Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980...
Transcript of Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980...
![Page 1: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/1.jpg)
Suricon 2019 Suricata Performance Testing
Redux
© 2019 Proofpoint. All rights reserved
Brad Woodberg – Product Manager – Emerging Threats [email protected]
![Page 2: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/2.jpg)
Agenda
• Intro / Recap • Methodology • New Tests, New Results • Battle Royale: Suricata vs. Snort 2 and Snort 3 • Summary
![Page 3: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/3.jpg)
What we learned from last time A very brief recap
© 2019 Proofpoint. All rights reserved
![Page 4: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/4.jpg)
Key Findings from Suricon 2017
• We performed over 23 distinct test scenarios for Suricon 2017, results in appendix (to be included in posted copy)
• Here are a few of the key findings related to performance we learned at the time
![Page 5: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/5.jpg)
1. Suricata Gets better with age!
150
400
550
1070
700
0
200
400
600
800
1000
1200
Mbp
s
Suricata 2.0.9 Suricata 3.0.2 Suricata 3.2.4 Suricata 4.0.1 Suricata 4.0.1 --disable-gccmarch-native
![Page 6: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/6.jpg)
2. Suricata Scales Nicely!
500
770 813
945
1070
850
0
200
400
600
800
1000
1200
MB
PS
1 Send/Receive 2 Send/Receive 4 Send/Receive
8 Send/Receive 16 Send/Receive 32 Send/Receive
And scales nicely as long as you have available cores (16 in this example)
![Page 7: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/7.jpg)
3. Most features have negligible impact on performance
1070 1000 980 980
800
700
900
350
0
200
400
600
800
1000
1200
MB
PS
Baseline Statistics Alert Logging Alert Logging with Packet Data Network Profiling Rolling PCAP FileStore (HTTP) File Logging (All)
• Network Profiling logged all DNS/HTTP/SSL transactions • File Store only matched on select HTTP files, while file logging logged all
files on all protocols
![Page 8: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/8.jpg)
Key Areas of interest from the Community
• What about the latest and greatest versions of Suricata? – Suricata 4.1 and Suricata 5.0 (including new feature perf) – Hyperscan on modern processing
• How do rulesets and signatures impact performance?
• How does Suri differ from Snort with respect to performance?
![Page 9: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/9.jpg)
Test Methodology: Suricon 2019
© 2019 Proofpoint. All rights reserved
![Page 10: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/10.jpg)
Test Methodology Overview: HW
• Traffic Generation Equipment: Ixia PerfectStorm1 Fusion • Dell PowerEdge R730
– 2 x 14-core Intel(R) Xeon(R) CPU E5-2680 v4 @ 2.40GHz • We limit thread count to match generation HW
– 64GB RAM DDR4 2400Mhz – 4 port Intel 1Gbit I350 Interface Card
![Page 11: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/11.jpg)
Test Methodology Overview: SW
• Ubuntu 16.04 • Suricata (various), Snort • AF_Packet Mode • ETPro Signature Pack 10/15/2019 (final tests)
• Latest Snort rules download on 10/15/2019
• Breakingpoint 8.4.0
![Page 12: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/12.jpg)
Test Topology
2x direct connect 1Gbps Interfaces
Out of Band Management
Laptop for Executing Tests
![Page 13: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/13.jpg)
Test Methodology
• Controls: – Same traffic profile – Same HW/OS – Same method to identify breakingpoint – Canary Traffic – Each test we run up to 1Gbps in each direction (max 2Gbps) plus Canary Traffic – Suricata Version, Base Configuration, Signature Set • *Except in specific tests which measure these configurations.
• Steps: – Compile and/or Configure Suricata / Snort based on given test. – Run Ixia Test – Collect Results – Restart Suricata / Snort for next test (fresh process each round.)
![Page 14: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/14.jpg)
Test Traffic Description • Ixia features over 3k Applications/Protocols, including real world apps. Traffic is generated at test setup, and is rich in
content, and also varied.
• Ensures that you are not just replaying the same traffic over and over, while giving tester complete control of crafting the test and measuring the results.
• Protocols / Distribution (in BW) – SSL: 32%
– Skype: 3%
– HTTP Text: 7%
– Pandora 4%
– NTP: .5%
– DNS 2%
– HTTP Video: 11%
– SMTP: 11%
– NetFlix: 11%
– SSH: 2%
– Video Call/Conference: 10%
– HTTP Audio: 4%
– FTP: 2.5%
• Canary Test Traffic – Continuously trigger 2018885 (Windows XP Command.exe Shell Connection) throughout tests (Suricata set to drop) to ensure active
detection.
![Page 15: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/15.jpg)
Traffic Ramp Profile • We use a stair-step approach
to continuously increase the load/session rate of the system. We fully open/transmit data/close sessions.
• Every Second we increase the session setup rate by 65 up to 3 mins
![Page 16: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/16.jpg)
Baseline Suricata Configuration
• Suricata 5.0.0, default compilation
• AF_Packet, 8 traffic threads (4 send / 4 receive)
• Only Eve logging, no pcap, filestore, or debug
• No profiling
• All stock flow settings for Suricata 5.0 – Hyperscan – Rust – Medium Detection Profile
![Page 17: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/17.jpg)
Suricata ETPro Policy
• All ETPro Signatures (10/15/2019) enabled in alert mode – Roughly 48,000 Signatures
• Canary Signature 2018885 set to Drop to ensure that detection is active.
![Page 18: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/18.jpg)
Determining Breakingpoint
• We want to identify the maximum performance at which Suricata is operating at it’s full capacity.
• Ensure the following: – Consistent Performance – No Packet Loss – No Session setup or Application Transaction Failures – Suricata’s detect is not degraded (e.g. repeated canary attack to make sure Suricata is not missing traffic.)
• Once breakingpoint is found (above), we identify the highest performance observed prior to that point. – While Suricata can go much higher, it will have real world impacts. We’re not concerned about absolute
performance numbers, but more around rate of change.
• Run each test 3 times and pick the median performance result
![Page 19: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/19.jpg)
Determining Breakingpoint
• Example Scenarios
• Flow Exceptions • Application
Transaction Failure
• Attacks not blocked
![Page 20: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/20.jpg)
We will publish all test reports!
• I got special permission from Ixia/Breakingpoint this year that we can share the full test results (including the Breakingpoint test configs if you have a Breakingpoint to recreate the traffic).
• Over 3GB of Test Reports in PDF format, everything you ever wanted to know about Suricata Performance Testing and much more! – Including reports from all tests in 2017 and 2019
• Will provide the location after talk and update this presentation for posting with the location.
20 © 2019 Proofpoint. All rights reserved
![Page 21: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/21.jpg)
That was then, this is now New Tests, New Results, New Insights
© 2019 Proofpoint. All rights reserved
![Page 22: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/22.jpg)
What we’re going to look at
Test Name Description Suricata Version Impact
Pick up where we left off by testing Suricata 4.0, 4.1, and 5.0
Hyperscan Impact Retest Hyperscan impact on performance w/Suricata 5.0 Optimized Rules How ETPro optimized rules impact performance Rule Counts and Performance
How the quantity of rules impacts performance
Poorly Written Rules How rules that are poorly written can have a big impact on performance
![Page 23: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/23.jpg)
Contemporary Suricata Performance
1590
1400
1500
1070
0
200
400
600
800
1000
1200
1400
1600
1800
Mbp
s
Suricata 4.0 (HS) Suricata 4.1 (HS) Suricata 5.0 (HS) Suricata 5.0 (AC)
• Note, the slight performance drop from 4.0 to 4.1 is likely due to the shift to Rust being on by default (but very worth the extra security!)
• Hyperscan provides a large performance boost over stock Aho-Corasick!
![Page 24: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/24.jpg)
Optimized Rule Versions and Performance (Suricata 5.0)
1220
1400
1500
0
200
400
600
800
1000
1200
1400
1600
Mbp
s Suricata 2.0 Optimized Suricata 4.0 Optimized Suricata 5.0 Optimized)
Suricata 5.0 optimized ruleset also includes JA3 rules not in Suricata 2 or 4 optimized rulesets
![Page 25: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/25.jpg)
Rule Quantity Impact on Perf
1600 1560
1500 1500
0
200
400
600
800
1000
1200
1400
1600
1800
Mbp
s Suricata 5.0 (No Rules) Suricata 5.0 (10k Rules) Suricata 5.0 (25k Rules) Suricata 5.0 (All ETPro Rules)
![Page 26: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/26.jpg)
Tip your Sig Writers!
• Writing bad signatures can have a bigger impact than the quantity of rules
All Rules, 1500
All Rules + 4 - Urgent 11 Packet Sigs, 1320
All Rules + Unanchored PCRE, 1200
All Rules + No Anchor, 1400
All Rules + Bad Content Match, 1480
0
200
400
600
800
1000
1200
1400
1600
Mbp
s
alert tcp any any -> any any (flags: U+; msg: "OS-VXWORKS - Use of Urgent Flag might indicate potential attempt to exploit an Urgent11 RCE vulnerability"; classtype:attempted-admin; reference:cve,2019-12255; reference:cve,2019-12260; reference:cve,2019-12261; reference:cve,2019-12263; reference:url,armis.com/urgent11; rev: 1; sid:1000002;) alert tcp any any -> any any (flags: SUF+; msg: "OS-VXWORKS Illegal use of Urgent pointer - Potential attempt to exploit an Urgent11 RCE vulnerability"; classtype:attempted-admin; reference:cve,2019-12255; reference:cve,2019-12260; reference:cve,2019-12261; reference:cve,2019-12263; reference:url,armis.com/urgent11; rev: 1; sid:1000001;) alert ip any any -> any any (ipopts: lsrr; msg: "OS-VXWORKS Use of LSRR option, potential attempt to exploit an Urgent11 RCE vulnerability"; reference:cve,2019-12256; classtype:attempted-admin; reference:url,armis.com/urgent11; rev: 1; sid:1000003;) alert ip any any -> any any (ipopts: ssrr; msg: "OS-VXWORKS Use of SSRR option, potential attempt to exploit an Urgent11 RCE vulnerability"; reference:cve,2019-12256; classtype:attempted-admin; reference:url,armis.com/urgent11; rev: 1; sid:1000004;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GetFired for Terrible Unanchored PCRE"; pcre:"/\/api\.php\?id=\d{1,2}$/"; classtype:trojan-activity; sid:1; rev:2; )
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"GetFired for Terrible PCRE"; pcre:"/\/api\.php\?id=\d{1,2}$/"; classtype:trojan-activity; sid:1; rev:2; ) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:“Bad Content Match"; content:"/"; http_uri; pcre:"/\/api\.php\?id=\d{1,2}$/"; classtype:trojan-activity; sid:1; rev:2; )
I have a ton more test results including from new features like Suricata Rule Transforms, File Store, and other bad signature scenarios. Will post the test results with the deck so we can keep this presentation at 30 mins
![Page 27: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/27.jpg)
Battle Royale: Suricata vs. Snort The main event
© 2019 Proofpoint. All rights reserved
![Page 28: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/28.jpg)
What we’re going to look at
Test Name Description Suricata 5.0 Suricata 5.0, All ETPro Rules, AF_Packet Snort 2.9.15 (Single Instance) Snort 2.9.15, AF_Packet
• All ETPro Rules • Talos Community Only Rules • Talos Registered Rules
Snort 3.0 Beta , 1 Thread Snort 3.0 Beta, AF_Packet • Talos Community Only Rules • Talos Registered Rules
Snort 3.0 Beta MultiThread Snort 3.0 Beta, AF_Packet, • Talos Community Only Rules • Talos Registered Rules
![Page 29: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/29.jpg)
Notes on Snort Deployments
• Used all default compilation and configuration options except: • Disabled alert logging (which impacted performance when left on by default) • Ran in AF-Packet Mode • Focused only on compiled rules, did not include Shared Object Rules (but
those are not the same rules as the compiled ones, and adding them would negatively impact performance)
• Snort 3, we do not officially support that for ETPro yet, so only tested with Community and Registered Rules
• Same exact test traffic, same device used for Suri testing
29 © 2019 Proofpoint. All rights reserved
![Page 30: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/30.jpg)
Snort 2.9.15 vs. Suri 5 • Community (3900
sigs) • Registered
– (12195 sigs)
• ETPro All – (48k sigs)
• Suricata 5 – ETPro All – 48k sigs – *Note that Suricata
AF_Packet must have 2 Threads (one per interface). Cannot run AF_Packet in Single Mode
– ** Still Suricata is almost 5x faster than Snort if we factor this in!
30 © 2019 Proofpoint. All rights reserved
550
70 60 45
0
100
200
300
400
500
600
Mbp
s
Suricata 5.0 (48k Rules) Snort 2.9.15 (Community 3900 rules) Snort 2.9.15 Registered 12195 Snort 2.9.15 (ETPro 48k)
![Page 31: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/31.jpg)
Snort 3 Beta
• Community Rules – 3488
• Registered Rules – 12261
• Snort 3 MultiThread – Community Rules
• Suricata 5 – 48k rules
31 © 2019 Proofpoint. All rights reserved
550
150
100
0
100
200
300
400
500
600
Mbp
s
Suricata 5.0 (48k Rules) Snort 3.0 (Community 3488 rules) Snort 3.0 (Registered 12261 Rules) Suricata 3.0 16 Thread Community
Unstable
![Page 32: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/32.jpg)
Just the facts: Suricata vs. Snort
• Snort is ok for <300Mbps deployments, but really shows it’s age, particularly if deployed inline
• Multi-Instance of Snort is not equivalent to Suricata! – Much more complex configuration, requires more expensive hardware, more difficult to operate
and troubleshoot, lots of output logs to monitor. Simply no comparison to Suricata!
• Snort 3: – Has been in alpha / beta for ~5+ years, development started in 2005!* – Lots of dependencies, build process poorly documented – Multi-thread doesn’t appear stable for AFPacket – Performance is lower head to head – Suricata has overtaken Snort on features, stability, release velocity *Source: Marty Roesch, CanSecWest 2008: https://cansecwest.com/csw08/csw08-roesch.pdf
: https://blog.snort.org/2014/12/introducing-snort-30.html
32 © 2019 Proofpoint. All rights reserved
![Page 33: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/33.jpg)
Summary
© 2019 Proofpoint. All rights reserved
![Page 34: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/34.jpg)
In Summary
• Suricata performance is rock solid and scalable even as new features are introduced
• Most features have minimal impact on performance
• Rule performance is very scalable, so long as you have high quality rules
• Suricata dramatically beats Snort in performance and rule scale, Snort 3 does not appear ready for primetime
• Many more tests and scenarios we want to evaluate!
34 © 2019 Proofpoint. All rights reserved
![Page 35: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/35.jpg)
© 2019 Proofpoint. All rights reserved 35
![Page 36: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/36.jpg)
Appendix Including full results from Suricon 2017
© 2019 Proofpoint. All rights reserved
![Page 37: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/37.jpg)
Test Matrix
Test Name Description Suricata Version Perf Comparison
Same Config, test on Suricata 2.0.9, 3.0.2, 3.2.4, and 4.0.1
ETPro Rule Impact 1 Rule, 12,000 Rules, 37,000 Rules Suricata mode performance
AutoFP vs. Workers
Suricata Thread Count Performance
1, 2, 4, 8, 16 send/receive thread performance (so 2, 4, 8, 16, 32 threads total)
Pattern Matching Algorithm
AC, AC-BS, AC-KS, Hyperscan
Detect Engine Profile Low, Med, High, Custom (Documented High Performance) GCC Native Arch On/Off
Note that aside from Suricata version performance test, all other tests are on 4.0.1
![Page 38: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/38.jpg)
Test Matrix continued 2
Test Name Description File Logging Enable File Logging and test impact File Store Enable File Store and test impact Rolling PCAP Enable Packet Capture and test impact Statistics Enable Statistics and test impact Profiling Enable Rule/Packet/Engine profling and test impact Alert Logging Enable Alert Logging with extended fields for DNS/HTTP/SSL/SSH/SMTP/
Packet Logging Network Profile Logging Enable DNS/HTTP/SSL logging and test performance impact
Note that aside from Suricata version performance test, all other tests are on 4.0.1
![Page 39: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/39.jpg)
Test Matrix continued 3
Test Name Description Lua Enable Lua with ET Lua Rules / Scripts and test impact LuaJIT Enable LuaJIT with ET Lua Rules/Scripts and test impact PCRE-JIT Enable PCRE-JIT and test performance Rust Enable rust and separately enable rust experimental parses and test
performance HomeNet Any Set HomeNet to Any and test impact Enable IP Reputation Enable IP Reputation w/ET Intel replist and test performance Bypass Rule Impact Configure a bypass rule to bypass majority of sessions and test impact Pass Rule Impact Configure a pass rule to bypass majority of sessions and test impact Rule Thresholding Enable Rule Threshold and test impact
Note that aside from Suricata version performance test, all other tests are on 4.0.1
![Page 40: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/40.jpg)
Results!
![Page 41: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/41.jpg)
Test Methodology Overview: HW
• Traffic Generation Equipment: Ixia PerfectStorm1 Fusion • Dell PowerEdge R710
– 2x 8-Core Intel(R) Xeon(R) CPU L5520 @ 2.27GHz – 64GB RAM DDR3 1600Mhz – 4 port Broadcom NetExtreme II Gbit Interface Card
![Page 42: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/42.jpg)
Test Methodology Overview: SW
• Ubuntu 15.1 • Suricata 4.0.1 (various versions/configs)
– AF_Packet Mode • ETPro Signature Pack 11/8/2017 (final
tests) • Ixia 7.9 / Breakingpoint 3.5.0
*Note that we do test different versions of Suricata, but this is the base version.
![Page 43: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/43.jpg)
Test Topology
2x direct connect 1Gbps Interfaces
Out of Band Management
Laptop for Executing Tests
![Page 44: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/44.jpg)
Test Methodology
• Controls: – Same traffic profile – Same HW/OS – Same method to identify breakingpoint – Canary Traffic – Each test we run up to 1Gbps in each direction (max 2Gbps) plus Canary Traffic – Suricata Version, Base Configuration, Signature Set • *Except in specific tests which measure these configurations.
• Steps: – Compile and/or Configure Suricata based on given test. – Run Ixia Test – Collect Results – Restart Suricata for next test (fresh process each round.)
![Page 45: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/45.jpg)
Test Traffic Description • Ixia features over 3k Applications/Protocols, including real world apps. Traffic is generated at test setup, and is rich in
content, and also varied.
• Ensures that you are not just replaying the same traffic over and over, while giving tester complete control of crafting the test and measuring the results.
• Protocols / Distribution (in BW) – SSL: 32%
– Skype: 3%
– HTTP Text: 7%
– Pandora 4%
– NTP: .5%
– DNS 2%
– HTTP Video: 11%
– SMTP: 11%
– NetFlix: 11%
– SSH: 2%
– Video Call/Conference: 10%
– HTTP Audio: 4%
– FTP: 2.5%
• Canary Test Traffic – Continuously trigger 2018885 (Windows XP Command.exe Shell Connection) throughout tests (Suricata set to drop) to ensure active
detection.
![Page 46: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/46.jpg)
Baseline Suricata Configuration
• Suricata 4.0.1, default compilation
• AF_Packet, 16 traffic threads (8 send / 8 receive)
• Only fast logging, no pcap, filestore, or debug
• No profiling
• AC pattern matching, detection profile medium
• All stock flow settings
![Page 47: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/47.jpg)
Suricata ETPro Policy
• All ETPro Signatures (11/8/2017) enabled in alert mode except categories: – Policy – Decoder Events
• Roughly 37,000 Signatures
• Canary Signature 2018885 set to Drop to ensure that detection is active.
![Page 48: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/48.jpg)
Suricata Version Performance Comparison
150
400
550
1070
700
0
200
400
600
800
1000
1200
Mbp
s
Suricata 2.0.9 Suricata 3.0.2 Suricata 3.2.4 Suricata 4.0.1 Suricata 4.0.1 --disable-gccmarch-native
![Page 49: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/49.jpg)
Pattern Matching Algorithm Selection
1070
725
1200
1050
1150
0
200
400
600
800
1000
1200
1400
Mbp
s
AC AC-BS AC-KS HS PCRE-JIT
![Page 50: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/50.jpg)
Suricata Thread Count Performance Impact
500
770 813
945
1070
850
0
200
400
600
800
1000
1200
MB
PS
1 Send/Receive 2 Send/Receive 4 Send/Receive
8 Send/Receive 16 Send/Receive 32 Send/Receive
![Page 51: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/51.jpg)
Run Mode AutoFP vs. Workers
1070
575
0
200
400
600
800
1000
1200
MB
PS
AutoFP 16 Threads Workers 16 Threads
![Page 52: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/52.jpg)
Comparing Detect Engine Profiles
900
1070
850 900
0
200
400
600
800
1000
1200
Mbp
s
Low Medium High Custom-High
![Page 53: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/53.jpg)
ETPro RuleSet Size Perf Impact
1200
1050 1070
915
1070
0
200
400
600
800
1000
1200
1400
MB
PS
1 Rule 12k Rules 37k Rules HomeNet ANY Thresholding Enabled
![Page 54: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/54.jpg)
Lua, LuaJIT, IPRep 1070
970
1005
920
940
960
980
1000
1020
1040
1060
1080
Mbp
s
Baseline Lua LuaJIT
![Page 55: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/55.jpg)
Suricata Performance w/Logging/FileExtract/PCAP
1070
350
980
700
550
0
200
400
600
800
1000
1200
Mbp
s
Standard File Logging File Store (HTTP Only) PCAP-AutoFP PCAP-Workers
![Page 56: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/56.jpg)
Stats, Alert Logging, Network Profiling
1070
800
980 980
0
200
400
600
800
1000
1200
MB
PS
Baseline Network Profiling Alert Logging Alert Logging with Packet Data
![Page 57: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging](https://reader033.fdocuments.us/reader033/viewer/2022051912/60028667c6abae0f6440b44c/html5/thumbnails/57.jpg)
Rust!
1070
1010
960
900
920
940
960
980
1000
1020
1040
1060
1080
Mbp
s
Baseline Rust Rust w/Experimental Parsers