I have Suricata built with --enable-profiling and am getting results in rule_perf.log. However, the results are only for signatures that are matching.
To debug this, I made two dummy rules to run against a PCAP with only HTTP GET Requests.
alert http any any -> any any (sid:1; msg:"test"; flow:established,to_server; http.method; content:"GET";)
alert http any any -> any any (sid:2; msg:"test"; flow:established,to_server; http.method; content:"POST";)
I would expect these rules to be processed in pretty much the same way. When I go to rule_perf.log, I only see
Date: 12/13/2021 -- 18:10:32. Sorted by: max ticks.
--------------------------------------------------------------------------
  Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
  1        1            1        0        148198       100.00 5        5        102360      29639.60    29639.60    0.00
Is this expected/normal? And if so, is there a way to show performance stats for non-matching signatures? In my real use-case, I am trying to calculate performance cost for pcre sigs.
My conf for the profiling section looks like:
profiling:
  # Run profiling for every xth packet. The default is 1, which means we
  # profile every packet. If set to 1000, one packet is profiled for every
  # 1000 received.
  #sample-rate: 1000

  # rule profiling
  rules:
    # Profiling can be disabled here, but it will still have a
    # performance impact if compiled in.
    enabled: yes
    filename: rule_perf.log
    append: no

    # Sort options: ticks, avgticks, checks, matches, maxticks
    # If commented out all the sort options will be used.
    sort: maxticks

    # Limit the number of sids for which stats are shown at exit (per sort).
    # limit: 20

    # output to json
    json: no
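As an added example (not part of the original post and not Suricata's own tooling), the script below parses the text layout of rule_perf.log shown above, one section per "Sorted by:" header, and compares the sids it finds against the sids in a rules file, so you can list which signatures never got a profiling row at all. The column names, the sample log text and the sample rules embedded in it are constructed from the post's excerpt; the parser assumes the twelve whitespace-separated columns shown there.

```python
"""Parse Suricata's text rule_perf.log and compare it against a rule file.

Added example, not from the original post: a helper to see which sids in a
rule set never appear in the profiling report. The column layout follows the
header shown in the post; the sample log and rule text below are constructed.
"""
import re
from typing import Dict, List, Set

# Constructed sample: same layout as the rule_perf.log excerpt in the post.
SAMPLE_LOG = """\
Date: 12/13/2021 -- 18:10:32. Sorted by: max ticks.
--------------------------------------------------------------------------
  Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
  1        1            1        0        148198       100.00 5        5        102360      29639.60    29639.60    0.00
"""

# Constructed sample rule set: the two test rules from the post.
SAMPLE_RULES = """\
alert http any any -> any any (sid:1; msg:"test"; flow:established,to_server; http.method; content:"GET";)
alert http any any -> any any (sid:2; msg:"test"; flow:established,to_server; http.method; content:"POST";)
"""

# Column names in the order they appear in the text report (assumed from the header).
COLUMNS = ["num", "sid", "gid", "rev", "ticks", "pct", "checks", "matches",
           "max_ticks", "avg_ticks", "avg_match", "avg_no_match"]
INT_COLS = {"num", "sid", "gid", "rev", "ticks", "checks", "matches", "max_ticks"}


def parse_rule_perf(text: str) -> Dict[str, List[dict]]:
    """Return {sort_key: [row, ...]} for every 'Sorted by:' section in the log."""
    sections: Dict[str, List[dict]] = {}
    current = None
    for line in text.splitlines():
        m = re.search(r"Sorted by:\s*(.+?)\.?\s*$", line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        fields = line.split()
        # Data rows have exactly 12 whitespace-separated fields and start with a number;
        # the header row and the dash separator row fail one of those checks.
        if current is None or len(fields) != len(COLUMNS) or not fields[0].isdigit():
            continue
        row = {}
        for name, value in zip(COLUMNS, fields):
            row[name] = int(value) if name in INT_COLS else float(value)
        sections[current].append(row)
    return sections


def sids_in_rules(text: str) -> Set[int]:
    """Collect sid values from a rules file; blank and commented-out lines are skipped."""
    sids: Set[int] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.search(r"\bsid\s*:\s*(\d+)", line)
        if m:
            sids.add(int(m.group(1)))
    return sids


def unprofiled_sids(log_text: str, rules_text: str) -> Set[int]:
    """Sids present in the rule set but absent from every section of the report."""
    seen: Set[int] = set()
    for rows in parse_rule_perf(log_text).values():
        seen.update(r["sid"] for r in rows)
    return sids_in_rules(rules_text) - seen


if __name__ == "__main__":
    for key, rows in parse_rule_perf(SAMPLE_LOG).items():
        print(f"sorted by {key}:")
        for r in rows:
            print(f"  sid {r['sid']}: checks={r['checks']} matches={r['matches']} "
                  f"avg_ticks={r['avg_ticks']:.2f} avg_no_match={r['avg_no_match']:.2f}")
    print("sids with no profiling row:", sorted(unprofiled_sids(SAMPLE_LOG, SAMPLE_RULES)))
```

With the post's own data this reports sid 2 as the only rule without a row, which is exactly the symptom described. Pointing it at a real rule_perf.log and rules file (read both with open()) gives the same comparison for a full rule set, and the per-section dictionaries let you look at Checks versus Matches for the rows that are present.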