Hello there,
first of all thx for all the time you invest in development.
Is it possible to get an upgrade of hyperscan? 4.7.0 is more than 3 years old and hyperscan got some performance improvements over time, with currently 5.2.1. 5.0.0 is supported with suricata: https://github.com/OISF/suricata/blob/master/doc/userguide/performance/hyperscan.rst
Right now you compile it with "core2" (SSE3), which results in not benefiting from SSE4.2, AVX2 and POPCNT (starting Haswell). This would improve performance further. Or do you compile with 'NATIVE'?
I'm not familiar with pkg mgmt, chances to get multiple configurations for that? Like choosing the appropriate hyperscan package?
https://github.com/intel/hyperscan/blob/90cd1863d64135323cae44606c6eff5fc76a1532/doc/dev-reference/getting_started.rst#fat-runtime
For ex. right now I've an "old" i3 which would support SSE4.2 and AVX2 (Released Q4/2014)
-------
Second question, snort rules have an ips policy within the file, right now "balanced" seems to be the default that's activated with snortrules-snapshot-29151.tar.gz (seems to work best with suricata 5.0.3). Any chances to get a field to choose which policy will be activated (beside the rules I've chosen myself)?
https://www.snort.org/faq/why-are-rules-commented-out-by-default
Quote
TL;DR
- Update Hyperscan to 5.2.1
- Compile Hyperscan to benefit from SSE4 and/or AVX2
- Make use of policies in IDS/IPS Rulesets (balanced, max-detect, etc)
Thanks for reading and your hard work!
Created a patch myself and wrote/sent the maintainer on FreeBSD Ports.
Got updated: https://github.com/freebsd/freebsd-ports/commit/c245ea082c9920167f214d9755d1c0138717afaf
@franco
Do you compile releases with "core2" or "native" cflags? Which CPU do you use on the build machine?
EDIT: I saw you compile with "NATIVE":"off". Is it possible to get hyperscan with SSE4_2, POPCNT and AVX2 flags?
Hi,
No, NATIVE breaks inter-CPU portability. In this regard Hyperscan is already a pretty mess even without "native" CPU support.
Native support should always be compiled locally.
Cheers,
Franco
Okay thank you!
How can I install ports on OPNsense? Or get portsnap?
Downloading the Repo as ZIP and trying to recompile hyperscan gives me the following message:
===> hyperscan-5.2.1 pkg(8) must be version 1.13.0 or greater, but you have
Did I miss something?
nvm, found it: https://docs.opnsense.org/manual/software_included.html
Quote from: XeroX on May 11, 2020, 12:52:09 PM
nvm, found it: https://docs.opnsense.org/manual/software_included.html
So what was needed was
opnsense-code ports tools
cd /usr/ports/devel/hyperscan/
make config
make reinstall
??
Will this pull in the latest hyperscan?
Were you able to set the config to native after 'make config'?
And do you have any benchmarks for native vs core2? There's a hsbench utility but I believe this doesn't get installed ...
The latest Hyperscan is already included in 20.1.7.
Cheers,
Franco