Hyperscan (for suricata and rspamd)

Just for notice:
While working on a better build of rspamd for arm I noticed upstream builds rspamd with hyperscan for el7. Suricata could be built with hyperscan too, as done by the author of evebox:


https://copr.fedorainfracloud.org/coprs/jasonish/suricata-stable/

Have no idea what hyperscan does/brings to the table though.

2 Likes

Performance improvements.
When I looked into hyperscan I had no reliable way to measure performance. Time to retry it now that I have some tools: I have some rough scripts that I used to analyze suricata ET categories against some packet captures from malware.
Let’s move this topic to a new thread.

1 Like

Done… new topic created.

2 Likes

Some background on Hyperscan, in case anybody is interested. Hyperscan is an open source library for regex (Regular Expression) matching. It is mostly maintained by Intel, and is optimized for Intel’s instruction set. It was developed as a licensed product dating back to 2009, acquired by Intel, and open sourced in 2015. I am told that it is heavily optimized for Intel CPUs. It is my understanding that Titan-IC, an Irish company, is developing an open source version for Arm-based systems. More here: https://www.hyperscan.io/about/

1 Like

Some test results:

  1. suricata used to analyze a 1GB pcap on a VM on my Intel i7
    4.1.4: time elapsed 22.102s
    4.1.5: time elapsed 18.562s

  2. suricata running on AMD GX-412TC SOC to measure bandwidth (iperf)
    4.1.4: 139 Mbits/sec
    4.1.5: 143 Mbits/sec

Notes:

  • 4.1.5 has Hyperscan support.
  • No relevant improvement on AMD processor expected.
  • pcap file
2 Likes