When I was testing, I found that rules with packet keywords like dsize would perform MPM on every packet (MPMB_TCP_PKT_TC), which would cause serious packet loss. Why doesn't Suricata default to not matching such rules, for example, through detect.yaml? If so, where is it?
I would like to ask, when conducting certain stress tests, should such rules not exist?
E: alert tcp any any -> any any (msg:"test"; dsize:25; content:"xxx"; sid:1111;)
Or let me ask it another way, why does dsize need to be reversed after MPM hits? If the current packet length is obviously not within the dsize range, why run MPM? Why not group the rules containing dsize again, just like port.
Sorry to bother you again. Is the example I wrote above a rule with low performance? I still stubbornly believe that it will perform mpm on every packet, so the performance of such a rule is very low. Am I right?
I analyzed the code and found that when 'mpm' is changed to 'auto', it only works on rules without 'content'. So my problem is still not solved. If there is 'content+dsize' in the rule, pattern matching will still be performed, and the dsize prefilter will not be performed. Sir, do I understand correctly?
That is my current understanding as well. As Victor suggested, it is odd and can be an implementation imperfection. I would need to investigate the code more seriously, but my current assumption is that Suricata either classifies the rule as IP-only and thus uses pkt feature prefilters, or it is a full rule and thus uses MPM matching.
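The two scheduling orders discussed in this thread (MPM on every packet with dsize checked afterwards, versus grouping rules by dsize the way port groups work so MPM is skipped or narrowed) can be compared on a toy model. The code below is an added illustration and is not Suricata's code: the Rule class, the Stats counters, the substring-search stand-in for the real multi-pattern matcher, and the packets are all constructed for this example. It also shows the caveat behind the later posts: as soon as one content rule carries no dsize constraint, a dsize prefilter can no longer skip MPM for any packet, it can only shrink the candidate rule set.

```python
"""Toy model: MPM-first versus a dsize prefilter (added example, not Suricata code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """Hypothetical minimal rule: one content pattern and an optional dsize range."""
    sid: int
    content: bytes
    dsize: Optional[Tuple[int, int]] = None   # inclusive (lo, hi); None = any size


@dataclass
class Stats:
    mpm_runs: int            # packets on which the pattern matcher was invoked
    patterns_searched: int   # sum of candidate patterns over all MPM invocations
    alerts: List[int]        # sids that matched, in order of occurrence


def dsize_ok(rule: Rule, payload_len: int) -> bool:
    """dsize check as a plain length comparison."""
    if rule.dsize is None:
        return True
    lo, hi = rule.dsize
    return lo <= payload_len <= hi


def mpm(payload: bytes, rules: List[Rule]) -> List[Rule]:
    """Stand-in for the multi-pattern matcher: naive substring search per rule."""
    return [r for r in rules if r.content in payload]


def mpm_first(packets: List[bytes], rules: List[Rule]) -> Stats:
    """Behaviour the thread describes: MPM on every packet, dsize verified only on hits."""
    stats = Stats(0, 0, [])
    for payload in packets:
        stats.mpm_runs += 1
        stats.patterns_searched += len(rules)
        for r in mpm(payload, rules):
            if dsize_ok(r, len(payload)):
                stats.alerts.append(r.sid)
    return stats


def dsize_prefilter(packets: List[bytes], rules: List[Rule]) -> Stats:
    """Proposal from the thread: bucket rules by dsize (like port groups), check the
    packet length first, and run MPM only over rules that could still match."""
    unconstrained = [r for r in rules if r.dsize is None]
    groups: Dict[Tuple[int, int], List[Rule]] = {}
    for r in rules:
        if r.dsize is not None:
            groups.setdefault(r.dsize, []).append(r)

    stats = Stats(0, 0, [])
    for payload in packets:
        n = len(payload)
        candidates = list(unconstrained)
        for (lo, hi), grp in groups.items():
            if lo <= n <= hi:
                candidates.extend(grp)
        if not candidates:
            continue                      # length rules out every rule: no MPM at all
        stats.mpm_runs += 1
        stats.patterns_searched += len(candidates)
        stats.alerts.extend(r.sid for r in mpm(payload, candidates))
    return stats


# Constructed rule sets. sid 1111 mirrors the rule quoted in the thread.
RULES_DSIZE_ONLY = [
    Rule(1111, b"xxx", (25, 25)),
    Rule(2222, b"GET ", (0, 10)),
]
# Same set plus one content rule with no dsize: MPM can never be skipped now.
RULES_WITH_UNCONSTRAINED = RULES_DSIZE_ONLY + [Rule(3333, b"evil")]

# Constructed payloads (lengths 25, 13, 25, 5, 24).
PACKETS = [
    b"A" * 25,                       # right size for 1111, pattern absent
    b"helloxxxworld",                # pattern present, wrong size: no alert
    b"Y" * 22 + b"xxx",              # size 25 and pattern present: alert 1111
    b"GET /",                        # size 5 within (0,10): alert 2222
    b"GET /index.html HTTP/1.0",     # pattern present, size 24 outside (0,10)
]

if __name__ == "__main__":
    for name, rs in (("dsize-only", RULES_DSIZE_ONLY), ("with unconstrained", RULES_WITH_UNCONSTRAINED)):
        print(name, "mpm-first:", mpm_first(PACKETS, rs))
        print(name, "prefilter:", dsize_prefilter(PACKETS, rs))
```

With only dsize-constrained rules the prefilter invokes MPM on 3 of 5 packets and searches 3 patterns instead of 10, while producing the same alerts. Adding a single content rule without dsize brings MPM invocations back to 5 of 5; the only remaining gain is a smaller candidate set per packet, which is why per-rule skipping, not just rule grouping, would be needed to address the packet loss described in the first post.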