[Oisf-users] Multi-tenancy, memory requirements, performance?

Alan Amesbury amesbury at oitsec.umn.edu
Fri Mar 24 22:18:19 UTC 2017

What's the effect of Suricata's multi-tenancy on memory footprint?  We're looking at running with multi-tenancy so we can set HOME_NETS to various values for different VLANs.  So, for example, if I have 25k rules that I want to run with 50 different tenancy configurations, what's the impact on memory use?  I don't know the internal details of Suricata's rule expansion, but it seems to me one way that it might happen is those rules with common variables across different tenancy configurations will have a footprint expand in line with the number of those configurations.  Note that I'm talking about using Suricata in live capture mode; my understanding is VLANs are the only selector available in that mode.

I'm looking specifically at Suricata v3.2.1 with Hyperscan.  I don't have a clear understanding of the packet path through Suricata, but would guess that the IP/port logic portion would be done first as that seems like pretty straightforward bitwise math.  If Suricata (Hyperscan?) builds the rulesets in such a way that basic packet logic and payload inspection (e.g., the Hyperscan portion) are decoupled, it seems like memory usage might not increase all that much if Suricata is able to detect functionally duplicate rules between differing tenancy configs (same rule, differing values for HOME_NET and such)... but I'm totally shooting in the dark, and that's why I'm hoping to find out more here.  I did look at the source, but source code and I aren't really on speaking terms.  ;-)

Searches of http://suricata.readthedocs.io turned up little on multi-tenancy, and nothing on what impact multi-tenancy has on memory usage.  I did a little Google searching as well, but didn't turn up anything else that looked relevant to multi-tenancy and memory usage.  Anyway, if nothing else, pointers in the right direction would be greatly appreciated.  Thanks in advance for any insights you can provide!

Alan Amesbury
University Information Security
