Does Suricata slow down pfSense as much as Snort?
-
Using an APU2D4 (4x1GHz, 4GB RAM), whenever I enable Snort traffic gets extremely slow. Running top I don't see CPU utilization spiking, but it could be 20-30 seconds between page loads. I'm wondering if, since Suricata is multi-threaded, it would do the same thing? Does anyone have any performance experience moving from Snort to Suricata? Right now I just have the basic rules installed until I can get it performing properly.
Thanks for looking!
-
Running Suricata on multiple of these APU2 boxes, I certainly don't observe any such issue. Perhaps your settings are suboptimal or your ruleset is pretty insane. No info to debug anything here.
This is from an APU2 with Suricata on 3 interfaces:
  PID USERNAME    THR PRI NICE   SIZE    RES STATE   C   TIME    WCPU COMMAND
86337 root         11  20    0   647M   293M uwait   3 340:35   3.47% suricata
88108 root         11  20    0   997M   700M uwait   2 361:14   3.27% suricata
89844 root         11  20    0   921M   650M uwait   2 241:11   3.27% suricata
-
For Snort, set it to use "AC-BNFA-NQ".
-
Thanks for giving me some examples. The unit I'm referencing when running slow doesn't appear to have any CPU spikes either with Snort. CPU looks fine. RAM looks fine. HDD looks fine (from what I can tell in top). It just makes web traffic slow.
The rules I'm using are:
emerging-activex.rules
emerging-attack_response.rules
emerging-botcc.portgrouped.rules
emerging-botcc.rules
emerging-ciarmy.rules
emerging-compromised.rules
emerging-current_events.rules
emerging-deleted.rules
emerging-dns.rules
emerging-dos.rules
emerging-dshield.rules
emerging-exploit.rules
emerging-imap.rules
emerging-malware.rules
emerging-mobile_malware.rules
emerging-policy.rules
emerging-rpc.rules
emerging-scan.rules
emerging-shellcode.rules
emerging-sql.rules
emerging-trojan.rules
emerging-user_agents.rules
emerging-voip.rules
emerging-web_client.rules
emerging-web_server.rules
emerging-web_specific_apps.rules
emerging-worm.rules
-
Running a speed test, in my testing of another box (APU1D) Snort maxed out at around 6.5 Mbps with the limited ruleset. Suricata did the full 20 Mbps with all the rules checked (listed below). It's only a 20 Mbps fiber connection, so that's about as much as I can test. I haven't tested on an APU2D yet but thought that would be helpful information for someone.
Snort GPLv2 Community Rules (VRT certified)
emerging-activex.rules
emerging-attack_response.rules
emerging-botcc.portgrouped.rules
emerging-botcc.rules
emerging-chat.rules
emerging-ciarmy.rules
emerging-compromised.rules
emerging-current_events.rules
emerging-deleted.rules
emerging-dns.rules
emerging-dos.rules
emerging-drop.rules
emerging-dshield.rules
emerging-exploit.rules
emerging-ftp.rules
emerging-games.rules
emerging-icmp.rules
emerging-icmp_info.rules
emerging-imap.rules
emerging-inappropriate.rules
emerging-info.rules
emerging-malware.rules
emerging-misc.rules
emerging-mobile_malware.rules
emerging-netbios.rules
emerging-p2p.rules
emerging-policy.rules
emerging-pop3.rules
emerging-rpc.rules
emerging-scada.rules
emerging-scan.rules
emerging-shellcode.rules
emerging-smtp.rules
emerging-snmp.rules
emerging-sql.rules
emerging-telnet.rules
emerging-tftp.rules
emerging-tor.rules
emerging-trojan.rules
emerging-user_agents.rules
emerging-voip.rules
emerging-web_client.rules
emerging-web_server.rules
emerging-web_specific_apps.rules
emerging-worm.rules
-
I know it's been a month, but I wanted to update with what I've found. I've installed the APU2D4 with Suricata instead of Snort. I'm not sure the best way to test, but here is what I've done:
---Enabled Squid
------Enabled Antivirus in Squid
------Enabled the enhanced ruleset from Sane Security
------Enabled Transparent Proxy
---Enabled SquidGuard
---Enabled Suricata on the WAN Port
------Checked "Install ETOpen Emerging Threat Rules"
------Checked "Install Snort Community Rules"
------Set up a sensor on the WAN port named "WAN"
------Enabled every rule on the "WAN Categories" page.
I then ran the Spectrum speed test at speedtest.bhn.net. I had to run it many times and disable all rules that were stopping the speed test from running. While Snort was stopping me at just a few MB/sec, Suricata allowed me to get the full speed of the pipe. Results are consistently between 340-350 Mbps. I think the contracted pipe is only 300 Mbps, so they are getting a bit over. Top shows the idle down to just a few %, so I think it's pretty much tapped out, but that is much better than I was expecting. I'd think it's safe to say these can filter up to a 300 Mbps pipe comfortably, without taking into account VPNs and such.
-
I'm not really surprised that Suricata outperforms Snort on high speed links. Suricata is multithreaded while Snort is not (yet). While the Snort folks published some papers a few years ago downplaying the importance of multithreading in an IDS, I think they must not have fully believed their own reporting, because they are now working on a multithreaded version of Snort. The 3.0-ALPHA version is multithreaded. It has been in the works for maybe two years now, but is not yet ready for prime time.
Bill
-
It's not just that it is better. It's the incredible difference! There are 4 cores, so I would think that maybe a 4x speedup would be warranted. This is 50x better! And that such low-end hardware is capable of such high throughput is awesome!
-
IDS/IPS are all CPU intensive. But I think your results are skewed.
There are a lot of variables to determine CPU usage beyond threads.
How many rules you are using is one of them, but more importantly the content of those rules.
A rule that only inspects IP, port and direction (like a floating firewall rule) is very CPU light.
On the other end, a rule that has to inspect the IP, port, direction, header, and payload of a packet will take more CPU cycles.
Multithreading is certainly great, but it isn't magic. My guess is that either something was wrong with your snort setup or you tested suricata with different rules than snort.
If suricata were 50x faster than snort, no one would use snort.
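One way to check how "heavy" a ruleset actually is, in the sense the post above describes (header-only rules versus rules that have to walk the payload), is to sort each rule by the most expensive class of option it carries. The script below is an added example, not code from the thread or from the Snort or Suricata projects; the four sample rules are constructed for illustration, and the three-tier cost model (header < content < pcre) is a rough heuristic, not either engine's real profiler.

```python
import re
from collections import Counter

# Constructed sample rules in Snort/Suricata syntax (not from the thread).
# Lines starting with '#' are skipped, so disabled rules ("# alert ...") are
# not counted, which matches what the engine actually loads.
SAMPLE_RULES = r'''
# Header-only: inspects protocol, addresses, ports and direction; very cheap.
alert ip [192.0.2.10,192.0.2.11] any -> $HOME_NET any (msg:"EXAMPLE Known-bad source"; classtype:misc-attack; sid:9000001; rev:1;)
# TCP-flag check only: still no payload inspection.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH SYN"; flags:S; threshold:type limit,track by_src,count 5,seconds 60; sid:9000002; rev:1;)
# Content rule: literal payload match, handled by the multi-pattern matcher.
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXAMPLE Suspicious UA"; flow:established,to_server; content:"User-Agent|3a| badbot"; nocase; sid:9000003; rev:2;)
# PCRE rule: regex over the payload, the most expensive class.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE Encoded param"; flow:established,to_server; content:"/login"; http_uri; pcre:"/[?&]u=%[0-9a-f]{2}/Ui"; sid:9000004; rev:1;)
'''

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)

# Option keywords that force the engine to look into the packet payload.
PAYLOAD_KEYWORDS = {
    'content', 'uricontent', 'pcre', 'byte_test', 'byte_jump',
    'byte_extract', 'isdataat', 'base64_decode',
}


def split_options(opts):
    """Split 'key:value; key;' pairs, honouring quotes and backslash escapes so
    a ';' inside a content string does not end the option."""
    items, buf, in_quotes, escaped = [], [], False, False
    for ch in opts:
        if escaped:
            buf.append(ch)
            escaped = False
            continue
        if ch == '\\':
            buf.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ';' and not in_quotes:
            items.append(''.join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    tail = ''.join(buf).strip()
    if tail:
        items.append(tail)
    result = []
    for item in items:
        if not item:
            continue
        key, _, value = item.partition(':')
        result.append((key.strip(), value.strip() if value else None))
    return result


def classify(rule):
    """Return the rule's sid, protocol, cost tier and number of payload checks."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError('not a rule line: %r' % rule[:60])
    opts = split_options(m.group('opts'))
    keys = [k for k, _ in opts]
    sid = next((v for k, v in opts if k == 'sid'), None)
    if 'pcre' in keys:
        cost = 'pcre'          # regex on payload
    elif any(k in PAYLOAD_KEYWORDS for k in keys):
        cost = 'content'       # literal / byte payload match
    else:
        cost = 'header'        # addresses, ports, flags only
    return {
        'sid': sid,
        'proto': m.group('proto'),
        'cost': cost,
        'payload_checks': sum(1 for k in keys if k in PAYLOAD_KEYWORDS),
    }


def summarize(text):
    """Count active rules per cost tier for a whole rules file."""
    counts = Counter()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        counts[classify(line)['cost']] += 1
    return counts


if __name__ == '__main__':
    for tier, n in sorted(summarize(SAMPLE_RULES).items()):
        print('%-8s %d' % (tier, n))
```

Pointing `summarize()` at a real emerging-*.rules file (read the file and pass its text) shows at a glance whether a category is mostly cheap IP-reputation rules like emerging-ciarmy or emerging-compromised, or mostly content and pcre rules like emerging-web_specific_apps; two rulesets with the same rule count can differ enormously in CPU cost for exactly that reason.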
-
True. With Snort I tested with all rules enabled. With Suricata, I tested with all rules enabled. Even uninstalling / reinstalling Snort didn't help. Either way I'm impressed with the overall results of Suricata. Very quick.