Rule profiling not working

dinnershow1 · May 25, 2021, 7:53am

I try to profile rules but I couldn’t find a file named rule_perf.log is result of rule profiling. I’m using Napatech card and would like to profile the rules in realtime traffic. Could I have tried the wrong way?

suricata.log(after suricata on)

{“timestamp”:“2021-05-25T16:41:03.051035+0900”,“log_level”:“Perf”,“event_type”:“engine”,“engine”:{“message”:“Registered 2023 rule profiling counters.”}}

suricata.yaml

profiling:
rules:
enabled: yes
filename: rule_perf.log
sort: avgticks
append: yes
limit: 100
json: yes

build info

This is Suricata version 6.0.2 RELEASE
Features: PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LIBJANSSON PROFILING PROFILE_LOCKING TLS TLS_C11 MAGIC RUST
…
Profiling enabled: yes
Profiling locks enabled: yes
…

Jeff_Lucovsky · May 25, 2021, 12:13pm

Rule profiling will place it’s output in the same directory as the logging. The configuration setting default-log-dir shows this: suricata --dump-config | grep default-log-dir

dinnershow1 · May 26, 2021, 3:39am

@Jeff_Lucovsky
Yes, I found the file. The reason I couldn’t find it was that I started suricata around 5pm and the file was created around 9pm. However, nothing is written in the file. Could you please tell me why?

dinnershow1 · June 4, 2021, 1:37pm

@Jeff_Lucovsky
After configuring suricata for testing and using only 1 core, I started the process. After that, it found that the profiling file is created when exiting through SIGINT.

The actual environment is a multi-core environment, but when I try to terminate a process with SIGINT, a process is not terminated. So the profiling file is not created either.

How can I terminate suricata to get the profiling file?

Jeff_Lucovsky · June 5, 2021, 12:04pm

Hi,

How are you starting Suricata – using systemd or equivalent – or via the command line?

I understand you’re using Suricata 6.0.2 with Napatech.

dinnershow1 · June 5, 2021, 1:32pm

@Jeff_Lucovsky
Hi,
I started suricata via commandline.

/home/xxx/suri/sensor/bin/suricata -c /home/xxx/suri/conf.d/suricata.yaml --napatech

Jeff_Lucovsky · June 7, 2021, 1:45pm

Hi,
I’m not able to replicate the issue on a Suricata 6.0.2 system with a Napatech NIC.

Both SIGTERM and SIGINT were received immediately by Suricata followed by the shutdown sequence.

You state that SIGINT causes Suricata to stop with 1 core but not with multiple cores.

How many Napatech streams are you using? Which card? Which Napatech software version?

dinnershow1 · June 9, 2021, 4:48am

@Jeff_Lucovsky
using 64streams, NT40E3-4-PTP and ntinfo (v. 3.18.0.34-faf32)

I found that the remaining child process is terminated normally after a lot of time has elapsed.

Currently, about 20,000 alert rules are being used, and I found that keyword profiling is displayed normally, but rule profiling is not displayed.

I expected that I used too many alert rules and was using in the large traffic environment of 10-20 Gb/s is a reason that the profiling was not working, So I tried the limit and sapmple-rate options. But it didn’t work.

Can I try increasing the limit or sample-rate further? Or are there other settings to consider?

rule profiling settings
suricata.log

image1342×114 2.82 KB
rule profiling

image1061×366 1.33 KB
keyword profiling

image1038×619 11.5 KB

Jeff_Lucovsky · June 12, 2021, 2:21pm

The sample-rate limits how often profiling is performed – a value of 100,000 means that sampling will occur after 100,000 packets are received and so on. Depending on your traffic rates and other deployment considerations (eg ruleset details), this may be too coarse. Suggest using the default value here – 1000.

dinnershow1 · June 13, 2021, 8:22am

Even if the sample-rate is set to 100, 1000, 10000…, the rule profile is not displayed normally. Currently, 0.25 billion packets are generated per second, and it is not displayed even if the sample-rate is increased to 100 billion.

Jeff_Lucovsky · June 13, 2021, 3:31pm

Can you try an experiment?

Using the same Suricata configuration file, use rule profiling with the default sample-rate with a pcap file.

suricata -c /path/to/configuration-file -r /path/to/pcap-file

Let’s see if there’s something more fundamental going on by using a reduced scope example.

dinnershow1 · June 14, 2021, 4:18am

I tested using a single session dump file of about 17Mb. The rule profile and the keyword profile did not occur. When the sample-rate was set to 1000, no files were created either when commented out.

When checking suricata.log, it was possible to check as follows.

{“timestamp”:“2021-06-14T12:42:12.467216+0900”,“log_level”:“Error”,“event_type”:“engine”,“engine”:{“error_code”:187,“error”: “SC_ERR_RUNMODE”,“message”:“The custom type "workers" doesn’t exist for this runmode type "PCAP_FILE". Please use --list-runmodes to see available custom types for this runmode”}}

So, I tested with runmode as single, but the file was still not created. The log generated at this time is as follows.

{“timestamp”:“2021-06-14T13:15:22.869447+0900”,“log_level”:“Perf”,“event_type”:“engine”,“engine”:{“message”:“0 new flows, 0 established flows were timed out, 0 flows in closed state”}}
{“timestamp”:“2021-06-14T13:15:22.869525+0900”,“log_level”:“Perf”,“event_type”:“engine”,“engine”:{“message”:“0 new flows, 0 established flows were timed out, 0 flows in closed state”}}
{“timestamp”:“2021-06-14T13:15:23.207757+0900”,“log_level”:“Info”,“event_type”:“engine”,“engine”:{“message”:“time elapsed 17.482s” }}
{“timestamp”:“2021-06-14T13:15:23.535419+0900”,“log_level”:“Perf”,“event_type”:“engine”,“engine”:{“message”:“2 flows processed”} }
{“timestamp”:“2021-06-14T13:15:23.535490+0900”,“log_level”:“Perf”,“event_type”:“engine”,“engine”:{“message”:“28 flows processed”} }
{“timestamp”:“2021-06-14T13:15:23.535511+0900”,“log_level”:“Perf”,“event_type”:“engine”,“engine”:{“message”:“0 flows processed”} }
{“timestamp”:“2021-06-14T13:15:23.535567+0900”,“log_level”:“Perf”,“event_type”:“engine”,“engine”:{“message”:“13 flows processed”} }
{“timestamp”:“2021-06-14T13:15:23.603954+0900”,“log_level”:“Notice”,“event_type”:“engine”,“engine”:{“message”:“Pcap-file module read 1 files, 385491 packets, 519718810 bytes”}}
{“timestamp”:“2021-06-14T13:15:23.630633+0900”,“log_level”:“Info”,“event_type”:“engine”,“engine”:{“message”:“Alerts: 0”} }
{“timestamp”:“2021-06-14T13:15:24.490508+0900”,“log_level”:“Perf”,“event_type”:“engine”,“engine”:{“message”:“ippair memory usage: 414144 bytes, maximum: 16777216”}}
{“timestamp”:“2021-06-14T13:15:31.102299+0900”,“log_level”:“Perf”,“event_type”:“engine”,“engine”:{“message”:"Done dumping profiling data. "}}
{“timestamp”:“2021-06-14T13:15:31.102364+0900”,“log_level”:“Perf”,“event_type”:“engine”,“engine”:{“message”:“host memory usage: 20307200 bytes, maximum: 1073741824”}}
{“timestamp”:“2021-06-14T13:15:31.149485+0900”,“log_level”:“Perf”,“event_type”:“engine”,“engine”:{“message”:“Dumping profiling data for 20276 rules.”}}
{“timestamp”:“2021-06-14T13:15:31.156440+0900”,“log_level”:“Perf”,“event_type”:“engine”,“engine”:{“message”:"Done dumping profiling data. "}}
{“timestamp”:“2021-06-14T13:15:31.156872+0900”,“log_level”:“Perf”,“event_type”:“engine”,“engine”:{“message”:“Done dumping keyword profiling data .”}}
{“timestamp”:“2021-06-14T13:15:31.299257+0900”,“log_level”:“Info”,“event_type”:“engine”,“engine”:{“message”:“cleaning up signature grouping structure …complete”}}
{“timestamp”:“2021-06-14T13:15:31.306878+0900”,“log_level”:“Perf”,“event_type”:“engine”,“engine”:{“message”:"Cleaning up Hyperscan global scratch "}}
{“timestamp”:“2021-06-14T13:15:31.306920+0900”,“log_level”:“Perf”,“event_type”:“engine”,“engine”:{“message”:“Clearing Hyperscan database cache” }}

Jeff_Lucovsky · June 14, 2021, 11:42am

This doesn’t match what I’d expect.

Can you provide the exact command line you used to process the pcap files?
Can you upload the suricata configuration file you’re using?

dinnershow1 · June 15, 2021, 7:45am

Sensitive information is partially corrected and delivered.
And by suricata1.yaml, the runmode is workers, but in the second attempt above, I changed the runmode to single and operated it.
I also tried setting the sample rate to 1000 and commented it out.

command line
./sensor/bin/suricata -c ./suricata1.yaml -r ./test.pcap

suricata1.yaml (10.2 KB)

pevma · June 15, 2021, 1:09pm

I think you need to have relevant rules hitting in order to get those stats in rule_perf.log going.
For example if you run against a pcap that has some relevant traffic you should get the log populated - i just did small run on latest master

Jeff_Lucovsky · June 15, 2021, 10:40pm

Additionally, if you add --runmode=autofp to the command line i listed the other day, you’ll get rule profiling information (if, as @pevma states, there are packets that match the rules you’re using)

dinnershow1 · June 16, 2021, 6:31am

@Jeff_Lucovsky @pevma
Does the rule_profiling function only work in autofp runmode?

Jeff_Lucovsky · June 16, 2021, 11:20am

Rule profiling is orthogonal from the runmode … they’re not directly related.

autofp is needed when reading from a pcap file.

suricata --list-runmodes displays the runmodes available for each packet source (pcap, af_packet, …). When using pcap files, runmode must be single or autofp

Topic		Replies	Views
Rule profiling functionality Help	1	1333	September 19, 2020
Rule Performance Profiling Rules rules	4	1050	December 15, 2021
Analysis of the rule_perf.log log file	1	146	February 28, 2024
Suricata is not running after 260k loaded rules Help suricata	6	408	January 18, 2023
Suricata Rule Tuning Help rules , suricata	4	63	August 19, 2024

Rule profiling not working

Related Topics