The performance overhead of pkt-rules is high

When I was testing, I found that rules with packet keywords like dsize would perform MPM on every packet (MPMB_TCP_PKT_TC), which would cause serious packet loss. Why doesn't Suricata default to not matching such rules, for example through detect.yaml? If it does, where is it?

I would like to ask, when conducting certain stress tests, should such rules not exist?

E.g.: alert tcp any any -> any any (msg:"test"; dsize:25; content:"xxx"; sid:1111;)

Can somebody help me?

Or let me ask it another way, why does dsize need to be reversed after MPM hits? If the current packet length is obviously not within the dsize range, why run MPM? Why not group the rules containing dsize again, just like port.

Suricata has been built to support pattern heavy rulesets and prefers to use patterns before other conditions. In cases like this that is a bit odd.

Thank you, sir. Maybe I can improve the new build's performance in other ways.

Sorry to bother you again. Is the example I wrote above a rule with low performance? I still stubbornly believe that it will perform MPM on every packet, so the performance of such a rule is very low. Am I right?

Can you try to change your suricata.yaml config property detect.prefilter.default from mpm to auto?

dsize as a rule option should act as a prefilter as well, at least based on the code.

sigmatch_table[DETECT_DSIZE].SupportsPrefilter = PrefilterDsizeIsPrefilterable;
sigmatch_table[DETECT_DSIZE].SetupPrefilter = PrefilterSetupDsize;

Thank you very much, your answer solved my question.

I analyzed the code and found that when 'mpm' is changed to 'auto', it only works on rules without 'content'. So my problem is still not solved. If there is 'content' + 'dsize' in the rule, pattern matching will still be performed, and the dsize prefilter will not be performed. Sir, do I understand correctly?

That is my current understanding as well. As Victor suggested, it is odd and may be an implementation imperfection. I would need to investigate the code more seriously, but my current assumption is that Suricata either classifies the rule as IP-only and thus uses pkt feature prefilters, or it is a full rule and thus uses MPM matching.

Thank you for your careful consideration. I believe it should be the latter. Such rules still consume a lot of performance.
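The following is an added illustration of the ordering question raised in this thread (why run the pattern search at all when the payload length already rules a dsize rule out). It is not part of the discussion and not Suricata code: a toy engine with a stand-in for MPM counts how many multi-pattern searches a dsize+content rule causes under the two orders, "search first, check dsize on hits" versus "group rules by dsize like ports and search only when the length matches a group". The rule parser understands only the msg/dsize/content/sid subset used in the example rule, the traffic is constructed, and the two order names are assumptions of this example.

```python
"""
Toy model of two evaluation orders for dsize+content rules.

Added illustration, not Suricata code. A simplified stand-in engine counts
how often the expensive multi-pattern search (stand-in for MPM) runs when
  1. "mpm_first":   the search runs on every packet, dsize is checked on hits
  2. "dsize_first": rules are grouped by dsize, the search runs only for
                    packets whose payload length selects a non-empty group
The parser only understands msg, dsize:N (exact form), content and sid.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    sid: int
    content: bytes
    dsize: int  # exact payload length required (dsize:N form only)


@dataclass
class Stats:
    packets: int = 0
    pattern_searches: int = 0  # invocations of the multi-pattern search
    alerts: int = 0


RULE_RE = re.compile(r'alert tcp any any -> any any \((?P<opts>.*)\)\s*$')


def parse_rule(text: str) -> Rule:
    """Parse the rule subset used in the thread: msg, dsize:N, content:"...", sid:N."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported rule: {text!r}")
    opts = dict(re.findall(r'(\w+):\s*"?([^";]*)"?\s*;', m.group("opts")))
    return Rule(sid=int(opts["sid"]), content=opts["content"].encode(), dsize=int(opts["dsize"]))


def multi_pattern_search(rules, payload, stats):
    """Stand-in for MPM: one scan of the payload yields every rule whose content occurs."""
    stats.pattern_searches += 1
    return [r for r in rules if r.content in payload]


def evaluate(rules, payloads, order):
    stats = Stats()
    by_dsize = {}
    for r in rules:
        by_dsize.setdefault(r.dsize, []).append(r)  # grouping by dsize, "like port"
    for payload in payloads:
        stats.packets += 1
        if order == "mpm_first":
            # pattern search on every packet; dsize only checked on the candidates it produced
            candidates = multi_pattern_search(rules, payload, stats)
            stats.alerts += sum(1 for r in candidates if len(payload) == r.dsize)
        elif order == "dsize_first":
            # cheap length check first; the search runs only if some rule could still match
            group = by_dsize.get(len(payload))
            if group:
                stats.alerts += len(multi_pattern_search(group, payload, stats))
        else:
            raise ValueError(order)
    return stats


def build_sample_traffic():
    """Constructed traffic: 1000 filler payloads of lengths 1..1000, three true
    positives (25 bytes containing "xxx") and one decoy (pattern hit, wrong size)."""
    traffic = [b"A" * n for n in range(1, 1001)]
    traffic += [b"xxx" + b"\x00" * 22] * 3   # len 25 -> alert
    traffic += [b"xxx" + b"\x00" * 30]       # len 33 -> content hits, dsize fails
    return traffic


def compare(rules_text, payloads):
    """Return {order: Stats} for both evaluation orders over the same traffic."""
    rules = [parse_rule(t) for t in rules_text]
    return {order: evaluate(rules, payloads, order) for order in ("mpm_first", "dsize_first")}


SAMPLE_RULES = [  # constructed; the first is the rule from the thread
    'alert tcp any any -> any any (msg:"test"; dsize:25; content:"xxx"; sid:1111;)',
    'alert tcp any any -> any any (msg:"test2"; dsize:40; content:"yyy"; sid:1112;)',
]

if __name__ == "__main__":
    for order, s in compare(SAMPLE_RULES, build_sample_traffic()).items():
        print(f"{order:12s} packets={s.packets} pattern_searches={s.pattern_searches} alerts={s.alerts}")
```

Both orders produce the same alerts; the difference is only in how many times the payload is scanned. With the constructed traffic the search runs once per packet in the first order and only for the five packets whose length equals some rule's dsize in the second, which is the saving the thread is asking about. The model says nothing about how Suricata actually classifies these rules; it only quantifies the cost of the ordering.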