Hi,
I have tried profiling a rule with a flowbit that never gets set.
This rule has some bad and generic content matches so there are no good fits for the MPM.
I can see the rule getting a lot of checks during profiling.
I assumed that checking if flowbits for a rule was set would somehow happen before content matching but it seems that is not the case.
I also have quite a big difference between the ticks_avg (18208) and ticks_max (265992).
The rule has a pcre that could explain the ticks_max.
I guess I want to know if someone could clarify the processing order of:
- MPM content
- other content
- pcre
- flowbits:isset