Rule Performance Profiling

logoyda · December 14, 2021, 1:14am

I have Suricata built with --enable-profiling and am getting results in rule_perf.log. However, the results are only for signatures that are matching.

To debug this, I made two dummy rules to run against a PCAP with only HTTP GET Requests.

alert http any any -> any any (sid:1; msg:"test"; flow:established,to_server; http.method; content:"GET";)
alert http any any -> any any (sid:2; msg:"test"; flow:established,to_server; http.method; content:"POST";)

I would expect these rules to be processed in pretty much the same way. When I go to rule_perf.log, I only see

  Date: 12/13/2021 -- 18:10:32. Sorted by: max ticks.
  --------------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- -------------- 
  1        1            1        0        148198       100.00 5        5        102360      29639.60    29639.60    0.00

Is this expected/normal? And if so, is there a way to show performance stats for non-matching signatures? In my real use-case, I am trying to calculate performance cost for pcre sigs.

My conf for the profiling section looks like:

profiling:
  # Run profiling for every xth packet. The default is 1, which means we
  # profile every packet. If set to 1000, one packet is profiled for every
  # 1000 received.
  #sample-rate: 1000

  # rule profiling
  rules:

    # Profiling can be disabled here, but it will still have a
    # performance impact if compiled in.
    enabled: yes
    filename: rule_perf.log
    append: no

    # Sort options: ticks, avgticks, checks, matches, maxticks
    # If commented out all the sort options will be used.
    sort: maxticks

    # Limit the number of sids for which stats are shown at exit (per sort).
    # limit: 20

    # output to json
    json: no

jufajardini · December 14, 2021, 10:24am

Hi Michael,

From the documentation (9.9. Rule Profiling — Suricata 7.0.0-dev documentation) I would have expected, as you said, to see both rules listed.

Can you share the pcap, so I can run it locally and see what results do I get?

Just in case, what Suricata version are you running?

Thanks!

vjulien · December 14, 2021, 11:21am

This looks like it works as expected. The rule looking for the POST is not evaluated as the prefilter stage decides its not possible for it to match on the GET requests.

logoyda · December 14, 2021, 10:32pm

@jufajardini Looks like I pulled down 6.0.5-dev. Here is a similar pcap, in case you still want it. This returns 3 hits on SID:1 and nothing on SID:2.
file_transfer_yara_test-modified.pcap (11.8 KB)

@vjulien Thanks, that makes sense – rule profiling occurs only after MPM, if I’m reading this section correctly.

jufajardini · December 15, 2021, 10:03am

Thanks Michael! But I’m guessing that you already have your answer, now.

And yes, your understanding of the MPM sounds correct, on that regard.

Topic		Replies	Views
Some match bypass? Rules rules	27	1743	September 17, 2021
Weird result when comparing Suricata detections with snort (using same traffic) - what am I missing? Help	4	776	December 13, 2021
HTTP rule does not detect http.uri after a certain time Help rules , suricata	1	143	February 28, 2024
Performance highly dependent on flow:established Rules	3	1210	July 23, 2021
Suricata not trigger Alert via file Pcap record from Wireshark Help	5	651	June 8, 2023

Rule Performance Profiling

Related Topics