Hi, everyone.
Please help me with rule tuning.
Environment
OS: Debian 12
Software: Suricata 7.0.6 (installed from Git)
Background
I want to find security incidents by using Suricata.
I tested Suricata with only the ET Pro rules applied.
ET Pro has about 70000 rules.
Suricata was able to handle 500Mbps of traffic without any drops or delays.
After that, I added some rules.
The rules I added were mainly for the following sids, and the total number of rules was about 30,000.
https://sidallocation.org/
I tested it by running 500Mbps of traffic for 1 hour.
Suricata dropped about 80% of packets.
I rebuilt Suricata with --enable-profiling-rules and --enable-profiling and tested it by running 500Mbps of traffic for 10 minutes.
I got rule_perf.log but could not find the cause.
Question
I have uploaded the logs. Please tell me how to tune the rules.
keyword_perf.log (6.6 KB)
prefilter_perf.log (8.1 KB)
rule_group_perf.log (1.6 KB)
rule_perf.log (25.3 KB)
stats.log (444.2 KB)
suricata.log (5.2 KB)
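An added example (not part of the post above, and not Suricata's own tooling) showing the first analysis a reviewer would do with the uploaded files: compute the kernel drop rate from stats.log, then rank rule_perf.log entries by ticks and single out rules that consume a large share of detection time while never matching. Both sample inputs are constructed. The parser assumes the text layout of stats.log (`counter | TM name | value`) and the tabular rule_perf.log layout (`Num Rule Gid Rev Ticks % Checks Matches Max Ticks Avg Ticks Avg Match Avg No Match`); if your build writes rule profiling as JSON, the row parser would need to be swapped for a json.loads of each line.

```python
"""Rank rule_perf.log rows and compute the packet drop rate from stats.log.

Added example, not code from the forum post or from the Suricata project.
Assumptions: stats.log rows look like "counter | TM name | value" and
rule_perf.log rows are whitespace-separated columns in the order
Num Rule Gid Rev Ticks % Checks Matches MaxTicks AvgTicks AvgMatch AvgNoMatch.
All sample data below is constructed.
"""

# Constructed stats.log excerpt: 1,000,000 packets seen by the kernel, 800,000 dropped.
STATS_SAMPLE = """\
------------------------------------------------------------------------------------
Date: 1/1/2024 -- 00:10:00 (uptime: 0d, 00h 10m 00s)
------------------------------------------------------------------------------------
Counter                                    | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                     | Total                     | 1000000
capture.kernel_drops                       | Total                     | 800000
decoder.pkts                               | Total                     | 200000
detect.alert                               | Total                     | 42
"""

# Constructed rule_perf.log excerpt: two expensive custom sids, one cheap one.
RULE_PERF_SAMPLE = """\
  ----------------------------------------------------------------------
  Date: 1/1/2024 -- 00:10:00
  ----------------------------------------------------------------------
   Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
  1        9000001      1        1        900000000    60.00  1000000  0        1200        900.00      0.00        900.00
  2        9000002      1        2        300000000    20.00  1000000  3        1500        300.00      400.00      300.00
  3        2000001      1        5        1000000      0.07   5000     1        700         200.00      250.00      200.00
"""


def parse_stats(text):
    """Return {(counter, tm_name): value} for every numeric row in a stats.log dump."""
    counters = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3:
            continue  # separators, date line, column header
        name, tm_name, value = parts
        if value.isdigit():
            counters[(name, tm_name)] = int(value)
    return counters


def drop_rate(text):
    """Fraction of packets the kernel dropped before Suricata processed them."""
    c = parse_stats(text)
    pkts = c.get(("capture.kernel_packets", "Total"), 0)
    drops = c.get(("capture.kernel_drops", "Total"), 0)
    return drops / pkts if pkts else 0.0


def parse_rule_perf(text):
    """Parse the per-rule table into dicts; header and separator rows are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 12 or not f[0].isdigit() or not f[1].isdigit():
            continue
        rows.append({
            "sid": int(f[1]), "gid": int(f[2]), "rev": int(f[3]),
            "ticks": int(f[4]), "percent": float(f[5]),
            "checks": int(f[6]), "matches": int(f[7]),
            "avg_nomatch": float(f[11]),
        })
    return rows


def top_rules(text, n=5):
    """Rules sorted by total ticks, most expensive first."""
    return sorted(parse_rule_perf(text), key=lambda r: r["ticks"], reverse=True)[:n]


def never_matching_hogs(text, min_percent=1.0):
    """Sids that take at least min_percent of detection time yet never matched.

    These are the first candidates to review: a rule that is checked on every
    packet (weak or missing fast_pattern content) but produces no alerts costs
    CPU without adding detection value.
    """
    return [r["sid"] for r in parse_rule_perf(text)
            if r["percent"] >= min_percent and r["matches"] == 0]


if __name__ == "__main__":
    print(f"kernel drop rate: {drop_rate(STATS_SAMPLE):.1%}")
    for r in top_rules(RULE_PERF_SAMPLE):
        print(f"sid {r['sid']}: {r['ticks']} ticks ({r['percent']}%), "
              f"{r['checks']} checks, {r['matches']} matches")
    print("expensive rules that never matched:", never_matching_hogs(RULE_PERF_SAMPLE))
```

Run it against the real files by reading them into the two variables instead of the constructed samples; the useful signal is the ratio of checks to matches for the top entries, since a rule checked a million times that never fires is the usual cause of the kind of drop rate described in the post.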