Hi,
I would like to know if Suricata can support port agnostic protocol detection at higher speeds like 100Gbps (100-300 Gbps).
Also, does it use only packet-level info to make detections, or does it need to create flows for protocol detection?
If it uses flows, is there an estimate of the memory needed to cache flows?
Hi, by port are you referring to the protocol port or the physical port on your NIC?
Suricata can be used in high-speed deployments with appropriate
- Hardware resources, including a NIC that can operate at line rate
- Configurations
Hi, it is the protocol port. I was checking this document, 8.43. Differences From Snort — Suricata 7.0.2 documentation, and found “In Suricata, protocol detection is port agnostic (in most cases)”.
So, my question is whether at higher speeds (100-300 Gbps) it can still do port-agnostic protocol detection?
Protocol detection can always be port-agnostic at whatever speed. As Jeff mentioned it is really a question of how much processing power you have available and how fine-tuned your setup is.
With the speeds mentioned, you are getting into advanced setups, and running and deploying Suricata will not work out of the box.
Tuning Suricata should be OK for higher speed; I am not expecting it to work out of the box with default settings. I would like to know of any limitations in protocol detection at higher speed. I do have access to hardware that can support higher line rates. If there are no limitations then it is fine. Thanks!
There’s nothing inherent in high-speed deployments that will affect this.
Deploying Suricata on hardware capable of providing 100Gbps+ network packets to a system’s memory is possible with effort. @pevma has discussed many of the configuration steps in https://raw.githubusercontent.com/pevma/SEPTun-Mark-II/master/SEPTun-Mark-II.pdf
Suricata’s inspection capabilities will work, even at these speeds. Suricata cannot overcome packet loss so it’s important to choose hardware appropriate for the deployment and then scale your Suricata deployment.
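The thread asks two things the replies only touch on in passing: whether protocol detection is tied to ports, and where the flow memory is bounded. The suricata.yaml fragment below is an added illustration written for this page, not a config posted by any participant and not sizing advice. Suricata's app-layer protocol detection runs on the first payload bytes of a flow (the probing parsers), so the flow engine's settings are what the memory question is really about; `detection-ports` only tells Suricata where to try a protocol first, it does not restrict detection to that port. All numeric values are assumptions chosen to make the keys readable and must be tuned against your own traffic.

```yaml
# Added example for this thread; not a posted configuration.
# Values are assumptions for illustration, not recommendations for 100 Gbps.

flow:
  memcap: 4gb            # hard ceiling for flow-table memory; tune until the
                         # 'flow.memcap' counter in stats.log stays at 0
  hash-size: 1048576     # flow hash buckets (assumed value)
  prealloc: 1000000      # flows allocated at startup to avoid alloc churn (assumed)
  emergency-recovery: 30 # % of flows to free when memcap is hit

app-layer:
  protocols:
    tls:
      enabled: yes
      detection-ports:
        dp: 443          # tried first on 443; TLS on other ports is still
                         # detected by the probing parsers
    http:
      enabled: yes       # HTTP is detected on any port, no port list needed
```

With this in place a rule written against the application-layer protocol rather than a port, for example `alert tls any any -> any !443 (msg:"TLS on a non-443 port"; flow:to_server; sid:1000001; rev:1;)`, fires when TLS is detected regardless of the port in use (sid is a placeholder from the local range). To confirm what the running instance actually loaded, `suricata --dump-config | grep '^flow\.'` prints the effective flow settings, and `flow.memcap` in stats.log rising above 0 means the memcap above is too small for the observed flow count.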