Profiling of all Suricata rules

I would like to profile my list of Suricata rules using a single PCAP file to know the estimated cost of running each rule when there is a packet match in the future. The PCAP file may not have the traffic that hit on all rules, and some rules would be dropped during the prefilter stage. I would not want to change the PCAP file to hit on all rules as I do have like 1000 rules.

How can I configure Suricata to profile ALL rules, or if that is not possible, how can I do a minimal change of the source code to skip the prefilter stage so all rules go through the evaluation stage for profiling?

I would like to correct your view of the prefilters - they don’t drop rules from the evaluation, but rather they add rules to evaluate. So each packet/stream evaluation starts with no rules to evaluate, and if certain prefilters match, then the prefilters add the specific rules to fully evaluate. (See e.g. the function PrefilterAddSids(&det_ctx->pmq, ctx->sigs_array, ctx->sigs_cnt); which adds signatures in the specific prefilter context if the prefilter matches to the Pattern Matcher Queue (PMQ) array.)

I think the easiest bypass of prefilters is to add a very ineffective prefilter that would ideally match on all packets. See: 8.10. Prefiltering Keywords — Suricata 9.0.0-dev documentation

The prefilter doesn’t necessarily need to be fast_pattern, it may be more specific to e.g. IP header to minimize the cost of the redundant prefilter.

At least that would be my first direction to explore.

But I don’t think that prefilter skipping would help you to evaluate the full ruleset cost. Prefilters are an important part of the rules and should be considered in the evaluation. Even if you drop the prefilters, an evaluation of a rule with e.g. many content matches will be short-circuited on the first content match that is not found.