Hi all,
Suricata 4.0 is out and I asked Franco to build it for 17.7. It will not be included in the stable version but it can be installed via the shell by running the following command:
pkg install https://pkg.opnsense.org/snapshots/suricata-4.0.0.txz
In a short test it still works without changing the GUI. Note: If you have Suricata running, you will have to restart it after installation. You can do that in the GUI.
Hi
I've just tried that on my 17.7R2 and got the following:
root@OPNsense:~ # pkg install https://pkg.opnsense.org/snapshots/suricata-4.0.0.txz
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
pkg: No packages available to install matching 'https://pkg.opnsense.org/snapshots/suricata-4.0.0.txz' have been found in the repositories
The file does appear in the list if I browse to that address, have I missed something?
Almost...
# pkg add -f https://pkg.opnsense.org/snapshots/suricata-4.0.0.txz
Note this package is for amd64, and the current release version can be restored with:
# opnsense-revert suricata
Cheers,
Franco
Hi Franco
Thanks for that, it worked and is up and running. :) Anything specific in this version that we should be aware of?
Hi Bill,
I haven't gone through the list of changes in detail. The port update was very easy, the syntax gave no issues in the yaml, I'd say it's a straightforward update with small bits of numerous improvements in all areas:
https://github.com/inliniac/suricata/blob/b8428378ac6fb2365337ae765e19dfc0f4548e4a/ChangeLog#L1-L95
Cheers,
Franco
I'm hijacking this thread for a general-purpose call for testing. The port was just finished[1]. It seems to work just fine.
To install:
# pkg add -f https://pkg.opnsense.org/snapshots/suricata-4.0.0.txz
To revert:
# opnsense-revert suricata
Don't forget to restart Suricata for the new version to take effect.
Will a few more people on 17.7 amd64 ack/nak this version bump?
Cheers,
Franco
--
[1] https://github.com/opnsense/ports/commit/67e8ed627e
Hi Franco
There's a message displayed after the install:
You may want to try BPF in zerocopy mode to test performance improvements:
sysctl -w net.bpf.zerocopy_enable=1
Don't forget to add net.bpf.zerocopy_enable=1 to /etc/sysctl.conf
Is it suggested we apply that or just leave it as-is?
BPF is for PCAP mode (non-IPS). It doesn't hurt to try this setting, if it brings performance gains, but can also be safely ignored.
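An added example, not from the thread or from OPNsense, showing how to persist the net.bpf.zerocopy_enable setting the post-install message mentions without ending up with duplicate or conflicting lines in sysctl.conf. The function names (set_sysctl_conf, get_sysctl_conf, apply_zerocopy) are assumed; as Franco notes, the setting only matters for PCAP (non-IPS) mode.

```shell
#!/bin/sh
# Added example (assumed helper names, not OPNsense code): keep exactly one
# "KEY=VALUE" line for a sysctl key in a sysctl.conf-style file.

# set_sysctl_conf KEY VALUE FILE
# Replaces every existing "KEY = ..." line (whitespace around '=' ignored) with a
# single "KEY=VALUE" line, or appends one if the key is absent. Commented lines
# (starting with '#') are left untouched.
set_sysctl_conf() {
    key=$1; value=$2; file=$3
    [ -f "$file" ] || : > "$file"
    tmp=$(mktemp) || return 1
    found=0
    while IFS= read -r line || [ -n "$line" ]; do
        norm=$(printf '%s' "$line" | sed 's/[[:space:]]//g')   # compare without whitespace
        case $norm in
            "$key="*)
                if [ "$found" -eq 0 ]; then
                    printf '%s=%s\n' "$key" "$value"          # first hit: rewrite
                    found=1
                fi ;;                                           # later hits: dropped
            *) printf '%s\n' "$line" ;;
        esac
    done < "$file" > "$tmp"
    [ "$found" -eq 0 ] && printf '%s=%s\n' "$key" "$value" >> "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"                      # keeps file ownership/mode
}

# get_sysctl_conf KEY FILE: prints the value of the last effective KEY line.
get_sysctl_conf() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -E "^[[:space:]]*$esc[[:space:]]*=" "$2" | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//'
}

# apply_zerocopy FILE: persist the setting; apply it live only when root on FreeBSD.
apply_zerocopy() {
    set_sysctl_conf net.bpf.zerocopy_enable 1 "$1" || return 1
    if [ "$(id -u)" -eq 0 ] && [ "$(uname -s)" = FreeBSD ]; then
        sysctl -w net.bpf.zerocopy_enable=1
    fi
}
```

Run it as `apply_zerocopy /etc/sysctl.conf`; reverting is a matter of calling `set_sysctl_conf net.bpf.zerocopy_enable 0 /etc/sysctl.conf` and re-running sysctl.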
Quote from: franco on August 01, 2017, 02:26:52 PM
BPF is for PCAP mode (non-IPS). It doesn't hurt to try this setting, if it brings performance gains, but can also be safely ignored.
Thanks for that information. I'll try enabling it and see what happens but my server is lightly loaded anyway so I guess I won't see much difference, if any.
Running for a day now.. Seems to be working similarly to 3.x. Smooth transition.
I have And hardware,
any specific thing to test?
I can install it on a production system with a 1 Gbps connection.
Nothing special, just generally looking for positive feedback to upgrade. So far it looks seamless as far as 3.2.3 -> 4.0.0 goes.
Thanks,
Franco
Upgraded from 17.1.11 to 17.7 and Suricata 4.0.0. Went smoothly, no issues. apu2 AMD GX-412TC SOC (4 cores)
I'll get an ok from the core team just to be sure... I think it looks good for inclusion in 17.7.1.
Thank you all <3
Quote from: mw01 on August 03, 2017, 12:34:12 AM
Upgraded from 17.1.11 to 17.7 and Suricata 4.0.0. Went smoothly, no issues. apu2 AMD GX-412TC SOC (4 cores)
Did you test with bandwidth tests? Find a difference in performance when testing through your APU2? I experienced much better bandwidth performance with 4.* than with the 3.* series of Suricata.
Please let us know if you also experience less of a cap on your bandwidth with Suricata 4.*
Hi Guys,
I am buying new hardware for testing purposes.
What kind of NIC is advised for better performance?
What kind of NIC do you have now? A NIC won't necessarily give you better performance, but choosing a 'poor' NIC can reduce your throughput or fail to work. I'd suggest anything Intel (relatively recent model) would be fine. You can also check the FreeBSD lists/site for compatible hardware. You also haven't mentioned what kind of hardware you currently have. I'd also suggest you search through the forums for some threads/posts on this topic.
What I have right now:
Intel i5 3317U
8 GB of RAM
64 GB SSD disk (don't know if 120 GB is needed)
8 NICs, Intel 82583V Gigabit
Thank you
Yes, I have conducted bandwidth tests. I am still limited by ISP provisioning (~90 Mbps). What I have observed is lower CPU utilization with 4.0.0.
Quote from: mw01 on September 01, 2017, 01:01:58 PM
Yes, I have conducted bandwidth tests. I am still limited by ISP provisioning (~90 Mbps). What I have observed is lower CPU utilization with 4.0.0.
What about the speed?
I have ordered my new hardware and am still waiting for it; hopefully it will arrive next week.
What is your current internet speed? How much is it after you enable Suricata?
~90 Mbps, depending on time of day (with the "optimal" server at the other end).
Suricata is not the limiting factor. It's the ISP pipe. I have not performed testing with a Gb WAN connection. If I extrapolate CPU loading I might see another 30 Mbps or so.
Suricata loading is also a function of the rule set. The more you check the more the loading.
Hi Guys,
I have been using this for over 3 days now,
my speed really drops from 1000 Mbps to 90 Mbps when Suricata is on.
Hardware I am using is:
CPU: Intel® i5-3317U Dual Core, 4 Threads (1.8 GHz)
Chipset: Intel® HM65 Express Chipset
Memory: 1x SO-DIMM DDR3, 1333 MHz, 8 GB
HDD: Samsung SSD 950
Ethernet: 6x Intel® 82583V Gigabit Ethernet
Thank you