dcerpc-perf-accuracy.txt - Suricata - Open Information Security Foundation

Bug #5135 » dcerpc-perf-accuracy.txt

Peter Manev, 02/19/2022 02:54 PM

       pevma@DonPedros ~/Work/Suricata/suricomp $ sudo rm logs/* ; time sudo /opt/suritest-profiling/bin/suricata -S test-rules/perf-dcerpc.rules -l logs/ -k none -r /home/pevma/Downloads/test-dce-iface.pcapng  --runmode=single  ; cat logs/eve.json | perl -ne 'print "$1\n" if /\"event_type\":\"(.*?)\"/' | sort | uniq -c ; grep '"event_type":"alert"' logs/eve.json | jq .alert.signature | sort -rn | uniq -c | sort -rn ; cat logs/rule_perf.log  ;
       rm: cannot remove 'logs/filestore': Is a directory
       [555186] 12/2/2022 -- 15:46:30 - (conf-yaml-loader.c:313) <Info> (ConfYamlParse) -- Configuration node 'DC_SERVERS' redefined.
       [555186] 12/2/2022 -- 15:46:30 - (suricata.c:1137) <Notice> (LogVersion) -- This is Suricata version 7.0.0-dev (b5166bdb9 2022-02-10) running in USER mode
       [555186] 12/2/2022 -- 15:46:30 - (tm-threads.c:2016) <Notice> (TmThreadWaitOnThreadInit) -- Threads created -> W: 1 FM: 1 FR: 1   Engine started.
       [555186] 12/2/2022 -- 15:46:30 - (suricata.c:2755) <Notice> (SuricataMainLoop) -- Signal Received.  Stopping engine.
       [555187] 12/2/2022 -- 15:46:30 - (source-pcap-file.c:384) <Notice> (ReceivePcapFileThreadExitStats) -- Pcap-file module read 1 files, 17 packets, 2356 bytes
       real	0m0.146s
       user	0m0.005s
       sys	0m0.000s
 alert
 dcerpc
 flow
 stats
 "DCE Netlogon dcerpc.iface only"
 "DCE Netlogoni dcerp content only"
         --------------------------------------------------------------------------
         Date: 2/12/2022 -- 15:46:30. Sorted by: ticks.
         --------------------------------------------------------------------------
          Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
         -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
 666          1        0        32934        70.03  20       6        6078        1646.70     2915.17     1103.07
 888          1        0        8038         17.09  1        1        8038        8038.00     8038.00     0.00
 777          1        0        6057         12.88  2        0        3936        3028.50     0.00        3028.50
       pevma@DonPedros ~/Work/Suricata/suricomp $ cat test-rules/perf-dcerpc.rules
       alert dcerpc any any -> any any ( msg: "DCE Netlogon dcerpc.iface only"; flow: to_server, established; dcerpc.iface: 12345678-1234-abcd-ef00-01234567cffb; sid: 666; )
       alert dcerpc any any -> any any ( msg: "DCE Netlogoni dcerp.iface with content added"; flow: to_server, established;content:"|78 56 34 12 34 12 CD AB EF|"; dcerpc.iface: 12345678-1234-abcd-ef00-01234567cffb; sid: 777; )
       alert dcerpc any any -> any any ( msg: "DCE Netlogoni dcerp content only"; flow: to_server, established;content:"|78 56 34 12 34 12 CD AB EF|";  sid: 888; )
 .0.8
       $ sudo rm logs/* ; time sudo /opt/suritest508-profiling/bin/suricata -S test-rules/perf-dcerpc.rules -l logs/ -k none -r /home/pevma/Downloads/test-dce-iface.pcapng  --runmode=single  ; cat logs/eve.json | perl -ne 'print "$1\n" if /\"event_type\":\"(.*?)\"/' | sort | uniq -c ; grep '"event_type":"alert"' logs/eve.json | jq .alert.signature | sort -rn | uniq -c | sort -rn ; cat logs/rule_perf.log  ;  cat test-rules/perf-dcerpc.rules
       rm: cannot remove 'logs/filestore': Is a directory
 /2/2022 -- 17:36:56 - <Notice> - This is Suricata version 5.0.8 RELEASE running in USER mode
 /2/2022 -- 17:36:56 - <Notice> - all 1 packet processing threads, 4 management threads initialized, engine started.
 /2/2022 -- 17:36:56 - <Notice> - Signal Received.  Stopping engine.
 /2/2022 -- 17:36:56 - <Notice> - Pcap-file module read 1 files, 17 packets, 2356 bytes
       real	0m0.096s
       user	0m0.005s
       sys	0m0.000s
 alert
 flow
 stats
 "DCE Netlogoni dcerp.iface with content added"
 "DCE Netlogoni dcerp content only"
 "DCE Netlogon dcerpc.iface only"
         --------------------------------------------------------------------------
         Date: 2/12/2022 -- 17:36:56. Sorted by: ticks.
         --------------------------------------------------------------------------
          Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
         -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
 666          1        0        14432        44.97  9        1        10713       1603.56     1852.00     1572.50
 888          1        0        9912         30.88  1        1        9912        9912.00     9912.00     0.00
 777          1        0        7752         24.15  2        1        7361        3876.00     7361.00     391.00
       alert dcerpc any any -> any any ( msg: "DCE Netlogon dcerpc.iface only"; flow: to_server, established; dcerpc.iface: 12345678-1234-abcd-ef00-01234567cffb; sid: 666; )
       alert dcerpc any any -> any any ( msg: "DCE Netlogoni dcerp.iface with content added"; flow: to_server, established;content:"|78 56 34 12 34 12 CD AB EF|"; dcerpc.iface: 12345678-1234-abcd-ef00-01234567cffb; sid: 777; )
       alert dcerpc any any -> any any ( msg: "DCE Netlogoni dcerp content only"; flow: to_server, established;content:"|78 56 34 12 34 12 CD AB EF|";  sid: 888; )
 .0.4
       $ sudo rm logs/* ; time sudo /opt/suritest604-profiling/bin/suricata -S test-rules/perf-dcerpc.rules -l logs/ -k none -r /home/pevma/Downloads/test-dce-iface.pcapng  --runmode=single  ; cat logs/eve.json | perl -ne 'print "$1\n" if /\"event_type\":\"(.*?)\"/' | sort | uniq -c ; grep '"event_type":"alert"' logs/eve.json | jq .alert.signature | sort -rn | uniq -c | sort -rn ; cat logs/rule_perf.log  ;  cat test-rules/perf-dcerpc.rules
       rm: cannot remove 'logs/filestore': Is a directory
 /2/2022 -- 17:37:17 - <Notice> - This is Suricata version 6.0.4 RELEASE running in USER mode
 /2/2022 -- 17:37:17 - <Notice> - all 1 packet processing threads, 4 management threads initialized, engine started.
 /2/2022 -- 17:37:17 - <Notice> - Signal Received.  Stopping engine.
 /2/2022 -- 17:37:17 - <Notice> - Pcap-file module read 1 files, 17 packets, 2356 bytes
       real	0m0.100s
       user	0m0.004s
       sys	0m0.000s
 alert
 dcerpc
 flow
 stats
 "DCE Netlogoni dcerp content only"
 "DCE Netlogon dcerpc.iface only"
         --------------------------------------------------------------------------
         Date: 2/12/2022 -- 17:37:17. Sorted by: ticks.
         --------------------------------------------------------------------------
          Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
         -------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
 666          1        0        41492        74.72  30       1        7695        1383.07     4106.00     1289.17
 888          1        0        9468         17.05  1        1        9468        9468.00     9468.00     0.00
 777          1        0        4571         8.23   2        0        4385        2285.50     0.00        2285.50
       alert dcerpc any any -> any any ( msg: "DCE Netlogon dcerpc.iface only"; flow: to_server, established; dcerpc.iface: 12345678-1234-abcd-ef00-01234567cffb; sid: 666; )
       alert dcerpc any any -> any any ( msg: "DCE Netlogoni dcerp.iface with content added"; flow: to_server, established;content:"|78 56 34 12 34 12 CD AB EF|"; dcerpc.iface: 12345678-1234-abcd-ef00-01234567cffb; sid: 777; )
       alert dcerpc any any -> any any ( msg: "DCE Netlogoni dcerp content only"; flow: to_server, established;content:"|78 56 34 12 34 12 CD AB EF|";  sid: 888; )

(1-1/1)

Project

General

Profile

Suricata

Bug #5135 » dcerpc-perf-accuracy.txt