingly, when I used ebtables and its handler (ulog),
http://ebtables.sourceforge.net/examples/basic.html#ex_ulog, with the
ebtables FORWARD chain, I observed near line rate speeds (> 9Gbps):

$ sudo ebtables -A FORWARD --ulog-nlgroup 1

The major difference that I can see between the two handlers is that in
the case of NFQUEUE the whole packet payload is actually copied into user
space, while for test_ulog it isn't. I tried with NFQNL_COPY_META
as well, and the speeds for that were ~ 2Mbps.

I know this isn't an iptables/ebtables forum, but I am wondering if anyone can
throw some light on this. I read this document here:
http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html, and this figure
here, http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png, seems to
suggest that the bridged packets do indeed go through the iptables filter
table FORWARD chain, so clearly there is something that I don't have a
handle on. My CPU utilization is pretty low (~ 8%), so that clearly isn't
the issue here.

Thanks,
Hari



On Mon, Nov 21, 2011 at 10:37 AM, Victor Julien <victor at inliniac.net> wrote:

> On 11/21/2011 09:00 AM, Hariharan Thantry wrote:
> > When I turn on Suricata (latest 1.1 release version), with the defaults,
> > the speeds range between 350kbps-1Mbps (using emerging threats ruleset).
>
> Those numbers are way too low. I run an 8k ruleset in nfq mode on an Atom
> N270 and it easily keeps up with 12mbit (which is my internet
> connection). So on that hardware you should see much better speeds.
>
> Do you see one of the threads hit 100% all the time?
>
> How many rules are you using? And are you using the specific Suricata ET
> version?
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
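The comparison Hari describes (plain bridge, bridge with the iptables FORWARD chain queued to a user space NFQUEUE handler, bridge with an ebtables ulog watcher) is easy to repeat in a reproducible way. The script below is an added example and is not part of the thread, the libnetfilter_queue sample program, or Suricata. It runs on the bridge host with an iperf 2 client on one side and an iperf server on the other; `IPERF_SERVER` is a placeholder address, the function names are mine, and the user space handler (nfqnl_test for the NFQUEUE case, test_ulog for the ebtables case) must already be running, since an NFQUEUE rule with no listener drops every packet. The `bridge_calls_iptables` check reads the `bridge-nf-call-iptables` sysctl, which is kernel background not mentioned in the thread: it is the switch that makes bridged frames traverse the iptables FORWARD chain in the first place, so it is worth confirming before reading the numbers.

```shell
#!/bin/sh
# Added example: repeat the three-way throughput comparison from the thread
# and print each result in Kbit/s.  Assumes classic iperf 2 client output
# ("... 400 Kbits/sec"), root on the bridge host, and a user space handler
# already attached to queue 0 / netlink group 1 before the matching run.

IPERF_SERVER="${IPERF_SERVER:-192.0.2.10}"   # placeholder (documentation range)

# Convert the rate field of an iperf summary line to Kbit/s so that runs
# reported in bits, Kbits, Mbits or Gbits per second compare numerically.
iperf_kbps() {
    # $1: one iperf line, e.g. "[  3]  0.0-10.0 sec   488 KBytes   400 Kbits/sec"
    set -- $(printf '%s\n' "$1" | sed -n 's|.* \([0-9.]*\) \([KMG]\{0,1\}\)bits/sec.*|\1 \2|p')
    [ -n "$1" ] || return 1            # no rate field found
    case "$2" in
        '') awk -v v="$1" 'BEGIN { printf "%.0f\n", v / 1000 }' ;;
        K)  awk -v v="$1" 'BEGIN { printf "%.0f\n", v }' ;;
        M)  awk -v v="$1" 'BEGIN { printf "%.0f\n", v * 1000 }' ;;
        G)  awk -v v="$1" 'BEGIN { printf "%.0f\n", v * 1000000 }' ;;
    esac
}

# Return 0 when the kernel hands bridged frames to the iptables hooks
# (the condition under which the FORWARD rule sees bridged traffic at all).
# Kernel background, not from the thread: /proc/sys/net/bridge/bridge-nf-call-iptables.
bridge_calls_iptables() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    [ -r "$f" ] || { echo "unknown: bridge netfilter not loaded" >&2; return 2; }
    read -r v < "$f"
    [ "$v" = 1 ]
}

# Run one 10 s iperf test with a rule installed, then remove the rule again
# so the next configuration starts from a clean bridge.
# $1: label, $2: command installing the rule, $3: command removing it.
measure() {
    label=$1; add=$2; del=$3
    sh -c "$add" || return 1
    line=$(iperf -c "$IPERF_SERVER" -t 10 | grep 'bits/sec' | tail -n 1)
    sh -c "$del"
    printf '%-14s %10s Kbit/s\n' "$label" "$(iperf_kbps "$line")"
}

main() {
    if bridge_calls_iptables; then
        echo "bridge-nf-call-iptables=1: bridged frames traverse iptables FORWARD"
    else
        echo "bridged frames are NOT passed to iptables; NFQUEUE run will see nothing"
    fi
    measure baseline      ':' ':'
    measure nfqueue       'iptables -A FORWARD -j NFQUEUE --queue-num 0' \
                          'iptables -D FORWARD -j NFQUEUE --queue-num 0'
    measure ebtables-ulog 'ebtables -A FORWARD --ulog-nlgroup 1' \
                          'ebtables -D FORWARD --ulog-nlgroup 1'
}

# Only touch the firewall when explicitly asked: `sh ips_bench.sh run`.
if [ "${1:-}" = run ]; then main; fi
```

Running the three cases back to back on the same hardware isolates the cost of the packet path from Suricata's own processing, which is the point Hari makes by stopping Suricata first; a gap of the size reported (hundreds of Kbit/s versus line rate) that survives with the trivial nfqnl_test handler in place confirms the slowdown lives in the NFQUEUE path rather than in rule matching.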