The performance overhead of pkt-rules is high

When I was testing, I found that rules with packet keywords like dsize would perform MPM on every packet (MPMB_TCP_PKT_TC), which would cause serious packet loss. Why doesn't Suricata default to not matching such rules, for example through detect.yaml? If it does, where is that setting?

I would like to ask: when conducting certain stress tests, should such rules simply not exist?

E.g.:

```
alert tcp any any -> any any (msg:"test"; dsize:25; content:"xxx"; sid:1111;)
```

Can somebody help me?

Or let me ask it another way: why does dsize need to be reversed after MPM hits? If the current packet length is obviously not within the dsize range, why run MPM at all? Why not group the rules containing dsize again, just like with ports?

Suricata has been built to support pattern-heavy rulesets and prefers to use patterns before other conditions. In cases like this, that is a bit odd.

Thank you, sir. Maybe I can improve the performance of the new build in other ways.

Sorry to bother you again. Is the example I wrote above a rule with low performance? I still stubbornly believe that it will perform MPM on every packet, so the performance of such a rule is very low. Am I right?

Can you try changing the suricata.yaml config property `detect.prefilter.default` from `mpm` to `auto`?
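For readers who want to see exactly what that suggestion changes, here is the relevant fragment of suricata.yaml with the default setting next to the suggested one. This is an added illustration, not part of the original reply or of the Suricata project's shipped configuration; it assumes the poster was running with the default value, which the thread does not state explicitly.

```yaml
# Fragment 1 (added example): the Suricata default. Only MPM / fast_pattern
# content matches are used to prefilter rules, so a rule such as
#   alert tcp any any -> any any (dsize:25; content:"xxx"; sid:1111;)
# is prefiltered on the pattern "xxx" and the dsize test runs only after
# MPM has hit, which is the behaviour described earlier in the thread.
detect:
  prefilter:
    default: mpm
---
# Fragment 2 (added example): the suggested change. "auto" additionally sets
# up prefilter engines for the other keywords that support prefiltering
# (dsize is one of them), so packets whose payload length is not 25 can be
# excluded before any content inspection is done for that rule.
detect:
  prefilter:
    default: auto
```

`suricata --list-keywords=all` prints which keywords support prefiltering. If changing the global default is not wanted, the per-rule `prefilter;` keyword can instead be placed directly after a single option (for example after `dsize:25;`) to make the engine prefilter that one rule on that option; that alternative is not discussed in this thread and is mentioned here only as a pointer.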

dsize as a rule option should act as a prefilter as well, at least based on the code:

```c
sigmatch_table[DETECT_DSIZE].SupportsPrefilter = PrefilterDsizeIsPrefilterable;
sigmatch_table[DETECT_DSIZE].SetupPrefilter = PrefilterSetupDsize;
```