[Oisf-users] Testers: please test our initial Hyperscan support

Peter Manev petermanev at gmail.com
Fri May 13 13:34:24 UTC 2016

On Mon, Apr 11, 2016 at 8:39 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
> Thinking about this some more, I tried running suricata with only a
> minimal bpf filter (filtering just a few hosts/networks).  No flow sampling.
> Turns out with hyperscan I can now track full HTTP flows on the same
> hardware; as hyperscan uses less CPU time than the complex bpf filter:
>>     12.33%  libhs.so.4.1.0      [.] fdr_exec_x86_64_s1_w128
>>     10.67%  [kernel]            [k] acpi_processor_ffh_cstate_enter
>>      6.51%  libhs.so.4.1.0      [.] nfaExecMcClellan16_B
>>      4.75%  [kernel]            [k] __bpf_prog_run
>>      4.06%  libhs.so.4.1.0      [.] fdr_exec_x86_64_s2_w128
> I was even able to turn on the web_client and shellcode sigs!  Normally
> these are too resource-intensive even with aggressive filtering.

I am seeing an unconditional perf improvement on all live test setups
when employing hyperscan with detect.profile: high, as compared to

Cooper - still enjoying tracking full HTTP flows on your setup
without challenges?

> -Coop
> On 4/5/2016 11:41 PM, Viiret, Justin wrote:
>> True. And I'm guessing that because the deployment is an IDS with
>> filtering to keep the load under control and variable traffic anyway,
>> it's hard to gather comparative data about the throughput/packet rate
>> actually passing through Suricata.
> --
> Cooper Nelson
> Network Security Analyst
> UCSD ITS Security Team
> cnelson at ucsd.edu x41042
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC: http://oisfevents.net

Peter Manev
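The thread above turns on three practical points: confirming that the Suricata build actually links Hyperscan, selecting it together with detect.profile: high, and reading a perf profile to see how much CPU goes to libhs versus the kernel BPF filter. The script below is an added example written for this archive page; it is not code from the list posters or from the Suricata project. The `--set mpm-algo=hs` and `--set detect.profile=high` overrides, `suricata --build-info`, `--af-packet=<iface>` and the trailing BPF filter argument are real Suricata command-line features; the exact wording of the "Hyperscan support: yes" line in the build-info report, the perf line layout, the interface name, the config path and the use of pidof are assumptions. The build-info excerpt is constructed; the perf lines are the ones Cooper posted.

```shell
#!/bin/sh
# Added example for this thread; not code from the list posters or the Suricata
# project. It (1) checks a `suricata --build-info` dump for Hyperscan support,
# (2) shows the run-time overrides that select Hyperscan and the high detect
# profile, and (3) sums a perf profile per shared object so the share spent in
# libhs can be compared with the share spent in the kernel BPF program.

# hs_enabled: read `suricata --build-info` output on stdin and succeed when it
# reports Hyperscan. Assumption: the report carries a line of the form
# "Hyperscan support: yes" (whitespace between label and value is ignored).
hs_enabled() {
    grep -Eiq '^[[:space:]]*Hyperscan support:[[:space:]]*yes[[:space:]]*$'
}

# perf_dso_share: read `perf top --stdio` or `perf report --stdio` lines on
# stdin and print "DSO share" per shared object, largest share first. The DSO
# is taken as the field just before the "[.]" / "[k]" symbol-type marker, so
# the optional comm column that `perf report` prints is skipped correctly.
perf_dso_share() {
    awk '$1 ~ /%$/ {
            for (i = 3; i <= NF; i++)
                if ($i ~ /^\[[.kHgu]\]$/) {
                    sub(/%$/, "", $1)
                    share[$(i - 1)] += $1
                    break
                }
         }
         END { for (d in share) printf "%s %.2f\n", d, share[d] }' | sort -k2 -rn
}

# Constructed sample build-info excerpt (not real output from any host).
BUILD_INFO_SAMPLE='This is Suricata version 3.1dev
Suricata Configuration:
  AF_PACKET support:                       yes
  Hyperscan support:                       yes'

# Profile lines copied from the thread above (perf top format, no comm column).
PERF_SAMPLE='    12.33%  libhs.so.4.1.0      [.] fdr_exec_x86_64_s1_w128
    10.67%  [kernel]            [k] acpi_processor_ffh_cstate_enter
     6.51%  libhs.so.4.1.0      [.] nfaExecMcClellan16_B
     4.75%  [kernel]            [k] __bpf_prog_run
     4.06%  libhs.so.4.1.0      [.] fdr_exec_x86_64_s2_w128'

# Offline demonstration on the samples above.
if printf '%s\n' "$BUILD_INFO_SAMPLE" | hs_enabled; then
    echo "sample build-info: Hyperscan available"
fi
printf '%s\n' "$PERF_SAMPLE" | perf_dso_share

# Live use (not run here; interface, config path and pidof are assumptions):
#   suricata --build-info | hs_enabled || echo "this build has no Hyperscan"
#   suricata -c /etc/suricata/suricata.yaml --af-packet=eth0 \
#       --set mpm-algo=hs --set detect.profile=high 'not net 10.0.0.0/8'
#   perf record -p "$(pidof suricata)" sleep 30 && perf report --stdio | perf_dso_share
```

On Cooper's lines the per-DSO sums come out as libhs.so.4.1.0 22.90 and [kernel] 15.42, of which only the 4.75% in __bpf_prog_run is the BPF filter itself; acpi_processor_ffh_cstate_enter is idle time, so it should not be read as filter cost when comparing the two.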
