Suricata 4.1 better performance then the 4.0 version?

[xmichielx]

I see that the new 18.7.10 has Suricata 4.1.2 and was wondering if people find some performance differences with the former Suricata (4.0.*) version?
I already notices that the IPS performance was better with 4.0 over 3.* on an APU2C4 but am wondering if I should upgrade or wait for the 19.1 version which comes our later this month.

[mimugmail]

If you wait for 19.1 you can't compare the speed because 19.1 comes with a new kernel/OS (HardenendBSD 11.2) so you can't be sure if it was the OS or Suricata

[franco]

We also have upcoming netmap changes later in 19.1.x and a Suricata netmap rework to look forward to...

https://twitter.com/inliniac/status/1072477815763857409

[xmichielx]

Ha! Then I wait for the 19.1 version, will that also include the reworked netmap from Victor Julien?

[xmichielx]

PS, I am still very interested in some results or experiences with this new Suricata 4.1.2 version in regards to the older 4.0.* version from OPNsense users

[mimugmail]

Just update and test on you own. I dont think there will be a dramatic boost.

[xmichielx]

I've noticed not a big difference indeed, I do notice some new flowbit errors:

Jan  9 13:24:35 vuurmuur.protegam.lan suricata[44215]: [100108] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.DocVBAProject' is checked but not set. Checked in 2020170 and 0 other sigs
Jan  9 13:24:35 vuurmuur.protegam.lan suricata[44215]: [100108] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.MSSQL' is checked but not set. Checked in 2020569 and 0 other sigs
Jan  9 13:24:35 vuurmuur.protegam.lan suricata[44215]: [100108] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ETPRO.RTF' is checked but not set. Checked in 2020700 and 0 other sigs
Jan  9 13:24:35 vuurmuur.protegam.lan suricata[44215]: [100108] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MCOFF' is checked but not set. Checked in 2022303 and 0 other sigs
Jan  9 13:24:35 vuurmuur.protegam.lan suricata[44215]: [100108] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.autoit.ua' is checked but not set. Checked in 2019165 and 0 other sigs
Jan  9 13:24:35 vuurmuur.protegam.lan suricata[44215]: [100108] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2023671 and 4 other sigs
Jan  9 13:24:35 vuurmuur.protegam.lan suricata[44215]: [100108] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'min.gethttp' is checked but not set. Checked in 2023711 and 0 other sigs
Jan  9 13:24:35 vuurmuur.protegam.lan suricata[44215]: [100108] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.armwget' is checked but not set. Checked in 2024241 and 1 other sigs
Jan  9 13:24:35 vuurmuur.protegam.lan suricata[44215]: [100108] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.pdf.in.http' is checked but not set. Checked in 2017790 and 0 other sigs
Jan  9 13:24:35 vuurmuur.protegam.lan suricata[44215]: [100108] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.CVE20157547.primer' is checked but not set. Checked in 2022547 and 0 other sigs

Not sure if this is an issue but the rest of rules work fine

[franco]

Victors rework and the netmap help from Sensei guys will take a while to finish so for now it's just 4.1 and 11.2 in 19.1 to look forward too. The reset will be picked up on our way to 19.7 and beyond.