OPNsense Forum
Archive => 20.7 Legacy Series => Topic started by: XeroX on May 09, 2020, 07:24:34 pm
-
Hello there,
first of all thx for all the time you invest in development.
Is it possible to get an upgrade of Hyperscan? 4.7.0 is more than 3 years old and Hyperscan got some performance improvements over time, with 5.2.1 being the current version.
5.0.0 is supported with suricata: https://github.com/OISF/suricata/blob/master/doc/userguide/performance/hyperscan.rst
Right now you compile it with "core2" (SSE3), which results in not benefiting from SSE4.2, AVX2 and POPCNT (starting with Haswell). This would improve performance further. Or do you compile with 'NATIVE'?
I'm not familiar with pkg mgmt; any chance to get multiple configurations for that? Like choosing the appropriate Hyperscan package?
https://github.com/intel/hyperscan/blob/90cd1863d64135323cae44606c6eff5fc76a1532/doc/dev-reference/getting_started.rst#fat-runtime
For ex. right now I've an "old" i3 which would support SSE4.2 and AVX2 (Released Q4/2014)
-------
Second question: Snort rules have an IPS policy within the file; right now "balanced" seems to be the default that's activated with snortrules-snapshot-29151.tar.gz (seems to work best with suricata 5.0.3). Any chance to get a field to choose which policy will be activated (besides the rules I've chosen myself)?
https://www.snort.org/faq/why-are-rules-commented-out-by-default
TL;DR
- Update Hyperscan to 5.2.1
- Compile Hyperscan to benefit from SSE4 and/or AVX2
- Make use of policies in IDS/IPS rulesets (balanced, max-detect, etc.)
Thanks for reading and your hard work!
-
Created a patch myself and wrote/sent the maintainer on FreeBSD Ports.
Got updated: https://github.com/freebsd/freebsd-ports/commit/c245ea082c9920167f214d9755d1c0138717afaf
@franco
Do you compile releases with "core2" or "native" cflags? Which CPU do you use on the build machine?
EDIT: I saw you compile with "NATIVE":"off". Is it possible to get hyperscan with SSE4_2, POPCNT and AVX2 flags?
-
Hi,
No, NATIVE breaks inter-CPU portability. In this regard Hyperscan is already a pretty mess even without "native" CPU support.
Native support should always be compiled locally.
Cheers,
Franco
-
Okay thank you!
How can I install ports on OPNsense? Or get portsnap?
Downloading the Repo as ZIP and trying to recompile hyperscan gives me the following message:
===> hyperscan-5.2.1 pkg(8) must be version 1.13.0 or greater, but you have
Did I miss something?
nvm, found it: https://docs.opnsense.org/manual/software_included.html
-
nvm, found it: https://docs.opnsense.org/manual/software_included.html
So what was needed was
opnsense-code ports tools
cd /usr/ports/devel/hyperscan/
make config
make reinstall
??
Will this pull in the latest hyperscan?
Were you able to set the config to native after 'make config'?
And do you have any benchmarks for native vs core2? There's a hsbench utility but I believe this doesn't get installed ...
-
The latest Hyperscan is already included in 20.1.7.
Cheers,
Franco
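
One way to check on the host itself whether the CPU advertises the SSE4.2, POPCNT and AVX2 features asked about in this thread before rebuilding Hyperscan locally. This is an added example, not part of any post above; the function names and the sample dmesg text are constructed for illustration, and it assumes the `Features...=0x...<A,B,C>` line format of FreeBSD's `/var/run/dmesg.boot`.

```shell
#!/bin/sh
# Added example, not from the thread. Sample dmesg text below is constructed.

# Print NAME=yes|no for each CPU feature named in the thread, given
# FreeBSD dmesg.boot-style text on stdin.
hs_cpu_features() {
    # Keep only the comma-separated flag lists inside <...> on "Features" lines.
    flags=$(sed -n 's/^ *[A-Za-z0-9 ]*Features[0-9]*=0x[0-9a-f]*<\(.*\)>.*$/\1/p' | tr ',' '\n')
    for want in SSE4.2 POPCNT AVX2; do
        # -F: literal match (the dot in SSE4.2), -x: whole flag name only.
        if printf '%s\n' "$flags" | grep -Fxq -- "$want"; then
            echo "$want=yes"
        else
            echo "$want=no"
        fi
    done
}

# Exit status 0 when at least one feature beyond the core2 baseline is present,
# i.e. a locally compiled build could use instructions the portable one cannot.
hs_beyond_core2() {
    hs_cpu_features | grep -q '=yes$'
}

# Constructed sample: a CPU advertising all three features.
sample_new() {
    cat <<'EOF'
CPU: Example CPU A (constructed sample)
  Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,SSE,SSE2,SS,HTT>
  Features2=0x7fdafbbf<SSE3,SSSE3,FMA,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AESNI,XSAVE,AVX>
  Structured Extended Features=0x27ab<FSGSBASE,TSCADJ,BMI1,AVX2,SMEP,BMI2,ERMS>
EOF
}

# Constructed sample: a core2-class CPU with none of them.
sample_old() {
    cat <<'EOF'
CPU: Example CPU B (constructed sample)
  Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,SSE,SSE2,SS,HTT>
  Features2=0xe3bd<SSE3,DTES64,MON,DS_CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM>
EOF
}

# On a real FreeBSD/OPNsense host, read the boot-time CPU lines instead.
if [ -r /var/run/dmesg.boot ]; then
    hs_cpu_features < /var/run/dmesg.boot
else
    sample_new | hs_cpu_features
fi
```

As Franco notes above, a build that uses these instructions is tied to CPUs that have them, so the check belongs on the machine that will run the rebuilt package.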