Discussion:
Hardware Acceleration / Suricata
Dan Murphy
2013-04-30 18:17:04 UTC
I'd be interested to know how the experiences have been of those of you
running a hardware accelerated Suricata .. be it via Napatech, Endace
etc... What kind of rates you're getting (yes, I realize that greatly
depends on ruleset; any data is more than the zero data I have now). What
exactly is accelerated (like, is it just pcap or pattern matching as well).

I guess .. any recommendations in general would be greatly appreciated.


cheers,
Dan
rmkml
2013-04-30 20:25:42 UTC
Hi Dan,

First, thanks to all community devs/users.

That's a very (old) good question! (hardware/software)

Depends if you need IDS or IPS/inline mode...

hardware accelerated / software accelerated = comparing price/results?

software with e.g. pfring/afpacket and suricata = around 10Gbps in IDS
mode on classical x86_64 cpus...

or hardware (40Gbps) libpcap accelerated like endace/emulex or napatech or
npulse ... (+x86_64 cpus)

or full hardware accelerated like tilera TILExtreme-Gx at 160Gbps... (all not tested)

Future: Suricata accelerated by GPU?

Regards
Rmkml

https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/
http://packetchaser.org/index.php/opensource/suricata-10gbps
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Endace_DAG
http://suricata-ids.org/2012/12/21/oisf-welcomes-tilera-as-a-gold-level-consortium-member/
Dan Murphy
2013-04-30 20:32:54 UTC
1.) IDS

2.) I'm not worried about price as that's usually different depending on
your purchasing power anyway

3.) I looked into the GPU / CUDA stuff and it seemed to me ( anyone feel
free to correct me ) consensus was that it wasn't really much of a gain in
performance at this point and probably wasn't ready for primetime... I'm
eager to be proven wrong on that though ;)


Thanks,
Dan
Dan Murphy
2013-04-30 20:35:45 UTC
And I would add to that... It would be handy to know which vendors force
you into their own branch of suricata hence losing you the freedom to
download the latest version and recompile features in as needed.


Thanks,
Dan
Randy Caldejon
2013-05-01 00:34:30 UTC
Hi Dan,

nPulse, which is the company that I am associated with, implemented and contributed the support for Napatech adapters. It is part of the main branch and available to all. I believe the same is true for Endace.

As a side note, Tom DeCanio, who used to work for Tilera (and is now with nPulse), also did a port for Tilera (www.tilera.com). I believe that code will be making its way to the main branch eventually.

-- Randy
_______________________________________________
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
OISF: http://www.openinfosecfoundation.org/