Accelerating Snort, Bro and Suricata with PF_RING ZC


Over the past few months we have spent quite some time accelerating popular open-source IDS/IPS products with PF_RING ZC. As a result, you can now pick your favourite security product: we support all of them, at no cost, using PF_RING ZC in both IDS and IPS mode. Our benchmarks show that the acceleration with respect to vanilla Linux AF_PACKET is good even with standard (non-ZC) PF_RING. We will provide some test results in the near future, but in the meantime we invite you to test it yourself.

  • Snort
    The code for the PF_RING ZC-aware DAQ module can be found in the PF_RING Git repository or as part of our binary PF_RING packages.
  • Suricata
    We have contributed to the PF_RING support in Suricata, and the current code includes our patches; the next stable release will include them. We have revamped PF_RING support, updating the existing code and adding:

    • Support for IPS/TAP (IDS has been supported since day 1).
    • Support for peering interfaces, including sending traffic to them.

    In essence you can now use Suricata in both IDS and IPS mode at high speed.

  • Bro
    Since release 2.3, Bro has included native PF_RING ZC support, and many companies (including Facebook) are already using it: you can be the next one!

It’s now time to update your favourite IDS/IPS with PF_RING ZC!