Hyperscan and IPS Policy

Started by XeroX, May 09, 2020, 07:24:34 PM

May 09, 2020, 07:24:34 PM Last Edit: May 10, 2020, 11:51:16 PM by XeroX
Hello there,
first of all thanks for all the time you invest in development.

Is it possible to get an upgrade of Hyperscan? 4.7.0 is more than 3 years old and Hyperscan got some performance improvements over time, currently at 5.2.1.

5.0.0 is supported with suricata: https://github.com/OISF/suricata/blob/master/doc/userguide/performance/hyperscan.rst

Right now you compile it with "core2" (SSE3), which results in not benefiting from SSE4.2, AVX2 and POPCNT (starting with Haswell). This would improve performance further. Or do you compile with 'NATIVE'?

I'm not familiar with pkg management; any chance to get multiple configurations for that? Like choosing the appropriate Hyperscan package?

https://github.com/intel/hyperscan/blob/90cd1863d64135323cae44606c6eff5fc76a1532/doc/dev-reference/getting_started.rst#fat-runtime

For example, right now I have an "old" i3 which would support SSE4.2 and AVX2 (released Q4/2014).
-------

Second question: Snort rules have an IPS policy within the file. Right now "balanced" seems to be the default that's activated with snortrules-snapshot-29151.tar.gz (seems to work best with Suricata 5.0.3). Any chance to get a field to choose which policy will be activated (beside the rules I've chosen myself)?

https://www.snort.org/faq/why-are-rules-commented-out-by-default


Quote
TL;DR

  • Update Hyperscan to 5.2.1
  • Compile Hyperscan to benefit from SSE4 and/or AVX2
  • Make use of policies in IDS/IPS rulesets (balanced, max-detect, etc.)


Thanks for reading and your hard work!

May 10, 2020, 03:14:43 PM #1 Last Edit: May 10, 2020, 11:52:45 PM by XeroX
Created a patch myself and wrote to / sent it to the maintainer on FreeBSD Ports.

Got updated: https://github.com/freebsd/freebsd-ports/commit/c245ea082c9920167f214d9755d1c0138717afaf

@franco
Do you compile releases with "core2" or "native" CFLAGS? Which CPU do you use on the build machine?

EDIT: I saw you compile with "NATIVE":"off". Is it possible to get hyperscan with SSE4_2, POPCNT and AVX2 flags?

Hi,

No, NATIVE breaks inter-CPU portability. In this regard Hyperscan is already a pretty mess even without "native" CPU support.

Native support should always be compiled locally.


Cheers,
Franco
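An added check, not from this thread or the OPNsense project, for the portability point Franco makes above: it reads the CPU feature lists FreeBSD prints in /var/run/dmesg.boot and reports which Hyperscan build target the host can actually run, so a package built with SSE4.2/POPCNT/AVX2 is only put on machines where it will not die with SIGILL. The dmesg line format, the target names and the sample CPU are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): classify which Hyperscan build target
# a host CPU can run, from the feature lists FreeBSD prints in dmesg
# ("Features2=0x...<...>" and "Structured Extended Features=0x...<...>").
# Assumed line format; on a real box feed it `cat /var/run/dmesg.boot`.

# Constructed sample of the two dmesg lines for a Haswell-class CPU.
SAMPLE_DMESG='  Features2=0x7ffafbff<SSE3,PCLMULQDQ,SSSE3,FMA,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AESNI,AVX,F16C,RDRAND>
  Structured Extended Features=0x27ab<FSGSBASE,TSCADJ,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID>'

# has_flag FLAG TEXT -> exit 0 if FLAG appears inside a <...> feature list.
# The flag is escaped so "SSE4.2" does not also match "SSE4x2".
has_flag() {
    pat=$(printf '%s' "$1" | sed 's/\./\\./g')
    printf '%s\n' "$2" | grep -Eq "[<,]${pat}[,>]"
}

# hs_target TEXT -> prints the highest target the CPU supports:
#   unsupported : no SSSE3, which is the minimum Hyperscan requires
#   core2       : SSSE3 only, the portable baseline the package ships with
#   corei7      : SSE4.2 + POPCNT as well (Nehalem and later)
#   avx2        : AVX2 on top of that (Haswell and later)
# Installing a corei7/avx2 build on a core2-class host is what breaks.
hs_target() {
    if ! has_flag SSSE3 "$1"; then
        echo unsupported
    elif has_flag AVX2 "$1" && has_flag SSE4.2 "$1" && has_flag POPCNT "$1"; then
        echo avx2
    elif has_flag SSE4.2 "$1" && has_flag POPCNT "$1"; then
        echo corei7
    else
        echo core2
    fi
}

# Stand-alone run: report the sample host.
echo "hyperscan target for sample CPU: $(hs_target "$SAMPLE_DMESG")"
```

Compare the printed target against what the package was built for before replacing the stock core2 build on a given firewall.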

May 11, 2020, 12:52:09 PM #3 Last Edit: May 11, 2020, 01:00:51 PM by XeroX
Okay thank you!

How can I install ports on OPNsense, or get portsnap?

Downloading the Repo as ZIP and trying to recompile hyperscan gives me the following message:
===>  hyperscan-5.2.1 pkg(8) must be version 1.13.0 or greater, but you have

Did I miss something?


nvm, found it: https://docs.opnsense.org/manual/software_included.html

Quote from: XeroX on May 11, 2020, 12:52:09 PM

nvm, found it: https://docs.opnsense.org/manual/software_included.html

So what was needed was

opnsense-code ports tools
cd /usr/ports/devel/hyperscan/
make config
make reinstall


??

Will this pull in the latest hyperscan?

Were you able to set the config to native after 'make config' ?

And do you have any benchmarks for native vs core2? There's a hsbench utility but I believe this doesn't get installed ...

The latest Hyperscan is already included in 20.1.7.


Cheers,
Franco