Need some help to define an if statement in snort3's Makefile

@efahl @xxxx @flyn

I created PR#23904 to add Vectorscan, which does an amazing job with snort3 throughput as tested on my filogic/glinet_gl-mt6000. With vectorscan compiled into snort3, my d/l throughput increased by 3-4x.

Download speed wo/ using vectorscan: 90-110 Mbit/s (n=3)
Download speed using vectorscan: 340-357 Mbit/s (n=3)

Naturally, I want to modify the snort3 package to leverage it. What is the right syntax for this if statement in order to query multiple targets? I don't want to define them one-by-one. My commented line below does not work.

#ifdef CONFIG_TARGET_mediatek_filogic||CONFIG_TARGET_bcm27xx_bcm2711||CONFIG_TARGET_bcm27xx_bcm2712
ifdef CONFIG_TARGET_mediatek_filogic
        CMAKE_OPTIONS += -DHS_INCLUDE_DIRS=$(STAGING_DIR)/usr/include/hs
endif

I'm pretty sure make's ifdef only takes a single argument, no way to do expressions with multiple choices. Is there a single "platform" config var that will cover those, something like CONFIG_aarch64??? (I found that in feeds/packages/utils/oci-runtime-tools/Makefile)
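
Added example, not part of any post in this thread and not the snort3 package's own Makefile: one way to test several CONFIG_ symbols in a single GNU make conditional is `ifneq` over their combined expansions. The file name multi-target.mk and the STAGING_DIR default are assumptions so the fragment can be run stand-alone.

```makefile
# Added example, not from the snort3 package Makefile.
# Run stand-alone (hypothetical file name):
#   make -f multi-target.mk CONFIG_TARGET_bcm27xx_bcm2712=y
#   make -f multi-target.mk

# Constructed placeholder; the OpenWrt build system sets the real value.
STAGING_DIR ?= /tmp/staging_dir

# The three target symbols from the question. In an OpenWrt build a selected
# symbol expands to "y"; an unselected one is undefined and expands to nothing.
VECTORSCAN_TARGETS := \
  $(CONFIG_TARGET_mediatek_filogic) \
  $(CONFIG_TARGET_bcm27xx_bcm2711) \
  $(CONFIG_TARGET_bcm27xx_bcm2712)

# ifdef accepts one variable name, but ifneq compares two expanded strings.
# $(strip ...) removes the separating whitespace, so the left side is empty
# only when none of the symbols is set. That makes this a logical OR.
ifneq ($(strip $(VECTORSCAN_TARGETS)),)
  CMAKE_OPTIONS += -DHS_INCLUDE_DIRS=$(STAGING_DIR)/usr/include/hs
endif

# Stricter variant: count only symbols whose value is exactly "y".
ifneq ($(filter y,$(VECTORSCAN_TARGETS)),)
  VECTORSCAN_SELECTED := yes
else
  VECTORSCAN_SELECTED := no
endif

# Print the result at parse time so the effect of each invocation is visible.
$(info VECTORSCAN_SELECTED = $(VECTORSCAN_SELECTED))
$(info CMAKE_OPTIONS = $(CMAKE_OPTIONS))

# Empty default target so make has something to build when run stand-alone.
.PHONY: all
all: ;
```
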

Does DEPENDS:=@aarch64 cover the intended devices? According to their readme:

ARM NEON/ASIMD and Power VSX are 100% supported

Hmm, maybe? Looking at https://github.com/VectorCamp/vectorscan/blob/develop/cmake/archdetect.cmake they reference aarch64 a couple of times and it looks like it might work for a bunch of variants (beware, I know next to nothing about ARM variants).

I changed it to aarch64... let's see what the reviewers have to say. The benefits for these little CPUs are pretty amazing. 2-4x depending. From my commit message:

The performance difference of snort3 compiled against this is sizable.

Test SoC #1 filogic/glinet_gl-mt6000

In IDS mode:
Download speed wo/ vectorscan: 91.2 ±0.21 Mbit/s (n=3)
Download speed using vectorscan: 331.0 ±27.34 Mbit/s (n=3)
Gain of 3.6x

In IPS mode:
Download speed wo/ vectorscan: 30.0 ±0.06 Mbit/s (n=3)
Download speed using vectorscan: 52.9 ±0.78 Mbit/s (n=3)
Gain of 1.8x

Notes:
* Data generated on snapshot build on 12-Apr-2024 using kernel version 6.6.26,
  snort version 3.1.84.0, vectorscan version 5.4.11.
* Speedtest script hitting the same server.
* Snort rules file was 37,917 lines/22 MB.
* In all cases, single core CPU saturation occurred which speaks to the efficiency
  gains supplied by vectorscan.

Test SoC 2 bcm2712/RPi5B
IDS mode:
Using iperf3 to send wo/ vectorscan: 515 Mbits/sec
Using iperf3 to send using vectorscan: 934 Mbits/sec
Gain of >1.8x (934 Mbits/sec is the theoretical max)

IPS mode:
Using iperf3 to send wo/ vectorscan: 259 Mbits/sec
Using iperf3 to send using vectorscan: 934 Mbits/sec
Gain of >3.7x (934 Mbits/sec is the theoretical max)

That's pretty amazing.

Why do the values from IDS to IPS mode differ so greatly? The throughput should actually be similar.

Cannot explain why IDS and IPS are different. I edited my post above, adding an RPi5B test with iperf3.

I assume you are using Pcap mode for IDS and NFQ mode for IPS, right? That could explain the difference. The problem is we don't know if in Pcap IDS mode Snort is checking all packets and not dropping packets because the CPU can't keep up. This would not have a big impact on the data flow because Snort is only a viewer, but it would jeopardize security because Snort could miss attacks in the data stream. For this reason, it might be better to test in IPS mode in general, because it waits for the verdict statement from Snort and if Snort is not fast enough, the bandwidth is limited.
The iperf values look good; I wouldn't have thought that the Arm processors would achieve so much.
