In a SuriCon presentation on the Suricata prefilter, it is mentioned that simply enabling the prefilter on asymmetrical links can bring a 10%+ performance improvement.
Is there documentation on how to enable prefilters?
What are the drawbacks of enabling prefilters?
Is there any link between bypass signatures and DPDK prefilters?
Hi Francois,
DPDK Prefilter is not yet officially part of the Suricata codebase, but it is currently residing on my GitHub branch suricata/dpdk/prefilter at feat/5203-primary-app-v14 · lukashino/suricata · GitHub
The instructions are right on the GitHub readme page. If you have problems, I can help you out.
In short, pros/cons:
Benefits - more effective packet prefiltration (bypass)
Drawbacks - a bit more complicated architecture - you have one extra app running.
I think it can be beneficial especially if you have a lot of traffic to bypass. Regardless, I'll be glad for any feedback.
And to address the question - the link between bypass sigs and DPDK prefilters. Well, the point is to offload the bypass functionality from Suricata to DPDK Prefilter. Suri and DPDK Prefilter are connected not only by packet queues but also by a bypass channel. So anytime Suricata wants to bypass a flow, Suri tells DPDK Prefilter about the flow, and the bypass can be caused either by a rule or by an internal Suricata setting - e.g. bypass encrypted traffic.
I am not sure what your use case is, but if you do IDS only then you may find DPDK Bonding an alternative: 21.7. DPDK — Suricata 8.0.0-dev documentation
Thanks Lukas for the explanation.
I will try this out.
With the DPDK prefilter on TLS traffic, can you filter on established flows, so that we still have the TLS handshake reach the Suricata rule engine?
Yes, it works the same as with the Suricata implementation - the difference is that when Suricata issues the bypass, it is not only noted in the Suricata flow table but also forwarded to the DPDK Prefilter.
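The two bypass triggers Lukas mentions (a rule, or an internal setting such as bypassing encrypted traffic) are standard Suricata configuration; the following suricata.yaml fragment is an added example, not taken from the thread or from the lukashino branch, and it deliberately leaves out the DPDK Prefilter-specific setup, which lives in that branch's README. It shows the stock settings that make Suricata issue a bypass decision in the first place, which the prefilter then receives over the bypass channel.

```yaml
# Added example (not from the thread or the prefilter branch): the stock
# Suricata settings that produce bypass decisions. With DPDK Prefilter
# attached, each decision is additionally forwarded to the prefilter app.
stream:
  # Allow flows to be taken out of inspection once a bypass is decided,
  # whether by a rule or by an internal setting.
  bypass: yes

app-layer:
  protocols:
    tls:
      enabled: yes
      # "bypass": the TLS handshake is still parsed and matched against
      # rules; only the encrypted application data after the handshake
      # is bypassed. Other accepted values are "default" and "full".
      encryption-handling: bypass
```

The rule-driven path uses the `bypass` rule keyword: a signature that matches (typically with `flow:established`) and carries `bypass;` in its options marks that flow for bypass, and the TLS setting above keeps the handshake visible to the rule engine exactly as asked in the question. Verify the effect with the `bypassed` counters in stats.log before trusting a production deployment.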