[Oisf-users] Testers: please test our initial Hyperscan support
Peter Manev
petermanev at gmail.com
Fri May 13 13:34:24 UTC 2016
On Mon, Apr 11, 2016 at 8:39 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
> Thinking about this some more, I tried running suricata with only a
> minimal bpf filter (filtering just a few hosts/networks). No flow sampling.
>
> Turns out with hyperscan I can now track full HTTP flows on the same
> hardware; as hyperscan uses less CPU time than the complex bpf filter:
>
>> 12.33% libhs.so.4.1.0 [.] fdr_exec_x86_64_s1_w128
>> 10.67% [kernel] [k] acpi_processor_ffh_cstate_enter
>> 6.51% libhs.so.4.1.0 [.] nfaExecMcClellan16_B
>> 4.75% [kernel] [k] __bpf_prog_run
>> 4.06% libhs.so.4.1.0 [.] fdr_exec_x86_64_s2_w128
>
> I was even able to turn on the web_client and shellcode sigs! Normally
> these are too resource-intensive even with aggressive filtering.
I am seeing an unconditional perf improvement on all live test setups
when employing hyperscan with detect.profile: high, as compared to
ac-ks/ac.
Cooper - still enjoying tracking full HTTP flows on your setup
without challenges?
>
> -Coop
>
> On 4/5/2016 11:41 PM, Viiret, Justin wrote:
>> True. And I'm guessing that because the deployment is an IDS with
>> filtering to keep the load under control and variable traffic anyway,
>> it's hard to gather comparative data about the throughput/packet rate
>> actually passing through Suricata.
>
> --
> Cooper Nelson
> Network Security Analyst
> UCSD ITS Security Team
> cnelson at ucsd.edu x41042
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net
--
Regards,
Peter Manev
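To make the comparison Cooper draws from the perf listing (Hyperscan matcher time versus kernel/BPF time) repeatable, here is an added example that is not part of this thread nor of Suricata or Hyperscan: it parses perf-top style lines and sums the CPU share per shared object and per symbol pattern. The sample lines are the five quoted above; the regex assumes the `pct% dso [type] symbol` column layout shown there.

```python
import re
from collections import defaultdict

# The five perf lines quoted in the thread, used here as sample input.
PERF_SAMPLE = """\
12.33% libhs.so.4.1.0 [.] fdr_exec_x86_64_s1_w128
10.67% [kernel] [k] acpi_processor_ffh_cstate_enter
6.51% libhs.so.4.1.0 [.] nfaExecMcClellan16_B
4.75% [kernel] [k] __bpf_prog_run
4.06% libhs.so.4.1.0 [.] fdr_exec_x86_64_s2_w128
"""

# percent, DSO, symbol type ([.] user / [k] kernel), symbol name
LINE_RE = re.compile(r"^\s*(\d+(?:\.\d+)?)%\s+(\S+)\s+\[([.k])\]\s+(\S+)\s*$")


def parse_perf(text):
    """Return (pct, dso, kind, symbol) tuples; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pct, dso, kind, sym = m.groups()
            rows.append((float(pct), dso, kind, sym))
    return rows


def share_by_dso(rows):
    """Total CPU share per shared object (e.g. libhs vs [kernel])."""
    totals = defaultdict(float)
    for pct, dso, _, _ in rows:
        totals[dso] += pct
    return {dso: round(v, 2) for dso, v in totals.items()}


def share_matching(rows, pattern):
    """Total CPU share of symbols whose name matches a regex (e.g. 'bpf', 'cstate')."""
    rx = re.compile(pattern)
    return round(sum(pct for pct, _, _, sym in rows if rx.search(sym)), 2)


if __name__ == "__main__":
    rows = parse_perf(PERF_SAMPLE)
    print(share_by_dso(rows))                    # libhs 22.9 vs [kernel] 15.42
    print("bpf:", share_matching(rows, r"bpf"))  # 4.75
    # cstate_enter is the idle path, not work: subtract it when judging headroom.
    print("idle:", share_matching(rows, r"cstate"))
```

Note that `acpi_processor_ffh_cstate_enter` is the CPU idle entry path, so it should be treated as headroom rather than as kernel work when reading the kernel total.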