Hi, everyone.
Please help me about rule tuning

Environment

OS: Debian 12
Software: Suricata 7.0.6 (installed from Git)

Background

I want to find the security incident by using Suricata.
I tested Suricata which applied to only ET Pro rules.
ET Pro has about 70000 rules.
Suricata was able to handle 500Mbps of traffic without any drops or delays.

After that, I added some rules.
The rules I added were mainly for the following sids, and the total number of rules was about 30,000.
https://sidallocation.org/

I tested it by running 500Mbps of traffic for 1 hour.
Suricata dropped about 80% packets.

I rebuilt Suricata with --enable-profiling-rules and --enable-profiling and tested it by running 500Mbps of traffic for 10 minutes.
I got rule_perf.log but could not find the cause.

Question

I upload the logs. Please tell me how to tune the rules.

keyword_perf.log (6.6 KB)
prefilter_perf.log (8.1 KB)
rule_group_perf.log (1.6 KB)
rule_perf.log (25.3 KB)
stats.log (444.2 KB)
suricata.log (5.2 KB)

Can you please share more about the hardware setup (CPU, RAM, NIC…etc)?

Your suricata configuration (as it applies to the hardware) is also needed. Most interesting is the core assignments for CPU affinity (workers, etc).

Thank you for your reply.
But I resolved this problem.
Suricata dropped many packets with a certain rule file applied.
I disable it, Suricata can process 500Mbps traffic.

It is strange that such uncomplicated rules can have such a big impact.
But I have no time to waste on finding the cause.

If the rule isn’t proprietary or part of a paid-only subscription, it may benefit other members of the community if it was shared.

The Suricata developer community may also benefit if we had knowledge of a poorly performing rule.