Disabling http analysis


The environment where I use Suricata has a lot of HTTP traffic.
So, it is judged that there is a problem with performance.
If I turn off http analysis, I want to know what side effects there will be.
(app-layer> http> enabled: no)

For example, can’t I use http-related options in snort rules?
(eg: http_method, http_uri…)
I wonder what other influences will be.


It will mean that all the rules that use alert http ... or any http_* rule keyword will be ineffective. It will also disable file extraction for http. I would recommend looking at improving performance in other ways, like more tuning, using better hardware, etc.
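To gauge that impact before changing the setting, here is an added example (not part of the original thread and not Suricata project code) that lists the active rules in a ruleset which use the `http` protocol or an `http_*` / `http.*` keyword. The sample rules, SIDs and the function name `http_dependent_rules` are constructed assumptions, and file-extraction keywords are not covered.

```python
import re

# Constructed sample rules (not from the thread); SIDs are placeholders.
SAMPLE_RULES = r'''
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"constructed: admin POST"; http.method; content:"POST"; http.uri; content:"/admin"; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"constructed: legacy modifier"; content:"/login"; http_uri; sid:1000002; rev:1;)
alert tcp any any -> any 445 (msg:"constructed: mentions \; http_uri\; in text only"; content:"SMB"; sid:1000003; rev:1;)
# alert http any any -> any any (msg:"constructed: disabled rule"; sid:1000004; rev:1;)
alert dns any any -> any any (msg:"constructed: dns"; dns.query; content:"example"; sid:1000005; rev:1;)
'''

# "<action> <proto> " at line start; commented-out (disabled) rules do not match.
RULE_HEAD = re.compile(r'^\s*(alert|drop|pass|reject\w*)\s+(\S+)\s')
# Quoted option values, including escaped characters such as \; and \".
QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')
# Legacy modifiers (http_uri, ...) and sticky buffers (http.uri, ...) used as
# option keywords, i.e. directly after "(" or ";".
HTTP_KEYWORD = re.compile(r'[(;]\s*(http[._][a-z0-9_.]+)(?=\s*[;:])')
SID = re.compile(r'sid\s*:\s*(\d+)')


def http_dependent_rules(rules_text):
    """Return [(sid, reasons)] for active rules that need the HTTP parser."""
    hits = []
    for line in rules_text.splitlines():
        head = RULE_HEAD.match(line)
        if not head:  # blank line, comment, or disabled rule
            continue
        # Blank out quoted strings so text inside msg/content cannot match.
        bare = QUOTED.sub('""', line)
        reasons = []
        if head.group(2).lower() == "http":
            reasons.append("proto:http")
        reasons += sorted(set(HTTP_KEYWORD.findall(bare)))
        if reasons:
            sid = SID.search(bare)
            hits.append((int(sid.group(1)) if sid else None, reasons))
    return hits


if __name__ == "__main__":
    for sid, reasons in http_dependent_rules(SAMPLE_RULES):
        print(f"sid {sid}: {', '.join(reasons)}")
```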

Hi, Victor

In my case, Suricata operates in an environment of about 20 Gbps. Kernel drops occur when the HTTP analysis option is enabled. It seems to be affecting the performance a lot. Are there any options among the settings below that may create load?


```
enabled: yes
personality: IDS

       request-body-limit: 100kb
       response-body-limit: 100kb

       request-body-minimal-inspect-size: 32kb
       request-body-inspect-window: 4kb
       response-body-minimal-inspect-size: 40kb
       response-body-inspect-window: 16kb

       response-body-decompress-layer-limit: 2
       http-body-inline: auto

         enabled: yes
         type: both
         compress-depth: 0
         decompress-depth: 0

       # decoding
       double-decode-path: no
       double-decode-query: no
```