Suricata 4.1 better performance than the 4.0 version?

Started by xmichielx, January 08, 2019, 08:57:11 AM

I see that the new 18.7.10 has Suricata 4.1.2 and was wondering if people find some performance differences with the former Suricata (4.0.*) version?
I already noticed that the IPS performance was better with 4.0 over 3.* on an APU2C4 but am wondering if I should upgrade or wait for the 19.1 version which comes out later this month.

If you wait for 19.1 you can't compare the speed because 19.1 comes with a new kernel/OS (HardenedBSD 11.2) so you can't be sure if it was the OS or Suricata :)

We also have upcoming netmap changes later in 19.1.x and a Suricata netmap rework to look forward to...

https://twitter.com/inliniac/status/1072477815763857409

:)

Ha! Then I'll wait for the 19.1 version, will that also include the reworked netmap from Victor Julien?

PS, I am still very interested in some results or experiences with this new Suricata 4.1.2 version in regards to the older 4.0.* version from OPNsense users :)

Just update and test on your own. I don't think there will be a dramatic boost.

I've noticed not a big difference indeed, I do notice some new flowbit errors:

Jan  9 13:24:35 vuurmuur.protegam.lan suricata[44215]: [100108] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.DocVBAProject' is checked but not set. Checked in 2020170 and 0 other sigs
Jan  9 13:24:35 vuurmuur.protegam.lan suricata[44215]: [100108] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.MSSQL' is checked but not set. Checked in 2020569 and 0 other sigs
Jan  9 13:24:35 vuurmuur.protegam.lan suricata[44215]: [100108] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ETPRO.RTF' is checked but not set. Checked in 2020700 and 0 other sigs
Jan  9 13:24:35 vuurmuur.protegam.lan suricata[44215]: [100108] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.MCOFF' is checked but not set. Checked in 2022303 and 0 other sigs
Jan  9 13:24:35 vuurmuur.protegam.lan suricata[44215]: [100108] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.autoit.ua' is checked but not set. Checked in 2019165 and 0 other sigs
Jan  9 13:24:35 vuurmuur.protegam.lan suricata[44215]: [100108] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.IE7.NoRef.NoCookie' is checked but not set. Checked in 2023671 and 4 other sigs
Jan  9 13:24:35 vuurmuur.protegam.lan suricata[44215]: [100108] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'min.gethttp' is checked but not set. Checked in 2023711 and 0 other sigs
Jan  9 13:24:35 vuurmuur.protegam.lan suricata[44215]: [100108] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.armwget' is checked but not set. Checked in 2024241 and 1 other sigs
Jan  9 13:24:35 vuurmuur.protegam.lan suricata[44215]: [100108] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.pdf.in.http' is checked but not set. Checked in 2017790 and 0 other sigs
Jan  9 13:24:35 vuurmuur.protegam.lan suricata[44215]: [100108] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.CVE20157547.primer' is checked but not set. Checked in 2022547 and 0 other sigs


Not sure if this is an issue but the rest of rules work fine :)
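Added example, not part of the original thread: SC_WARN_FLOWBIT(306) is logged when a loaded rule tests a flowbit that no loaded rule sets, which usually means the setter rule is disabled or its ruleset is not installed. The sketch below pairs the warnings with rule text to show which case applies. The rule bodies and sid 9000001 are constructed for the demo.

```python
import re
from collections import defaultdict

# Matches the SC_WARN_FLOWBIT line format quoted in the post above.
WARN_RE = re.compile(r"SC_WARN_FLOWBIT\(306\)\] - flowbit '([^']+)' is checked "
                     r"but not set\. Checked in (\d+) and (\d+) other sigs")
# Only set/toggle can turn a bit on; isset/isnotset just read it.
SET_RE = re.compile(r"flowbits\s*:\s*(?:set|toggle)\s*,\s*([^;]+);")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Two warnings copied from the thread.
SAMPLE_LOG = """\
Jan  9 13:24:35 vuurmuur.protegam.lan suricata[44215]: [100108] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.MSSQL' is checked but not set. Checked in 2020569 and 0 other sigs
Jan  9 13:24:35 vuurmuur.protegam.lan suricata[44215]: [100108] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'min.gethttp' is checked but not set. Checked in 2023711 and 0 other sigs
"""
# Constructed rules: the bodies and sid 9000001 are made up for this example.
SAMPLE_RULES = """\
#alert tcp any any -> any 1433 (msg:"constructed setter"; flowbits:set,ET.MSSQL; flowbits:noalert; sid:9000001; rev:1;)
alert tcp any 1433 -> any any (msg:"constructed checker"; flowbits:isset,ET.MSSQL; sid:2020569; rev:1;)
"""

def parse_warnings(log_text):
    """Return {flowbit: (checking_sid, other_sig_count)} from Suricata log text."""
    return {bit: (int(sid), int(n)) for bit, sid, n in WARN_RE.findall(log_text)}

def index_setters(rules_text):
    """Map flowbit -> [(sid, enabled)] for each rule that sets it; '#' means disabled."""
    setters = defaultdict(list)
    for raw in rules_text.splitlines():
        enabled = not raw.lstrip().startswith("#")
        rule = raw.lstrip("# \t")
        sid = SID_RE.search(rule)
        if sid and rule.startswith(("alert", "drop", "pass", "reject")):
            for bit in SET_RE.findall(rule):
                setters[bit.strip()].append((int(sid.group(1)), enabled))
    return setters

def triage(log_text, rules_text):
    """For every warned flowbit, report why nothing sets it."""
    setters, report = index_setters(rules_text), {}
    for bit in parse_warnings(log_text):
        found = setters.get(bit, [])
        disabled = [sid for sid, on in found if not on]
        status = ("setter disabled" if disabled
                  else "setter present and enabled" if found else "no setter found")
        report[bit] = (status, disabled)
    return report

if __name__ == "__main__":
    for bit, (status, sids) in triage(SAMPLE_LOG, SAMPLE_RULES).items():
        print(f"{bit}: {status} {sids}")
```

A flowbit reported as "setter disabled" means the checking rule can never fire until the listed setter sid is enabled; "no setter found" points at a ruleset that is not downloaded.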

Victor's rework and the netmap help from Sensei guys will take a while to finish so for now it's just 4.1 and 11.2 in 19.1 to look forward to. The rest will be picked up on our way to 19.7 and beyond.