[Oisf-users] Testers: please test our initial Hyperscan support

Cooper F. Nelson cnelson at ucsd.edu
Mon Apr 11 17:39:20 UTC 2016

Thinking about this some more, I tried running suricata with only a
minimal bpf filter (filtering just a few hosts/networks).  No flow sampling.

Turns out with hyperscan I can now track full HTTP flows on the same
hardware; as hyperscan uses less CPU time than the complex bpf filter:

>     12.33%  libhs.so.4.1.0      [.] fdr_exec_x86_64_s1_w128
>     10.67%  [kernel]            [k] acpi_processor_ffh_cstate_enter
>      6.51%  libhs.so.4.1.0      [.] nfaExecMcClellan16_B
>      4.75%  [kernel]            [k] __bpf_prog_run
>      4.06%  libhs.so.4.1.0      [.] fdr_exec_x86_64_s2_w128

I was even able to turn on the web_client and shellcode sigs!  Normally
these are too resource-intensive even with aggressive filtering.


On 4/5/2016 11:41 PM, Viiret, Justin wrote:
> True. And I'm guessing that because the deployment is an IDS with
> filtering to keep the load under control and variable traffic anyway,
> it's hard to gather comparative data about the throughput/packet rate
> actually passing through Suricata.

Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20160411/a307ada8/attachment-0002.sig>

More information about the Oisf-users mailing list