Long `HOME_NET` list leads to very slow startup times?

scottmudge · March 17, 2023, 5:01pm

Standard version 7.0.0-rc1 installation, mostly default config with EmergingThreats open ruleset installed via suricata-update.

When using the default HOME_NET set (maybe 2 or 3 entries), Suricata seems to take 3 seconds or so to startup and start processing the requested input.

However, if I add the 40 or so subnets which I would like to be considered ‘internal’, the startup time balloons to like 45 seconds, sometimes longer.

I’m assuming it has to do with parsing/compiling all of the rules (delay happens after SigAddressPrepareStage1 entry in suricata.log), but my main concern is if there is going to be a similar amount of overhead in the processing of the rules against the network traffic as well? Or is it only a cost at startup?

Is this kind of behavior expected? I noticed the same with v6.0.8 I believe as well.

IDSTower · March 17, 2023, 6:00pm

It should speed up the detection, especially if your rules use home_net variable extensively, since a big portion of the traffic will not be matched against.

scottmudge · March 17, 2023, 6:26pm

Good to know. So it’s more of an ‘upfront cost’ then with respect to startup time.

Is the slow startup with a long list of HOME_NET subnets a normal thing?

Jeff_Lucovsky · March 18, 2023, 1:13pm

Can you post your HOME_NET values here? Of course, redact sensitive information but give enough info so we can get the gist of it:
HOME_NET: [subnet1.x.y.z/16,...] or whatever you’re using?

Topic		Replies	Views
Suricata configuration with no actual "HOME NET"? Help community	4	265	February 25, 2024
$HOME_NET and multiple interfaces, plus deployment best practices Help	3	3555	June 27, 2020
Suricata config file question Help	1	345	April 4, 2021
Suricata with NFQUEUE as IPS - Slow network Help ips	2	488	June 16, 2021
Suricata and CPU, NIC choices Help	2	771	January 12, 2022

Long `HOME_NET` list leads to very slow startup times?

Related Topics