OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: deputycag on November 01, 2016, 01:29:44 pm

Title: IPS Question
Post by: deputycag on November 01, 2016, 01:29:44 pm
Can someone point me to more info on the Pattern Match option for IPS?  I am aware Hyperscan is by Intel and supposed to be the new and fastest option.  Just wanted to have more info on the three.  Thanks.

What does each do exactly? And is Hyperscan supported on old Xeon processors?

Default - 
Aho-Corasick -
Hyperscan -
Title: Re: IPS Question
Post by: franco on November 02, 2016, 12:54:50 pm
Hi,

The "Default" is Aho-Corasick, you can read about it here:

https://en.wikipedia.org/wiki/Aho%E2%80%93Corasick_algorithm

Suricata has it bundled by default; it was always selected since before Hyperscan was added.

Hyperscan works on amd64 + SSE3 processors, you'd have to check the dmesg output of your box to confirm. Some older Xeons do not have SSE3.


Cheers,
Franco
Title: Re: IPS Question
Post by: deputycag on November 02, 2016, 05:19:02 pm
Ok thank you. 

Would you happen to know if it's possible to skip IPS scanning on certain ports or IP addresses? Bypass feature?
Title: Re: IPS Question
Post by: franco on November 02, 2016, 07:27:59 pm
Hmm, good question. For now this could be done manually as the GUI support is not in there:

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ignoring_Traffic

There was another topic that asked about how to add custom rules, I can't find it right now, but it's there.

If you want this to be added as a future feature please consider opening a ticket over at github:

https://github.com/opnsense/core/issues

The policy behind this is: if we have a feature reporter, it's easier to test and coordinate.


Thank you,
Franco