Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980...

57
Suricon 2019 Suricata Performance Testing Redux © 2019 Proofpoint. All rights reserved Brad Woodberg – Product Manager – Emerging Threats [email protected]

Transcript of Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980...

Page 1: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

Suricon 2019 Suricata Performance Testing

Redux

© 2019 Proofpoint. All rights reserved

Brad Woodberg – Product Manager – Emerging Threats [email protected]

Page 2: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

Agenda

• Intro / Recap • Methodology • New Tests, New Results • Battle Royale: Suricata vs. Snort 2 and Snort 3 • Summary

Page 3: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

What we learned from last time A very brief recap

© 2019 Proofpoint. All rights reserved

Page 4: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

Key Findings from Suricon 2017

• We performed over 23 distinct test scenarios for Suricon 2017, results in appendix (to be included in posted copy)

• Here are a few of the key findings related to performance we learned at the time

Page 5: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

1. Suricata Gets better with age!

150

400

550

1070

700

0

200

400

600

800

1000

1200

Mbp

s

Suricata 2.0.9 Suricata 3.0.2 Suricata 3.2.4 Suricata 4.0.1 Suricata 4.0.1 --disable-gccmarch-native

Page 6: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

2. Suricata Scales Nicely!

500

770 813

945

1070

850

0

200

400

600

800

1000

1200

MB

PS

1 Send/Receive 2 Send/Receive 4 Send/Receive

8 Send/Receive 16 Send/Receive 32 Send/Receive

And scales nicely as long as you have available cores (16 in this example)

Page 7: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

3. Most features have negligible impact on performance

1070 1000 980 980

800

700

900

350

0

200

400

600

800

1000

1200

MB

PS

Baseline Statistics Alert Logging Alert Logging with Packet Data Network Profiling Rolling PCAP FileStore (HTTP) File Logging (All)

•  Network Profiling logged all DNS/HTTP/SSL transactions •  File Store only matched on select HTTP files, while file logging logged all

files on all protocols

Page 8: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

Key Areas of interest from the Community

• What about the latest and greatest versions of Suricata? – Suricata 4.1 and Suricata 5.0 (including new feature perf) – Hyperscan on modern processing

• How do rulesets and signatures impact performance?

• How does Suri differ from Snort with respect to performance?

Page 9: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

Test Methodology: Suricon 2019

© 2019 Proofpoint. All rights reserved

Page 10: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

Test Methodology Overview: HW

• Traffic Generation Equipment: Ixia PerfectStorm1 Fusion • Dell PowerEdge R730

– 2 x 14-core Intel(R) Xeon(R) CPU E5-2680 v4 @ 2.40GHz • We limit thread count to match generation HW

– 64GB RAM DDR4 2400Mhz – 4 port Intel 1Gbit I350 Interface Card

Page 11: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

Test Methodology Overview: SW

• Ubuntu 16.04 • Suricata (various), Snort • AF_Packet Mode • ETPro Signature Pack 10/15/2019 (final tests)

• Latest Snort rules download on 10/15/2019

• Breakingpoint 8.4.0

Page 12: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

Test Topology

2x direct connect 1Gbps Interfaces

Out of Band Management

Laptop for Executing Tests

Page 13: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

Test Methodology

•  Controls: –  Same traffic profile –  Same HW/OS –  Same method to identify breakingpoint –  Canary Traffic –  Each test we run up to 1Gbps in each direction (max 2Gbps) plus Canary Traffic –  Suricata Version, Base Configuration, Signature Set •  *Except in specific tests which measure these configurations.

•  Steps: –  Compile and/or Configure Suricata / Snort based on given test. –  Run Ixia Test –  Collect Results –  Restart Suricata / Snort for next test (fresh process each round.)

Page 14: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

Test Traffic Description •  Ixia features over 3k Applications/Protocols, including real world apps. Traffic is generated at test setup, and is rich in

content, and also varied.

•  Ensures that you are not just replaying the same traffic over and over, while giving tester complete control of crafting the test and measuring the results.

•  Protocols / Distribution (in BW) –  SSL: 32%

–  Skype: 3%

–  HTTP Text: 7%

–  Pandora 4%

–  NTP: .5%

–  DNS 2%

–  HTTP Video: 11%

–  SMTP: 11%

–  NetFlix: 11%

–  SSH: 2%

–  Video Call/Conference: 10%

–  HTTP Audio: 4%

–  FTP: 2.5%

•  Canary Test Traffic –  Continuously trigger 2018885 (Windows XP Command.exe Shell Connection) throughout tests (Suricata set to drop) to ensure active

detection.

Page 15: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

Traffic Ramp Profile •  We use a stair-step approach

to continuously increase the load/session rate of the system. We fully open/transmit data/close sessions.

•  Every Second we increase the session setup rate by 65 up to 3 mins

Page 16: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

Baseline Suricata Configuration

•  Suricata 5.0.0, default compilation

•  AF_Packet, 8 traffic threads (4 send / 4 receive)

•  Only Eve logging, no pcap, filestore, or debug

•  No profiling

•  All stock flow settings for Suricata 5.0 –  Hyperscan –  Rust –  Medium Detection Profile

Page 17: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

Suricata ETPro Policy

•  All ETPro Signatures (10/15/2019) enabled in alert mode –  Roughly 48,000 Signatures

•  Canary Signature 2018885 set to Drop to ensure that detection is active.

Page 18: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

Determining Breakingpoint

•  We want to identify the maximum performance at which Suricata is operating at it’s full capacity.

•  Ensure the following: –  Consistent Performance –  No Packet Loss –  No Session setup or Application Transaction Failures –  Suricata’s detect is not degraded (e.g. repeated canary attack to make sure Suricata is not missing traffic.)

•  Once breakingpoint is found (above), we identify the highest performance observed prior to that point. –  While Suricata can go much higher, it will have real world impacts. We’re not concerned about absolute

performance numbers, but more around rate of change.

•  Run each test 3 times and pick the median performance result

Page 19: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

Determining Breakingpoint

•  Example Scenarios

•  Flow Exceptions •  Application

Transaction Failure

•  Attacks not blocked

Page 20: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

We will publish all test reports!

•  I got special permission from Ixia/Breakingpoint this year that we can share the full test results (including the Breakingpoint test configs if you have a Breakingpoint to recreate the traffic).

• Over 3GB of Test Reports in PDF format, everything you ever wanted to know about Suricata Performance Testing and much more! –  Including reports from all tests in 2017 and 2019

• Will provide the location after talk and update this presentation for posting with the location.

20 © 2019 Proofpoint. All rights reserved

Page 21: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

That was then, this is now New Tests, New Results, New Insights

© 2019 Proofpoint. All rights reserved

Page 22: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

What we’re going to look at

Test Name Description Suricata Version Impact

Pick up where we left off by testing Suricata 4.0, 4.1, and 5.0

Hyperscan Impact Retest Hyperscan impact on performance w/Suricata 5.0 Optimized Rules How ETPro optimized rules impact performance Rule Counts and Performance

How the quantity of rules impacts performance

Poorly Written Rules How rules that are poorly written can have a big impact on performance

Page 23: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

Contemporary Suricata Performance

1590

1400

1500

1070

0

200

400

600

800

1000

1200

1400

1600

1800

Mbp

s

Suricata 4.0 (HS) Suricata 4.1 (HS) Suricata 5.0 (HS) Suricata 5.0 (AC)

•  Note, the slight performance drop from 4.0 to 4.1 is likely due to the shift to Rust being on by default (but very worth the extra security!)

•  Hyperscan provides a large performance boost over stock Aho-Corasick!

Page 24: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

Optimized Rule Versions and Performance (Suricata 5.0)

1220

1400

1500

0

200

400

600

800

1000

1200

1400

1600

Mbp

s Suricata 2.0 Optimized Suricata 4.0 Optimized Suricata 5.0 Optimized)

Suricata 5.0 optimized ruleset also includes JA3 rules not in Suricata 2 or 4 optimized rulesets

Page 25: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

Rule Quantity Impact on Perf

1600 1560

1500 1500

0

200

400

600

800

1000

1200

1400

1600

1800

Mbp

s Suricata 5.0 (No Rules) Suricata 5.0 (10k Rules) Suricata 5.0 (25k Rules) Suricata 5.0 (All ETPro Rules)

Page 26: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

Tip your Sig Writers!

•  Writing bad signatures can have a bigger impact than the quantity of rules

All Rules, 1500

All Rules + 4 - Urgent 11 Packet Sigs, 1320

All Rules + Unanchored PCRE, 1200

All Rules + No Anchor, 1400

All Rules + Bad Content Match, 1480

0

200

400

600

800

1000

1200

1400

1600

Mbp

s

alert tcp any any -> any any (flags: U+; msg: "OS-VXWORKS - Use of Urgent Flag might indicate potential attempt to exploit an Urgent11 RCE vulnerability"; classtype:attempted-admin; reference:cve,2019-12255; reference:cve,2019-12260; reference:cve,2019-12261; reference:cve,2019-12263; reference:url,armis.com/urgent11; rev: 1; sid:1000002;) alert tcp any any -> any any (flags: SUF+; msg: "OS-VXWORKS Illegal use of Urgent pointer - Potential attempt to exploit an Urgent11 RCE vulnerability"; classtype:attempted-admin; reference:cve,2019-12255; reference:cve,2019-12260; reference:cve,2019-12261; reference:cve,2019-12263; reference:url,armis.com/urgent11; rev: 1; sid:1000001;) alert ip any any -> any any (ipopts: lsrr; msg: "OS-VXWORKS Use of LSRR option, potential attempt to exploit an Urgent11 RCE vulnerability"; reference:cve,2019-12256; classtype:attempted-admin; reference:url,armis.com/urgent11; rev: 1; sid:1000003;) alert ip any any -> any any (ipopts: ssrr; msg: "OS-VXWORKS Use of SSRR option, potential attempt to exploit an Urgent11 RCE vulnerability"; reference:cve,2019-12256; classtype:attempted-admin; reference:url,armis.com/urgent11; rev: 1; sid:1000004;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GetFired for Terrible Unanchored PCRE"; pcre:"/\/api\.php\?id=\d{1,2}$/"; classtype:trojan-activity; sid:1; rev:2; )

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"GetFired for Terrible PCRE"; pcre:"/\/api\.php\?id=\d{1,2}$/"; classtype:trojan-activity; sid:1; rev:2; ) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:“Bad Content Match"; content:"/"; http_uri; pcre:"/\/api\.php\?id=\d{1,2}$/"; classtype:trojan-activity; sid:1; rev:2; )

I have a ton more test results including from new features like Suricata Rule Transforms, File Store, and other bad signature scenarios. Will post the test results with the deck so we can keep this presentation at 30 mins

Page 27: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

Battle Royale: Suricata vs. Snort The main event

© 2019 Proofpoint. All rights reserved

Page 28: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

What we’re going to look at

Test Name Description Suricata 5.0 Suricata 5.0, All ETPro Rules, AF_Packet Snort 2.9.15 (Single Instance) Snort 2.9.15, AF_Packet

•  All ETPro Rules •  Talos Community Only Rules •  Talos Registered Rules

Snort 3.0 Beta , 1 Thread Snort 3.0 Beta, AF_Packet •  Talos Community Only Rules •  Talos Registered Rules

Snort 3.0 Beta MultiThread Snort 3.0 Beta, AF_Packet, •  Talos Community Only Rules •  Talos Registered Rules

Page 29: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

Notes on Snort Deployments

• Used all default compilation and configuration options except: • Disabled alert logging (which impacted performance when left on by default) • Ran in AF-Packet Mode •  Focused only on compiled rules, did not include Shared Object Rules (but

those are not the same rules as the compiled ones, and adding them would negatively impact performance)

•  Snort 3, we do not officially support that for ETPro yet, so only tested with Community and Registered Rules

•  Same exact test traffic, same device used for Suri testing

29 © 2019 Proofpoint. All rights reserved

Page 30: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

Snort 2.9.15 vs. Suri 5 •  Community (3900

sigs) •  Registered

–  (12195 sigs)

•  ETPro All –  (48k sigs)

•  Suricata 5 –  ETPro All –  48k sigs –  *Note that Suricata

AF_Packet must have 2 Threads (one per interface). Cannot run AF_Packet in Single Mode

–  ** Still Suricata is almost 5x faster than Snort if we factor this in!

30 © 2019 Proofpoint. All rights reserved

550

70 60 45

0

100

200

300

400

500

600

Mbp

s

Suricata 5.0 (48k Rules) Snort 2.9.15 (Community 3900 rules) Snort 2.9.15 Registered 12195 Snort 2.9.15 (ETPro 48k)

Page 31: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

Snort 3 Beta

• Community Rules –  3488

• Registered Rules –  12261

•  Snort 3 MultiThread –  Community Rules

•  Suricata 5 –  48k rules

31 © 2019 Proofpoint. All rights reserved

550

150

100

0

100

200

300

400

500

600

Mbp

s

Suricata 5.0 (48k Rules) Snort 3.0 (Community 3488 rules) Snort 3.0 (Registered 12261 Rules) Suricata 3.0 16 Thread Community

Unstable

Page 32: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

Just the facts: Suricata vs. Snort

•  Snort is ok for <300Mbps deployments, but really shows it’s age, particularly if deployed inline

•  Multi-Instance of Snort is not equivalent to Suricata! –  Much more complex configuration, requires more expensive hardware, more difficult to operate

and troubleshoot, lots of output logs to monitor. Simply no comparison to Suricata!

•  Snort 3: –  Has been in alpha / beta for ~5+ years, development started in 2005!* –  Lots of dependencies, build process poorly documented –  Multi-thread doesn’t appear stable for AFPacket –  Performance is lower head to head –  Suricata has overtaken Snort on features, stability, release velocity *Source: Marty Roesch, CanSecWest 2008: https://cansecwest.com/csw08/csw08-roesch.pdf

: https://blog.snort.org/2014/12/introducing-snort-30.html

32 © 2019 Proofpoint. All rights reserved

Page 33: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

Summary

© 2019 Proofpoint. All rights reserved

Page 34: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

In Summary

•  Suricata performance is rock solid and scalable even as new features are introduced

•  Most features have minimal impact on performance

•  Rule performance is very scalable, so long as you have high quality rules

•  Suricata dramatically beats Snort in performance and rule scale, Snort 3 does not appear ready for primetime

•  Many more tests and scenarios we want to evaluate!

34 © 2019 Proofpoint. All rights reserved

Page 35: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

© 2019 Proofpoint. All rights reserved 35

Page 36: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

Appendix Including full results from Suricon 2017

© 2019 Proofpoint. All rights reserved

Page 37: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

Test Matrix

Test Name Description Suricata Version Perf Comparison

Same Config, test on Suricata 2.0.9, 3.0.2, 3.2.4, and 4.0.1

ETPro Rule Impact 1 Rule, 12,000 Rules, 37,000 Rules Suricata mode performance

AutoFP vs. Workers

Suricata Thread Count Performance

1, 2, 4, 8, 16 send/receive thread performance (so 2, 4, 8, 16, 32 threads total)

Pattern Matching Algorithm

AC, AC-BS, AC-KS, Hyperscan

Detect Engine Profile Low, Med, High, Custom (Documented High Performance) GCC Native Arch On/Off

Note that aside from Suricata version performance test, all other tests are on 4.0.1

Page 38: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

Test Matrix continued 2

Test Name Description File Logging Enable File Logging and test impact File Store Enable File Store and test impact Rolling PCAP Enable Packet Capture and test impact Statistics Enable Statistics and test impact Profiling Enable Rule/Packet/Engine profling and test impact Alert Logging Enable Alert Logging with extended fields for DNS/HTTP/SSL/SSH/SMTP/

Packet Logging Network Profile Logging Enable DNS/HTTP/SSL logging and test performance impact

Note that aside from Suricata version performance test, all other tests are on 4.0.1

Page 39: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

Test Matrix continued 3

Test Name Description Lua Enable Lua with ET Lua Rules / Scripts and test impact LuaJIT Enable LuaJIT with ET Lua Rules/Scripts and test impact PCRE-JIT Enable PCRE-JIT and test performance Rust Enable rust and separately enable rust experimental parses and test

performance HomeNet Any Set HomeNet to Any and test impact Enable IP Reputation Enable IP Reputation w/ET Intel replist and test performance Bypass Rule Impact Configure a bypass rule to bypass majority of sessions and test impact Pass Rule Impact Configure a pass rule to bypass majority of sessions and test impact Rule Thresholding Enable Rule Threshold and test impact

Note that aside from Suricata version performance test, all other tests are on 4.0.1

Page 40: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

Results!

Page 41: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

Test Methodology Overview: HW

• Traffic Generation Equipment: Ixia PerfectStorm1 Fusion • Dell PowerEdge R710

– 2x 8-Core Intel(R) Xeon(R) CPU L5520 @ 2.27GHz – 64GB RAM DDR3 1600Mhz – 4 port Broadcom NetExtreme II Gbit Interface Card

Page 42: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

Test Methodology Overview: SW

• Ubuntu 15.1 • Suricata 4.0.1 (various versions/configs)

– AF_Packet Mode • ETPro Signature Pack 11/8/2017 (final

tests) •  Ixia 7.9 / Breakingpoint 3.5.0

*Note that we do test different versions of Suricata, but this is the base version.

Page 43: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

Test Topology

2x direct connect 1Gbps Interfaces

Out of Band Management

Laptop for Executing Tests

Page 44: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

Test Methodology

•  Controls: –  Same traffic profile –  Same HW/OS –  Same method to identify breakingpoint –  Canary Traffic –  Each test we run up to 1Gbps in each direction (max 2Gbps) plus Canary Traffic –  Suricata Version, Base Configuration, Signature Set •  *Except in specific tests which measure these configurations.

•  Steps: –  Compile and/or Configure Suricata based on given test. –  Run Ixia Test –  Collect Results –  Restart Suricata for next test (fresh process each round.)

Page 45: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

Test Traffic Description •  Ixia features over 3k Applications/Protocols, including real world apps. Traffic is generated at test setup, and is rich in

content, and also varied.

•  Ensures that you are not just replaying the same traffic over and over, while giving tester complete control of crafting the test and measuring the results.

•  Protocols / Distribution (in BW) –  SSL: 32%

–  Skype: 3%

–  HTTP Text: 7%

–  Pandora 4%

–  NTP: .5%

–  DNS 2%

–  HTTP Video: 11%

–  SMTP: 11%

–  NetFlix: 11%

–  SSH: 2%

–  Video Call/Conference: 10%

–  HTTP Audio: 4%

–  FTP: 2.5%

•  Canary Test Traffic –  Continuously trigger 2018885 (Windows XP Command.exe Shell Connection) throughout tests (Suricata set to drop) to ensure active

detection.

Page 46: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

Baseline Suricata Configuration

•  Suricata 4.0.1, default compilation

•  AF_Packet, 16 traffic threads (8 send / 8 receive)

•  Only fast logging, no pcap, filestore, or debug

•  No profiling

•  AC pattern matching, detection profile medium

•  All stock flow settings

Page 47: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

Suricata ETPro Policy

•  All ETPro Signatures (11/8/2017) enabled in alert mode except categories: –  Policy –  Decoder Events

•  Roughly 37,000 Signatures

•  Canary Signature 2018885 set to Drop to ensure that detection is active.

Page 48: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

Suricata Version Performance Comparison

150

400

550

1070

700

0

200

400

600

800

1000

1200

Mbp

s

Suricata 2.0.9 Suricata 3.0.2 Suricata 3.2.4 Suricata 4.0.1 Suricata 4.0.1 --disable-gccmarch-native

Page 49: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

Pattern Matching Algorithm Selection

1070

725

1200

1050

1150

0

200

400

600

800

1000

1200

1400

Mbp

s

AC AC-BS AC-KS HS PCRE-JIT

Page 50: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

Suricata Thread Count Performance Impact

500

770 813

945

1070

850

0

200

400

600

800

1000

1200

MB

PS

1 Send/Receive 2 Send/Receive 4 Send/Receive

8 Send/Receive 16 Send/Receive 32 Send/Receive

Page 51: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

Run Mode AutoFP vs. Workers

1070

575

0

200

400

600

800

1000

1200

MB

PS

AutoFP 16 Threads Workers 16 Threads

Page 52: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

Comparing Detect Engine Profiles

900

1070

850 900

0

200

400

600

800

1000

1200

Mbp

s

Low Medium High Custom-High

Page 53: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

ETPro RuleSet Size Perf Impact

1200

1050 1070

915

1070

0

200

400

600

800

1000

1200

1400

MB

PS

1 Rule 12k Rules 37k Rules HomeNet ANY Thresholding Enabled

Page 54: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

Lua, LuaJIT, IPRep 1070

970

1005

920

940

960

980

1000

1020

1040

1060

1080

Mbp

s

Baseline Lua LuaJIT

Page 55: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

Suricata Performance w/Logging/FileExtract/PCAP

1070

350

980

700

550

0

200

400

600

800

1000

1200

Mbp

s

Standard File Logging File Store (HTTP Only) PCAP-AutoFP PCAP-Workers

Page 56: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

Stats, Alert Logging, Network Profiling

1070

800

980 980

0

200

400

600

800

1000

1200

MB

PS

Baseline Network Profiling Alert Logging Alert Logging with Packet Data

Page 57: Suricata Performance Redux · 3. Most features have negligible impact on performance 1070 1000 980 980 800 700 900 350 0 200 400 600 800 1000 1200 MBPS Baseline Statistics Alert Logging

Rust!

1070

1010

960

900

920

940

960

980

1000

1020

1040

1060

1080

Mbp

s

Baseline Rust Rust w/Experimental Parsers