Rule Performance Profiling

I have Suricata built with --enable-profiling and am getting results in rule_perf.log. However, the results are only for signatures that are matching.

To debug this, I made two dummy rules to run against a PCAP with only HTTP GET Requests.

alert http any any -> any any (sid:1; msg:"test"; flow:established,to_server; http.method; content:"GET";)
alert http any any -> any any (sid:2; msg:"test"; flow:established,to_server; http.method; content:"POST";)

I would expect these rules to be processed in pretty much the same way. When I go to rule_perf.log, I only see

  Date: 12/13/2021 -- 18:10:32. Sorted by: max ticks.
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        1            1        0        148198       100.00 5        5        102360      29639.60    29639.60    0.00       

Is this expected/normal? And if so, is there a way to show performance stats for non-matching signatures? In my real use-case, I am trying to calculate performance cost for pcre sigs.

My conf for the profiling section looks like:

  profiling:
    # Run profiling for every xth packet. The default is 1, which means we
    # profile every packet. If set to 1000, one packet is profiled for every
    # 1000 received.
    #sample-rate: 1000

    # rule profiling
    rules:

      # Profiling can be disabled here, but it will still have a
      # performance impact if compiled in.
      enabled: yes
      filename: rule_perf.log
      append: no

      # Sort options: ticks, avgticks, checks, matches, maxticks
      # If commented out all the sort options will be used.
      sort: maxticks

      # Limit the number of sids for which stats are shown at exit (per sort).
      # limit: 20

      # output to json
      json: no

Hi Michael,

From the documentation (9.9. Rule Profiling — Suricata 7.0.0-dev documentation) I would have expected, as you said, to see both rules listed.

Can you share the pcap, so I can run it locally and see what results I get?

Just in case, what Suricata version are you running?

Thanks! :slight_smile:

This looks like it works as expected. The rule looking for the POST is not evaluated, as the prefilter stage decides it's not possible for it to match on the GET requests.

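The gating described in the answer above has a practical consequence for anyone reading rule_perf.log: a rule that is absent from the table was never checked, which is not the same as a rule that cost nothing. The script below is an added example, not code from this thread or from the Suricata project. It parses the rule_perf.log table layout shown earlier in the thread, extracts the sids from a rules file, and reports which loaded sids never reached per-rule evaluation. The sample log and rules are constructed inline, modelled on the ones posted above; the column names are my own labels for the columns in the table.

```python
"""Cross-check a Suricata rule_perf.log dump against the loaded rules.

Added example (not from the thread or from Suricata). Rule profiling only
records rules that survive the prefilter/MPM stage, so a sid that is loaded
but missing from rule_perf.log was never checked at all.
"""
import re

# Constructed sample input, modelled on the rule_perf.log table posted above.
RULE_PERF_LOG = """\
  Date: 12/13/2021 -- 18:10:32. Sorted by: max ticks.
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
  1        1            1        0        148198       100.00 5        5        102360      29639.60    29639.60    0.00
"""

# Constructed sample rules file, modelled on the two rules posted above.
RULES = """\
alert http any any -> any any (sid:1; msg:"test"; flow:established,to_server; http.method; content:"GET";)
alert http any any -> any any (sid:2; msg:"test"; flow:established,to_server; http.method; content:"POST";)
"""

# Labels for the twelve columns of the table, in order. The "Rule" column
# holds the sid; these names are this example's own, not Suricata's.
COLUMNS = ("num", "sid", "gid", "rev", "ticks", "pct", "checks", "matches",
           "max_ticks", "avg_ticks", "avg_match", "avg_nomatch")
INT_COLUMNS = ("num", "sid", "gid", "rev", "ticks", "checks", "matches", "max_ticks")
FLOAT_COLUMNS = ("pct", "avg_ticks", "avg_match", "avg_nomatch")

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def parse_rule_perf(text):
    """Return {sid: {column: value}} for every data row of a rule_perf.log dump.

    Header, separator and date lines are skipped: they either do not split
    into exactly twelve fields or do not start with a row number.
    """
    stats = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != len(COLUMNS) or not fields[0].isdigit():
            continue
        row = dict(zip(COLUMNS, fields))
        for key in INT_COLUMNS:
            row[key] = int(row[key])
        for key in FLOAT_COLUMNS:
            row[key] = float(row[key])
        stats[row["sid"]] = row
    return stats


def loaded_sids(rules_text):
    """Collect the sid of every active (non-comment) rule in a rules file."""
    sids = set()
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = SID_RE.search(line)
        if match:
            sids.add(int(match.group(1)))
    return sids


def unchecked_sids(rules_text, perf_text):
    """Sids that were loaded but never appear in the profiling output."""
    return sorted(loaded_sids(rules_text) - set(parse_rule_perf(perf_text)))


def report(rules_text, perf_text):
    """Human-readable summary: per-sid counters plus the never-checked list."""
    stats = parse_rule_perf(perf_text)
    lines = []
    for sid in sorted(loaded_sids(rules_text)):
        row = stats.get(sid)
        if row is None:
            lines.append(f"sid {sid}: not in rule_perf.log (never passed prefilter)")
        else:
            lines.append(f"sid {sid}: checks={row['checks']} matches={row['matches']} "
                         f"avg_ticks={row['avg_ticks']:.2f} "
                         f"avg_nomatch={row['avg_nomatch']:.2f}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(RULES, RULE_PERF_LOG))
```

Against the constructed input, sid 1 shows five checks and sid 2 is reported as never checked, which is exactly the situation in the thread. For the pcre use case this means the rule under test needs a content match that the prefilter does find on the traffic, so that the pcre is actually evaluated; the "Avg No Match" column then reflects its cost on non-matching packets.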

@jufajardini Looks like I pulled down 6.0.5-dev. Here is a similar pcap, in case you still want it. This returns 3 hits on SID:1 and nothing on SID:2.
file_transfer_yara_test-modified.pcap (11.8 KB)

@vjulien Thanks, that makes sense: rule profiling occurs only after MPM, if I'm reading this section correctly.


Thanks Michael! But I'm guessing that you already have your answer, now. :wink:

And yes, your understanding of the MPM sounds correct, on that regard.