[Oisf-users] Testers: please test our initial Hyperscan support
Cooper F. Nelson
cnelson at ucsd.edu
Mon Apr 11 17:39:20 UTC 2016
Thinking about this some more, I tried running suricata with only a
minimal bpf filter (filtering just a few hosts/networks). No flow sampling.
Turns out with hyperscan I can now track full HTTP flows on the same
hardware, as hyperscan uses less CPU time than the complex bpf filter:
> 12.33% libhs.so.4.1.0 [.] fdr_exec_x86_64_s1_w128
> 10.67% [kernel] [k] acpi_processor_ffh_cstate_enter
> 6.51% libhs.so.4.1.0 [.] nfaExecMcClellan16_B
> 4.75% [kernel] [k] __bpf_prog_run
> 4.06% libhs.so.4.1.0 [.] fdr_exec_x86_64_s2_w128
I was even able to turn on the web_client and shellcode sigs! Normally
these are too resource-intensive even with aggressive filtering.
-Coop
On 4/5/2016 11:41 PM, Viiret, Justin wrote:
> True. And I'm guessing that because the deployment is an IDS with
> filtering to keep the load under control and variable traffic anyway,
> it's hard to gather comparative data about the throughput/packet rate
> actually passing through Suricata.
--
Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042
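The comparison Cooper makes above is done by eye from `perf report` output: summing the Hyperscan symbols against the kernel BPF interpreter. The script below is an added example, not code from the mail or from the Suricata or Hyperscan projects; it parses perf-report lines in the layout quoted above (overhead, shared object, [.]/[k], symbol), totals CPU share per shared object, and sets the Hyperscan matcher against `__bpf_prog_run`. The sample input is constructed from the numbers in the mail, and the treatment of `acpi_processor_ffh_cstate_enter` as idle time (C-state entry, not work) is an assumption made here to keep idle cycles out of the "kernel" bucket.

```python
import re
from collections import defaultdict

# Constructed sample: the five perf-report lines quoted in the mail,
# stripped of the leading "> " mail quoting (the parser tolerates it anyway).
SAMPLE_PERF = """\
12.33% libhs.so.4.1.0 [.] fdr_exec_x86_64_s1_w128
10.67% [kernel] [k] acpi_processor_ffh_cstate_enter
6.51% libhs.so.4.1.0 [.] nfaExecMcClellan16_B
4.75% [kernel] [k] __bpf_prog_run
4.06% libhs.so.4.1.0 [.] fdr_exec_x86_64_s2_w128
"""

# perf report layout: "<overhead>%  <shared object>  [.|k]  <symbol>"
# ([.] = user space, [k] = kernel). An optional ">" handles mail-quoted lines.
PERF_LINE = re.compile(r"^\s*>?\s*(\d+(?:\.\d+)?)%\s+(\S+)\s+\[([.k])\]\s+(\S+)")

# Assumption: kernel symbols that represent the CPU being idle rather than
# doing packet work. C-state entry is the one visible in the sample.
IDLE_SYMBOLS = {"acpi_processor_ffh_cstate_enter"}

# The symbol behind the kernel's BPF interpreter (the socket filter Suricata
# installs when given a bpf expression).
BPF_SYMBOLS = {"__bpf_prog_run"}


def parse_perf(text):
    """Yield (overhead_pct, shared_object, is_kernel, symbol) per perf line."""
    for line in text.splitlines():
        m = PERF_LINE.match(line)
        if not m:
            continue  # headers, blank lines, comments
        yield float(m.group(1)), m.group(2), m.group(3) == "k", m.group(4)


def share_by_dso(text):
    """Total sampled CPU share per shared object, rounded to 2 decimals."""
    totals = defaultdict(float)
    for pct, dso, _, _ in parse_perf(text):
        totals[dso] += pct
    return {dso: round(v, 2) for dso, v in totals.items()}


def matcher_vs_bpf(text, matcher_dso="libhs.so.4.1.0"):
    """Return (matcher_pct, bpf_pct, kernel_busy_pct).

    matcher_pct: everything attributed to the pattern-matching library.
    bpf_pct: time inside the kernel BPF interpreter only.
    kernel_busy_pct: all kernel time minus idle symbols, so that C-state
    entry does not inflate the "filtering" side of the comparison.
    """
    matcher = bpf = kernel_busy = 0.0
    for pct, dso, is_kernel, sym in parse_perf(text):
        if dso == matcher_dso:
            matcher += pct
        if is_kernel and sym not in IDLE_SYMBOLS:
            kernel_busy += pct
        if sym in BPF_SYMBOLS:
            bpf += pct
    return round(matcher, 2), round(bpf, 2), round(kernel_busy, 2)


if __name__ == "__main__":
    for dso, pct in sorted(share_by_dso(SAMPLE_PERF).items(), key=lambda kv: -kv[1]):
        print(f"{pct:6.2f}%  {dso}")
    hs, bpf, kbusy = matcher_vs_bpf(SAMPLE_PERF)
    print(f"hyperscan {hs:.2f}%  bpf interpreter {bpf:.2f}%  kernel (non-idle) {kbusy:.2f}%")
```

Feed it the output of `perf report --stdio` from a run of each configuration (Hyperscan with a minimal bpf file versus the previous matcher with the complex filter) to get the same comparison on your own hardware rather than reading the percentages off by hand.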