More about Suricata multithread performance

Following my preceding post on Suricata multithread performance, I’ve decided to continue to work on the subject. By using perf-tool, I found out that when the number of detect threads was increasing, more and more time was used in a spin lock. One of the possible explanations is that the default running mode for pcap …

What’s new in ulogd 2.0.3

New features in the ulogd 2.0.3 release. Database framework update: ulogd 2.0.3 implements two new optional modes for database connections: a backlog system to avoid event loss in case of database downtime, and a running mode where acquisition is made in one thread and queries to databases are made in separate threads to reduce latency in the treatment of …

Using linux perf tools for Suricata performance analysis

Introduction. Perf is a great tool to analyse performance on Linux boxes. For example, perf top will give you this type of output on a box running Suricata on a high speed network:

Events: 32K cycles
28.41% suricata [.] SCACSearch
19.86% libc-2.15.so [.] tolower
17.83% suricata [.] SigMatchSignaturesBuildMatchArray
6.11% suricata [.] SigMatchSignaturesBuildMatchArrayAddSignature
2.06% suricata [.] …

Some ulogd db improvements

Some new features. I’ve just pushed to the ulogd tree a series of patches. They bring two major improvements to database handling: a backlog system that temporarily stores SQL queries in memory if the database is down, and a ring buffer system, a special mode with one thread to read data from the kernel and another thread to do the SQL queries. …

About Suricata and a kernel oops in AF_PACKET

Introduction. Kernel oopses have been reported by some users running Suricata with AF_PACKET multiple thread capture activated. This is due to a bug I’ve introduced in AF_PACKET when fixing another bug. Which kernel not to use with Suricata in AF_PACKET mode: the following kernel version will surely crash if Suricata or any other program …

New AF_PACKET IPS mode in Suricata

A new Suricata IPS mode. Suricata IPS capabilities are not new. It is possible to use Suricata with Netfilter or ipfw to build a state-of-the-art IPS. On Linux, this system does not have the best throughput performance. Patrick McHardy’s work on netlink memory mapped I/O should bring some real improvement, but this is not yet available. …

Suricata, to 10Gbps and beyond

Introduction. Since the beginning of July 2012, the OISF team has been able to access a server where one interface is receiving some mirrored real European traffic. When reading "some", think between 5Gbps and 9.5Gbps constant traffic. With that traffic, this is around 1Mpps to 1.5Mpps (packets per second) that we have to study. The box itself …

Using AF_PACKET zero copy mode in Suricata

Victor Julien has just pushed a new feature to Suricata’s git tree. It brings improvements to the AF_PACKET capture mode. This capture mode can be used on Linux. It is the native way to capture packets. Suricata is able to use the interesting new multithreading feature provided by AF_PACKET on recent kernels: it is possible …

Acquisition systems and running modes evolution of Suricata

Some new features have recently reached Suricata’s git tree and will be available in the next development release. I’ve worked on some of them, which I will describe here. Multi interface support and new running modes. Configuration update: IDS live mode in Suricata (pcap, pf_ring, af_packet) now supports capture on multiple interfaces. The syntax …