Tuning Suricata Intrusion Detection System for High Performance on a Single Non-Uniform Memory Access Node

Abstract

The rapid increase in network capacity poses a challenge in detecting cyber attacks. Suricata is a modern intrusion detection system(IDS) used to monitor network traffic to detect cyberattacks. Telenor is monitoring considerable amounts of network traffic with IDS-servers, commonly referred to as sensors. Occasionally, the traffic load reaches a point where theIDS drops some of the incoming packets, termed packet loss. This is a serious problem, asit can lead to undetected threats. With this in mind, Telenor wants to find out if a lossless detection can be achieved by tuning Suricata for high performance. This can be accomplished by pinning dedicated CPUs to Suricata and by optimizing the process from when the packets arrive at the sensor until they have been processed by Suricata. Additionally, anon-uniform memory access (NUMA) topology will be employed to reduce data latency. NUMA is a memory architecture where the processing units are divided into two NUMA nodes with their own local memory attached. By using the NUMA node where the packets arrive, Suricata should in theory operate more efficiently. The Suricata performance is affected by several factors, such as the hardware capability and capacity, BIOS settings, and the traffic type. The sensors also run other critical processes on the same NUMA node. An additional goal is therefore to limit the processing power reserved for Suricata.