Accelerating Suricata with DPDK

DPDK, Suricata, IDS, IPS, network detection, intrusion detection system, intrusion prevention system, Data Plane Development Kit

Suricata is used in the cybersecurity field to reveal possible intrusions into the supervised environment by monitoring and inspecting live network traffic. However, with large and complex detection rulesets, even multi-threaded Suricata can be overloaded with increasing network traffic. To combat the problem, Suricata has introduced the DPDK capture interface with the aim to improve network throughput and latency. Results presented in a talk by Lukas Sismis on Suricon 2021 show an increase in network throughput by 16%. The talk also presented DPDK Prefilters. These are programs placed in front of Suricata with the purpose of increasing Suricata performance by reducing the amount of network traffic passed to Suricata or by inserting additional pre-computed information inside the packets. DPDK Prefilters ensures that Suricata has a vendor-independent API and at the same time NIC manufacturers can implement asynchronous bypass and metadata injectors to fully use features of their NICs without complicated integration with Suricata. The presentation covers an overview of the DPDK state in Suricata and an in-depth explanation of DPDK Prefilters along with its first preliminary results.