OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: fabian on July 28, 2017, 08:15:49 pm

Title: [CALL FOR TESTING] Suricata 4.0.0
Post by: fabian on July 28, 2017, 08:15:49 pm
Hi all,

Suricata 4.0 is out and I asked Franco to build it for 17.7. It will not be included in the stable version but it can be installed via the shell by running the following command:

Code:
pkg install https://pkg.opnsense.org/snapshots/suricata-4.0.0.txz
In a short test it still works without changing the GUI. Note: If you have Suricata running, you will have to restart it after installation. You can do that in the GUI.
Title: Re: Suricata 4
Post by: phoenix on July 28, 2017, 09:06:38 pm
Hi

I've just tried that on my 17.7R2 and got the following:

Code:
root@OPNsense:~ # pkg install https://pkg.opnsense.org/snapshots/suricata-4.0.0.txz
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
pkg: No packages available to install matching 'https://pkg.opnsense.org/snapshots/suricata-4.0.0.txz' have been found in the repositories
The file does appear in the list if I browse to that address, have I missed something?
Title: Re: Suricata 4
Post by: franco on July 28, 2017, 09:07:20 pm
Almost...

# pkg add -f https://pkg.opnsense.org/snapshots/suricata-4.0.0.txz

Note this package is for amd64, and the current release version can be restored with:

# opnsense-revert suricata


Cheers,
Franco
Title: Re: Suricata 4
Post by: phoenix on July 28, 2017, 09:18:03 pm
Hi Franco

Thanks for that, it worked and is up and running. :) Anything specific in this version that we should be aware of?
Title: Re: Suricata 4
Post by: franco on July 28, 2017, 09:26:56 pm
Hi Bill,

I haven't gone through the list of changes in detail. The port update was very easy, the syntax gave no issues in the yaml, I'd say it's a straight-forward update with small bits of numerous improvements in all areas:

https://github.com/inliniac/suricata/blob/b8428378ac6fb2365337ae765e19dfc0f4548e4a/ChangeLog#L1-L95


Cheers,
Franco
Title: Re: [CALL FOR TESTING] Suricata 4.0.0
Post by: franco on August 01, 2017, 10:50:48 am
I'm hijacking this thread for a general-purpose call for testing. The port was just finished[1]. It seems to work just fine.

To install:

# pkg add -f https://pkg.opnsense.org/snapshots/suricata-4.0.0.txz

To revert:

# opnsense-revert suricata

Don't forget to restart Suricata for the new version to take effect.

Will a few more people on 17.7 amd64 ack/nak this version bump?


Cheers,
Franco

--
[1] https://github.com/opnsense/ports/commit/67e8ed627e
Title: Re: [CALL FOR TESTING] Suricata 4.0.0
Post by: phoenix on August 01, 2017, 01:23:59 pm
Hi Franco

There's a message displayed after the install:

Code:
You may want to try BPF in zerocopy mode to test performance improvements:

        sysctl -w net.bpf.zerocopy_enable=1

Don't forget to add net.bpf.zerocopy_enable=1 to /etc/sysctl.conf
Is it suggested we apply that or just leave it as-is?
Title: Re: [CALL FOR TESTING] Suricata 4.0.0
Post by: franco on August 01, 2017, 02:26:52 pm
BPF is for PCAP mode (non-IPS). It doesn't hurt to try this setting, if it brings performance gains, but can also be safely ignored.
Title: Re: [CALL FOR TESTING] Suricata 4.0.0
Post by: phoenix on August 01, 2017, 03:38:14 pm
> BPF is for PCAP mode (non-IPS). It doesn't hurt to try this setting, if it brings performance gains, but can also be safely ignored.
Thanks for that information. I'll try enabling it and see what happens but my server is lightly loaded anyway so I guess I won't see much difference, if any.
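As an added example (not code from this thread, from Franco, or from the OPNsense project), the following POSIX shell script wraps the steps posted above into one idempotent tool: the amd64-only `pkg add -f` install with a version check, the `opnsense-revert` fallback, the restart the new binary needs, and the optional BPF zerocopy sysctl from the install message, persisted to /etc/sysctl.conf without duplicate lines. The package URL, the revert command and the sysctl key come from the thread; the helper function names, the `service suricata restart` call (assumed to replace the GUI restart via the port's rc script) and the `pkg query` verification are my assumptions.

```shell
#!/bin/sh
# Added example, not part of the OPNsense forum thread. Wraps the install,
# verify, restart and revert steps from the thread and the optional
# net.bpf.zerocopy_enable sysctl (PCAP/non-IPS mode only, per Franco).
set -eu

# Snapshot URL from the thread; SYSCTL_CONF is overridable for testing.
PKG_URL="https://pkg.opnsense.org/snapshots/suricata-4.0.0.txz"
SYSCTL_CONF="${SYSCTL_CONF:-/etc/sysctl.conf}"

# "suricata" from .../suricata-4.0.0.txz (name = everything before -<digit>).
pkg_name_from_url() {
    basename "$1" .txz | sed 's/-[0-9][^-]*$//'
}

# "4.0.0" from .../suricata-4.0.0.txz (version = trailing -<digit...> part).
pkg_version_from_url() {
    basename "$1" .txz | sed 's/^.*-\([0-9][^-]*\)$/\1/'
}

# Set key=value in a sysctl.conf-style file exactly once: replace the existing
# line for that key if present, otherwise append. Safe to run repeatedly.
set_sysctl_conf() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    [ -f "$file" ] || : > "$file"            # create an empty file if missing
    if grep -q "^${key}=" "$file"; then
        sed "s|^${key}=.*|${key}=${value}|" "$file" > "$tmp"
    else
        { cat "$file"; echo "${key}=${value}"; } > "$tmp"
    fi
    mv "$tmp" "$file"
}

# Install the snapshot, confirm pkg reports the expected version, restart.
# Assumption: the port installs an rc script usable as "service suricata".
upgrade_suricata() {
    arch=$(uname -m)
    if [ "$arch" != "amd64" ]; then
        echo "snapshot package is amd64-only; this host is $arch" >&2
        return 1
    fi
    pkg add -f "$PKG_URL"
    want=$(pkg_version_from_url "$PKG_URL")
    have=$(pkg query '%v' "$(pkg_name_from_url "$PKG_URL")")
    case "$have" in
        "$want"*) echo "installed suricata $have" ;;
        *) echo "expected $want but pkg reports $have" >&2; return 1 ;;
    esac
    service suricata restart   # the new version only takes effect after a restart
}

# Enable BPF zerocopy now and persist it, as the install message suggests.
enable_bpf_zerocopy() {
    sysctl -w net.bpf.zerocopy_enable=1
    set_sysctl_conf "$SYSCTL_CONF" net.bpf.zerocopy_enable 1
}

case "${1:-}" in
    install)  upgrade_suricata ;;
    revert)   opnsense-revert suricata && service suricata restart ;;
    zerocopy) enable_bpf_zerocopy ;;
    *)        echo "usage: $0 install|revert|zerocopy" >&2 ;;
esac
```

Run it as `sh suricata-snapshot.sh install` on the 17.7 amd64 box, `revert` to go back to the release package, and `zerocopy` only on a PCAP-mode (non-IPS) deployment; the sysctl helper can be pointed at a scratch file with `SYSCTL_CONF=/tmp/test.conf` to see that repeated runs never add a second line.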
Title: Re: [CALL FOR TESTING] Suricata 4.0.0
Post by: Noctur on August 01, 2017, 10:44:02 pm
Running for a day now.. Seems to be working similarly to 3.x. Smooth transition.
Title: Re: [CALL FOR TESTING] Suricata 4.0.0
Post by: Julien on August 01, 2017, 11:16:22 pm
I have a And hardware,
any specific thing to test?
I can install it on a production with 1 Gbps connection
Title: Re: [CALL FOR TESTING] Suricata 4.0.0
Post by: franco on August 02, 2017, 06:30:58 am
Nothing special, just generally looking for positive feedback to upgrade. So far it looks seamless as far as 3.2.3 -> 4.0.0 goes.


Thanks,
Franco
Title: Re: [CALL FOR TESTING] Suricata 4.0.0
Post by: mw01 on August 03, 2017, 12:34:12 am
Upgraded from 17.1.11 to 17.7 and Suricata 4.0.0.  Went smoothly, no issues.  apu2 AMD GX-412TC SOC (4 cores)
Title: Re: [CALL FOR TESTING] Suricata 4.0.0
Post by: franco on August 03, 2017, 07:23:41 am
I'll get an ok from the core team just to be sure... I think it looks good for inclusion in 17.7.1.

Thank you all <3
Title: Re: [CALL FOR TESTING] Suricata 4.0.0
Post by: xmichielx on August 28, 2017, 04:36:52 pm
> Upgraded from 17.1.11 to 17.7 and Suricata 4.0.0.  Went smoothly, no issues.  apu2 AMD GX-412TC SOC (4 cores)

Did you test with bandwidth tests? Did you find a difference in performance when testing through your APU2? I experienced much better bandwidth performance with 4.* than with the 3.* series of Suricata.
Please let us know if you also experience less of a cap on your bandwidth with Suricata 4.*
Title: Re: [CALL FOR TESTING] Suricata 4.0.0
Post by: Julien on August 28, 2017, 07:06:34 pm
Hi Guys,
I am buying new hardware for testing purposes.
What kind of NIC is advised for better performance?

Title: Re: [CALL FOR TESTING] Suricata 4.0.0
Post by: phoenix on August 28, 2017, 08:31:42 pm
What kind of NIC do you have now? A NIC won't necessarily give you better performance but choosing a 'poor' NIC can reduce your throughput or fail to work. I'd suggest anything Intel (relatively recent model) would be fine. You can also check the FreeBSD lists/site for compatible hardware. You also haven't mentioned what kind of hardware you currently have. I'd also suggest you search through the forums for some threads/posts on this topic.
Title: Re: [CALL FOR TESTING] Suricata 4.0.0
Post by: Julien on August 28, 2017, 10:53:12 pm
What I have right now:
Intel i5 3317U
8 GB of RAM
64 GB SSD disk (don't know if 120 GB is needed)
8 NICs, Intel 82583V Gigabit

Thank you
Title: Re: [CALL FOR TESTING] Suricata 4.0.0
Post by: mw01 on September 01, 2017, 01:01:58 pm
Yes, I have conducted bandwidth tests.  I am still limited by ISP provisioning (~90 Mbps).  What I have observed is lower CPU utilization with 4.0.0.
Title: Re: [CALL FOR TESTING] Suricata 4.0.0
Post by: Julien on September 01, 2017, 01:16:18 pm
> Yes, I have conducted bandwidth tests.  I am still limited by ISP provisioning (~90 Mbps).  What I have observed is lower CPU utilization with 4.0.0.
What about the speed?
I have ordered my new hardware and am still waiting for it; hopefully it will arrive next week.
What is your current internet speed? How much is it after you enable Suricata?
Title: Re: [CALL FOR TESTING] Suricata 4.0.0
Post by: mw01 on September 01, 2017, 01:50:56 pm
~90 Mbps, depending on time of day (with the "optimal" server at the other end).

Suricata is not the limiting factor.  It's the ISP pipe.  I have not performed testing with a Gb WAN connection.  If I extrapolate CPU loading I might see another 30 Mbps or so.

Suricata loading is also a function of the rule set.  The more you check the more the loading.

Title: Re: [CALL FOR TESTING] Suricata 4.0.0
Post by: Julien on September 06, 2017, 11:10:09 pm
Hi Guys,
I have been using this for over 3 days now;
my speed really drops from 1000 Mbps to 90 Mbps when Suricata is on.
Hardware I am using is:
CPU Intel® i5-3317U Dual Core 4 Threads (1.8GHz)
Chipset Intel® HM65 Express Chipset
Memory 1* SO DDR3, 1333MHz, 8 GB
HDD Samsung SSD 950
Ethernet 6* Intel® 82583V Gigabit Ethernet


Thank you