Suricata Rule Tuning

Hi, everyone.
Please help me with rule tuning.

Environment

OS: Debian 12
Software: Suricata 7.0.6 (installed from Git)

Background

I want to find security incidents using Suricata.
I tested Suricata with only the ET Pro rules applied.
ET Pro has about 70000 rules.
Suricata was able to handle 500Mbps of traffic without any drops or delays.

After that, I added some rules.
The rules I added were mainly for the following sids, and the total number of rules was about 30,000.
https://sidallocation.org/

I tested it by running 500Mbps of traffic for 1 hour.
Suricata dropped about 80% of packets.

I rebuilt Suricata with --enable-profiling-rules and --enable-profiling and tested it by running 500Mbps of traffic for 10 minutes.
I got rule_perf.log but could not find the cause.

Question

I have uploaded the logs. Please tell me how to tune the rules.

keyword_perf.log (6.6 KB)
prefilter_perf.log (8.1 KB)
rule_group_perf.log (1.6 KB)
rule_perf.log (25.3 KB)
stats.log (444.2 KB)
suricata.log (5.2 KB)
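
A way to get a first reading of a rule_perf.log like the one attached above, as an added example that is not part of this thread and not Suricata's own tooling. It assumes the text (json: false) column layout that rule profiling writes, and the sample rows and their numbers are constructed for illustration. It ranks rules by total ticks and flags the ones that are checked on a large share of packets but almost never match, which is the usual sign of a weak or missing prefilter (fast_pattern) content.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Constructed sample in the column layout Suricata writes to rule_perf.log
# when profiling.rules is enabled with json: false (layout assumed from the
# 7.x text output; every number below is invented for illustration).
SAMPLE_RULE_PERF = """\
----------------------------------------------------------------------
Date: 1/1/1970 -- 00:00:00. Sorting by: ticks.
----------------------------------------------------------------------
  Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks    Avg Ticks    Avg Match    Avg No Match
  -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ------------ ------------ --------------
  1        9000001      1        1        9800000000   64.84  2500000  0        120000      3920.00      0.00         3920.00
  2        2027000      1        4        3100000000   20.51  120000   12       98000       25833.33     30000.00     25832.91
  3        9000002      1        1        2200000000   14.56  2400000  0        61000       916.67       0.00         916.67
  4        2010000      1        6        15000000     0.10   300      300      70000       50000.00     50000.00     0.00
"""


@dataclass
class RuleStat:
    sid: int
    gid: int
    rev: int
    ticks: int        # total CPU ticks spent evaluating this rule
    percent: float    # share of all rule ticks, as written by Suricata
    checks: int       # how often the full rule was evaluated
    matches: int      # how often it actually alerted
    max_ticks: int
    avg_ticks: float

    @property
    def match_ratio(self) -> float:
        """Fraction of evaluations that matched; 0 when never checked."""
        return self.matches / self.checks if self.checks else 0.0


def parse_rule_perf(text: str) -> List[RuleStat]:
    """Parse the text table of rule_perf.log into RuleStat records.

    Header, separator and date lines are skipped; a data row is recognised
    by having exactly 12 whitespace-separated fields starting with a number.
    """
    stats: List[RuleStat] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 12 or not parts[0].isdigit():
            continue
        (_num, sid, gid, rev, ticks, pct, checks, matches,
         max_t, avg_t, _avg_match, _avg_nomatch) = parts
        stats.append(RuleStat(int(sid), int(gid), int(rev), int(ticks),
                              float(pct), int(checks), int(matches),
                              int(max_t), float(avg_t)))
    return stats


def top_by_ticks(stats: Iterable[RuleStat], n: int = 5) -> List[RuleStat]:
    """The n rules that consumed the most total ticks."""
    return sorted(stats, key=lambda s: s.ticks, reverse=True)[:n]


def poorly_prefiltered(stats: Iterable[RuleStat], min_checks: int = 1_000_000,
                       max_match_ratio: float = 1e-4) -> List[RuleStat]:
    """Rules evaluated very often but almost never matching.

    A high check count means the prefilter (fast_pattern content, port,
    protocol) let most packets through to the full rule; if the rule then
    rarely matches, that prefilter is too weak. Thresholds are heuristics.
    """
    return [s for s in stats
            if s.checks >= min_checks and s.match_ratio <= max_match_ratio]


def share_of_total(stats: Iterable[RuleStat], sids: Set[int]) -> float:
    """Fraction of all rule ticks attributable to the given sids."""
    stats = list(stats)
    total = sum(s.ticks for s in stats)
    chosen = sum(s.ticks for s in stats if s.sid in sids)
    return chosen / total if total else 0.0


if __name__ == "__main__":
    rules = parse_rule_perf(SAMPLE_RULE_PERF)
    print("Top rules by total ticks:")
    for s in top_by_ticks(rules, 3):
        print(f"  sid {s.sid:<8} ticks {s.ticks:>12} checks {s.checks:>8} "
              f"matches {s.matches:>5} avg {s.avg_ticks:>10.2f}")
    suspects = poorly_prefiltered(rules)
    print("Likely weak prefilter:", [s.sid for s in suspects])
    print(f"Their share of rule ticks: "
          f"{share_of_total(rules, {s.sid for s in suspects}):.1%}")
```

On a real run, read the attached rule_perf.log into `parse_rule_perf` instead of the sample. Absolute tick counts are inflated by the profiling build, so the ranking and the checks-to-matches ratio are what matter. A rule that is checked on nearly every packet but never fires is the first candidate to fix (give it a distinctive `content` marked `fast_pattern`, tighten its protocol and ports) or to disable; prefilter_perf.log and keyword_perf.log, also attached above, show the same problem from the prefilter engine's side.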

Can you please share more about the hardware setup (CPU, RAM, NIC…etc)?

Your suricata configuration (as it applies to the hardware) is also needed. Most interesting is the core assignments for CPU affinity (workers, etc).

Thank you for your reply.
But I resolved the problem.
Suricata dropped many packets with a certain rule file applied.
After disabling it, Suricata can process 500Mbps of traffic.

It is strange that such uncomplicated rules can have such a big impact.
But I have no time to waste on finding the cause.

If the rule isn't proprietary or part of a paid-only subscription, it may benefit other members of the community if it were shared.

The Suricata developer community may also benefit if we had knowledge of a poorly performing rule.