[SOLVED] Hardware for 1Gb or 10Gb Suricata IPS

Started by seed, March 04, 2020, 05:50:52 PM

March 04, 2020, 05:50:52 PM Last Edit: April 23, 2020, 10:42:54 AM by seed
Hello

I am currently running a setup with an Intel Xeon E3-1220 v6 and an Asus P10S-I mainboard. The maximum IPS throughput is around 80 MB/sec (tested with iperf3). That is with 46502 drop rules. I have already disabled flow control, energy efficient ethernet, ...

While testing I have noticed that Suricata is utilizing a single core for a single interface. Is it possible to optimize this behaviour? 1Gb IPS throughput would be nice.

Or:

Which CPU is able to achieve this performance?
I want all services to run at wire speed and therefore run this dedicated hardware configuration:

AMD Ryzen 7 9700x
ASUS Pro B650M-CT-CSM
64GB DDR5 ECC (2x KSM56E46BD8KM-32HA)
Intel XL710-BM1
Intel i350-T4
2x SSD with ZFS mirror
PiKVM for remote maintenance

private user, no business use

80MB/s is around 700Mbit .. isn't this good? :)
If you really need this throughput, why not invest time tweaking the rules?

I'm quite sure 20000 rules are from 2015 and not affecting your systems ..

You need a high clock rate; an i3 with 4 GHz might be faster than an E3 with 2 GHz and more cores.

Quick Update:

I tested with different hardware again:

Xeon E-2236
Asus P11C-M/4L
4x M391A1K43BB2-CTD

Same results. The Xeon E-2236 with a much higher turbo clock speed is not that much faster (around 4-5 MB faster).

Correction:

The Xeon E-2236 was not using turbo. Now Gigabit Throughput is reached.

Quote from: mimugmail on March 05, 2020, 09:34:23 AM
80MB/s is around 700Mbit .. isn't this good? :)
If you really need this throughput, why not invest time tweaking the rules?

I'm quite sure 20000 rules are from 2015 and not affecting your systems ..

You need a high clock rate; an i3 with 4 GHz might be faster than an E3 with 2 GHz and more cores.

It might be a good idea to be able to configure the rules by having them grouped by technology or date. For example, if you usually patch your systems, maybe you can discard all the rules related to software vulnerabilities older than 1 year.
In pfSense many useful features are exposed in the interface, like

https://docs.netgate.com/pfsense/en/latest/ids-ips/setup-snort-package.html#define-servers-to-protect-and-improve-performance
https://docs.netgate.com/pfsense/en/latest/ids-ips/setup-snort-package.html#select-which-types-of-signatures-will-protect-the-network

90% of the stuff in https://docs.netgate.com/pfsense/en/latest/ids-ips/index.html#snort is not available in OPNsense, and basically you have similar options available in Suricata that could be exposed.

https://www.youtube.com/watch?v=KRlbkG9Bh6I
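The idea above of grouping rules by date so that old vulnerability signatures can be dropped from a patched network is easy to script against a ruleset's metadata, since ET-style Suricata rules carry `created_at`/`updated_at` in their `metadata` keyword. The script below is an added example and is not code from any participant in this thread or from the Suricata or OPNsense projects. The rule lines in `SAMPLE_RULES` are constructed placeholders (SIDs 9000001-9000004 are not real signatures); it parses a rules file, counts rules per creation year, and emits the SIDs older than a cutoff in the one-SID-per-line form that `suricata-update`'s disable.conf accepts, while never treating a rule with no date as stale and letting you exempt classtypes (such as `trojan-activity`) that stay relevant regardless of age:

```python
"""Group Suricata rules by created_at year and build a disable list.

Added example, not from the forum thread. Sample rules are constructed
placeholders in the ET/Suricata rule format, not real signatures.
"""
import re
from datetime import date

# Constructed sample rules; SIDs and content are placeholders.
SAMPLE_RULES = """\
# comment lines and blank lines are skipped
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE old web exploit"; flow:to_server; content:"GET"; classtype:web-application-attack; sid:9000001; rev:3; metadata:created_at 2015_03_10, updated_at 2015_03_10;)
drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE recent C2 beacon"; flow:to_server; content:"beacon"; classtype:trojan-activity; sid:9000002; rev:1; metadata:created_at 2019_11_02, updated_at 2020_01_15;)
alert udp any any -> any 53 (msg:"SAMPLE no metadata"; content:"|00 01|"; sid:9000003; rev:1;)
#alert tcp any any -> any any (msg:"SAMPLE already disabled"; sid:9000004; rev:1; metadata:created_at 2014_01_01;)
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
CLASSTYPE_RE = re.compile(r"\bclasstype:\s*([\w-]+)\s*;")
CREATED_RE = re.compile(r"\bcreated_at\s+(\d{4})_(\d{2})_(\d{2})")


def parse_rules(text):
    """Return one dict per active (non-commented) rule line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid_m = SID_RE.search(line)
        if not sid_m:
            continue  # not a rule line we can identify
        created = None
        c = CREATED_RE.search(line)
        if c:
            created = date(int(c.group(1)), int(c.group(2)), int(c.group(3)))
        ct = CLASSTYPE_RE.search(line)
        rules.append({
            "sid": int(sid_m.group(1)),
            "action": line.split(None, 1)[0],  # alert / drop / ...
            "classtype": ct.group(1) if ct else "unknown",
            "created_at": created,
        })
    return rules


def group_by_year(rules):
    """Count rules per created_at year; rules without metadata go under None."""
    counts = {}
    for r in rules:
        year = r["created_at"].year if r["created_at"] else None
        counts[year] = counts.get(year, 0) + 1
    return counts


def stale_sids(rules, cutoff_iso, keep_classtypes=()):
    """SIDs created before cutoff_iso (YYYY-MM-DD), minus exempt classtypes.

    A rule without created_at metadata is never reported as stale: a missing
    date is not evidence of age, so it stays enabled by default.
    """
    cutoff = date.fromisoformat(cutoff_iso)
    out = []
    for r in rules:
        if r["created_at"] is None or r["classtype"] in keep_classtypes:
            continue
        if r["created_at"] < cutoff:
            out.append(r["sid"])
    return sorted(out)


def disablesid_lines(sids):
    """Render SIDs one per line, the form suricata-update's disable.conf accepts."""
    return [str(s) for s in sids]


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print("rules by created_at year:", group_by_year(rules))
    stale = stale_sids(rules, "2019-01-01", keep_classtypes=("trojan-activity",))
    print("\n".join(disablesid_lines(stale)))
```

Point `parse_rules` at the contents of a downloaded `.rules` file and redirect the printed SIDs into a disable.conf for `suricata-update`; review the per-year counts first, because a ruleset's `created_at` reflects when the signature was written, not whether the vulnerability it covers is patched on your hosts.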

I patch my systems regularly. In theory, I don't need an IPS. However, it was interesting to find out what hardware is required to achieve gigabit throughput. Independent of large rule optimizations.

This benchmark has helped to scale systems better to the requirements.
Now I know that the Xeon E-2236 has the necessary performance to run Suricata almost without compromise. I have not yet tested whether 10Gbit with a reduced number of rulesets is possible.