Monday, September 21, 2020

Improve Snort 3 performance with Hyperscan

By Steve Chew. 

Snort 3 includes native support for Hyperscan pattern matching.  Hyperscan is an open-source, high-performance, regular expression-matching library from Intel that runs on x86 platforms. It supports a large subset of the PCRE syntax and takes advantage of the Intel SIMD instructions. However, it is not yet available for ARM processors. 

Hyperscan provides a significant boost for Snort 3's IPS fast pattern matching when compared to the other available search engines. Hyperscan is up to two times faster than the ac_full engine and three times faster than ac_bfna. Snort 3 will see the most benefit from Hyperscan when using a large ruleset and when doing deep flow inspection.

In addition to using Hyperscan for IPS, Snort 3 can also use it to assist application identification and HTTP inspection. To configure Hyperscan, add this to the Snort 3 Lua configuration: 

search_engine = { search_method = "hyperscan" } 

Hyperscan can also be used for literal content searches during signature evaluation. This feature is turned off by default since it can slow down the startup process. Snort 3 also has a pcre_to_regex option that will use Hyperscan instead of pcre for compatible pcre rule option expressions. It takes more time at start up but is generally faster at run time. To enable these options, simply set the detection.hyperscan_literals and detection.pcre_to_regex options to true in the Snort 3 Lua configuration: 

detection = { hyperscan_literals = true, pcre_to_regex = true } 

Hyperscan can be built from source starting here.  

Or it can be installed via packages on several Linux distributions: 

# apt install libhyperscan-dev 

# dnf install hyperscan-devel 

# pacman -S hyperscan 

If you want to run your own performance tests, clone the snort3_demo repository and look at the perf/README.adoc file. 

For more on Snort 3: