OPNsense Forum

Archive => 20.7 Legacy Series => Topic started by: XeroX on May 09, 2020, 07:24:34 pm

Title: Hyperscan and IPS Policy
Post by: XeroX on May 09, 2020, 07:24:34 pm
Hello there,
first of all thx for all the time you invest in development.

Is it possible to get an upgrade of hyperscan? 4.7.0 is more than 3 years old and hyperscan got some performance improvements over time with currently 5.2.1.

5.0.0 is supported with suricata: https://github.com/OISF/suricata/blob/master/doc/userguide/performance/hyperscan.rst

Right now you compile it with "core2" (SSE3), which results in not benefiting from SSE4.2, AVX2 and POPCNT (starting Haswell). This would improve performance further. Or do you compile with 'NATIVE'?

I'm not familiar with pkg mgmt, chances to get multiple configurations for that? Like choosing the appropriate hyperscan package?

https://github.com/intel/hyperscan/blob/90cd1863d64135323cae44606c6eff5fc76a1532/doc/dev-reference/getting_started.rst#fat-runtime

For ex. right now I've an "old" i3 which would support SSE4.2 and AVX2 (Released Q4/2014)
-------

Second question, snort rules have an ips policy within the file, right now "balanced" seems to be the default that's activated with snortrules-snapshot-29151.tar.gz (seems to work best with suricata 5.0.3). Any chances to get a field to choose which policy will be activated (beside the rules I've chosen myself)?

https://www.snort.org/faq/why-are-rules-commented-out-by-default


Quote
TL:DR
  • Update Hyperscan to 5.2.1
  • Compile Hyperscan to benefit from SSE4 and/or AVX2
  • Make use of policies in IDS/IPS Rulesets (balanced, max-detect, etc)


Thanks for reading and your hard work!
Title: Re: Hyperscan and IPS Policy
Post by: XeroX on May 10, 2020, 03:14:43 pm
Created a patch myself and wrote/sent the maintainer on FreeBSD Ports.

Got updated: https://github.com/freebsd/freebsd-ports/commit/c245ea082c9920167f214d9755d1c0138717afaf

 @franco
Do you compile releases with "core2" or "native" cflags? Which CPU do you use on the build machine?

EDIT: I saw you compile with "NATIVE":"off". Is it possible to get hyperscan with SSE4_2, POPCNT and AVX2 flags?
Title: Re: Hyperscan and IPS Policy
Post by: franco on May 11, 2020, 05:32:28 am
Hi,

No, NATIVE breaks inter-CPU portability. In this regard Hyperscan is already a pretty mess even without "native" CPU support.

Native support should always be compiled locally.


Cheers,
Franco
Title: Re: Hyperscan and IPS Policy
Post by: XeroX on May 11, 2020, 12:52:09 pm
Okay thank you!

How can I install ports on OPNsense? or get postsnap?

Downloading the Repo as ZIP and trying to recompile hyperscan gives me the following message:
===>  hyperscan-5.2.1 pkg(8) must be version 1.13.0 or greater, but you have

Did I miss something?


nvm, found it: https://docs.opnsense.org/manual/software_included.html
Title: Re: Hyperscan and IPS Policy
Post by: harshw on May 25, 2020, 07:30:49 pm

nvm, found it: https://docs.opnsense.org/manual/software_included.html

So what was needed was

Code:
opnsense-code ports tools
cd /usr/ports/devel/hyperscan/
make config
make reinstall

??

Will this pull in the latest hyperscan?

Were you able to set the config to native after 'make config' ?

And do you have any benchmarks for native vs core2? There's a hsbench utility but I believe this doesn't get installed ...
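
Added example (not part of any post in this thread, and not OPNsense or Hyperscan project code): before rebuilding the port locally with native CPU support, this sh script reports whether the CPU exposes the three extensions named in the thread (SSE4.2, POPCNT, AVX2) by parsing the feature lines FreeBSD logs at boot. The function names and the embedded sample are assumptions made for the example; the sample boot text is constructed, not taken from a real host.

```sh
#!/bin/sh
# Added example: list which Hyperscan-relevant CPU extensions FreeBSD detected.

# Constructed sample in the layout FreeBSD prints at boot (not from a real host).
SAMPLE_DMESG='CPU: Example CPU (constructed sample)
  Features=0xbfebfbff<FPU,VME,MMX,FXSR,SSE,SSE2,HTT>
  Features2=0x7fdafbbf<SSE3,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AESNI,XSAVE,AVX>
  Structured Extended Features=0x27ab<FSGSBASE,BMI1,AVX2,SMEP,BMI2>'

# cpu_flags: read boot messages on stdin, print one detected flag per line.
cpu_flags() {
    grep -E '^[[:space:]]*(AMD |Structured Extended )?Features[0-9]*=0x' |
        sed -e 's/^[^<]*<//' -e 's/>.*$//' |
        tr ',' '\n'
}

# has_flag FLAG: succeed only if FLAG appears as a whole token on stdin,
# so that AVX is never mistaken for AVX2.
has_flag() {
    cpu_flags | grep -Fxq -- "$1"
}

# report: print "FLAG yes|no" for each extension discussed in the thread.
report() {
    input=$(cat)
    for flag in SSE4.2 POPCNT AVX2; do
        if printf '%s\n' "$input" | has_flag "$flag"; then
            echo "$flag yes"
        else
            echo "$flag no"
        fi
    done
}

# Use the real boot log when present (FreeBSD/OPNsense), else the sample.
if [ -r /var/run/dmesg.boot ]; then
    report < /var/run/dmesg.boot
else
    printf '%s\n' "$SAMPLE_DMESG" | report
fi
```

A "no" for any flag means a package built for that extension on another machine would not run on this CPU, which is the portability concern raised earlier in the thread.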
Title: Re: Hyperscan and IPS Policy
Post by: franco on May 26, 2020, 07:41:35 am
The latest Hyperscan is already included in 20.1.7.


Cheers,
Franco