Suricata Performance on SG-3100 vs Unifi Dream Machine
-
The SG-3100 has a CPU of ARM Cortex-A9 at 1.6 GHz, and I was looking at the Unifi Dream Machine with an Arm Cortex-A57 Quad-Core at 1.7 GHz.
So, it would seem these CPUs are similar in performance (but not the same).
In a recent online review, the guy shows iptraf maxing out at 9Gbps with Suricata enabled. However, on my SG-3100, Suricata maxes out the CPU at 100Mbps internet download. I only have minimal categories of signatures enabled (a few ET Pro and Snort Community categories).
Just curious if anyone has successfully tuned Suricata and what steps they have taken to get the best performance/security balance.
-
It's really packets per second (pps) that matter in these benchmarks. See, I can send 10,000 8KB jumbo frame packets chock full of data each and then claim about 655 Mbits/sec of throughput (8192 bytes x 8 = 65,536 bits per packet x 10,000 packets/sec = 655 Mbits/sec). However, if those same 10,000 packets were only 64-byte UDP packets, for example, now my throughput is only 5.1 Mbits/sec (64 bytes x 8 = 512 bits per packet x 10,000 packets/sec = 5.12 Mbits/sec). But in both cases the firewall is essentially doing the same amount of work by processing those 10,000 packets per second. Real world network traffic is a mixture of full-frame payloads and small payloads. When doing performance test benchmarks, especially for "selling points", some amount of "poetic license" is taken to make the results look their best.
So my point is that when comparing raw Megabits/second throughput make sure you know the frame size and the data payload size used for the test. What really matters is how many packets per second the firewall can handle. There is usually no big penalty with the size of a given packet, it's the overhead of processing the packet itself that matters most. To make sure you are comparing apples to apples, find out what frame size and data payload was used for the test. Was the frame's payload completely filled, or was it just a tiny payload?
In terms of tuning Suricata, there are a few articles to be found on the web, but don't expect some precise cookbook process of do this, then this and finally this to get petabits/sec performance... The amount of free RAM, the number and types of enabled rules and finally the specific configuration of Suricata's various run modes and CPU core affinity settings determine packet processing throughput. There are also tweakable parameters for the various NIC drivers that influence throughput.
The pfSense Suricata package uses the same general defaults that are shipped in the Suricata source code. There is room for tweaking performance with specific hardware combinations. That tweaking would be a blend of Suricata config changes and adjustments to various sysctl parameters in the OS kernel.
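The pps arithmetic from the reply above, carried through as a small added helper (not code from the thread or from pfSense/Suricata) so two benchmark claims can be normalised to packets per second and re-expressed at a common frame size; the frame sizes and the traffic mix below are assumptions chosen for illustration.

```python
"""Normalise throughput benchmarks to packets per second (pps).

Added example; not part of the original thread. Frame sizes and the
traffic mix are constructed assumptions, not measured values.
"""

BITS_PER_BYTE = 8


def throughput_mbps(frame_bytes: int, pps: float) -> float:
    """Mbit/s carried by a stream of fixed-size frames at a given pps."""
    return frame_bytes * BITS_PER_BYTE * pps / 1_000_000


def pps_from_mbps(mbps: float, frame_bytes: int) -> float:
    """Packets per second a quoted Mbit/s figure implies at a given frame size."""
    return mbps * 1_000_000 / (frame_bytes * BITS_PER_BYTE)


def equivalent_mbps(claimed_mbps: float, claimed_frame: int, other_frame: int) -> float:
    """Re-express a claimed figure at a different frame size, holding pps constant.

    This is the apples-to-apples comparison: the firewall does the same work
    per packet, so the same pps budget yields a very different Mbit/s figure.
    """
    return throughput_mbps(other_frame, pps_from_mbps(claimed_mbps, claimed_frame))


def mix_mbps(pps_capacity: float, mix: list[tuple[int, float]]) -> float:
    """Expected Mbit/s when a fixed pps budget is spent on a mix of frame sizes.

    `mix` is a list of (frame_bytes, share) with the shares summing to 1.0,
    modelling the "mixture of full-frame and small payloads" in real traffic.
    """
    if abs(sum(share for _, share in mix) - 1.0) > 1e-9:
        raise ValueError("mix shares must sum to 1.0")
    return sum(throughput_mbps(fb, pps_capacity * share) for fb, share in mix)


# Assumed mix (constructed, roughly IMIX-like): mostly small frames.
ASSUMED_MIX = [(64, 0.58), (594, 0.33), (1518, 0.09)]

if __name__ == "__main__":
    # The reply's own two cases: 10,000 pps of 8 KB frames vs 64-byte frames.
    print(throughput_mbps(8192, 10_000), throughput_mbps(64, 10_000))
    # A 9 Gbps claim at full 1518-byte frames vs the 100 Mbps seen at ~1500 bytes,
    # both expressed as the pps the device actually had to process.
    print(pps_from_mbps(9_000, 1518), pps_from_mbps(100, 1500))
    # What that 100 Mbps becomes once the pps budget is spent on the assumed mix.
    print(mix_mbps(pps_from_mbps(100, 1500), ASSUMED_MIX))
```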