pevma@DonPedros ~/Work/Suricata/suricomp $ sudo rm logs/* ; time sudo /opt/suritest-profiling/bin/suricata -S test-rules/perf-dcerpc.rules -l logs/ -k none -r /home/pevma/Downloads/test-dce-iface.pcapng --runmode=single ; cat logs/eve.json | perl -ne 'print "$1\n" if /\"event_type\":\"(.*?)\"/' | sort | uniq -c ; grep '"event_type":"alert"' logs/eve.json | jq .alert.signature | sort -rn | uniq -c | sort -rn ; cat logs/rule_perf.log ;
rm: cannot remove 'logs/filestore': Is a directory
[555186] 12/2/2022 -- 15:46:30 - (conf-yaml-loader.c:313) (ConfYamlParse) -- Configuration node 'DC_SERVERS' redefined.
[555186] 12/2/2022 -- 15:46:30 - (suricata.c:1137) (LogVersion) -- This is Suricata version 7.0.0-dev (b5166bdb9 2022-02-10) running in USER mode
[555186] 12/2/2022 -- 15:46:30 - (tm-threads.c:2016) (TmThreadWaitOnThreadInit) -- Threads created -> W: 1 FM: 1 FR: 1 Engine started.
[555186] 12/2/2022 -- 15:46:30 - (suricata.c:2755) (SuricataMainLoop) -- Signal Received. Stopping engine.
[555187] 12/2/2022 -- 15:46:30 - (source-pcap-file.c:384) (ReceivePcapFileThreadExitStats) -- Pcap-file module read 1 files, 17 packets, 2356 bytes
real 0m0.146s
user 0m0.005s
sys 0m0.000s
7 alert
7 dcerpc
1 flow
1 stats
6 "DCE Netlogon dcerpc.iface only"
1 "DCE Netlogoni dcerp content only"
--------------------------------------------------------------------------
Date: 2/12/2022 -- 15:46:30. Sorted by: ticks.
--------------------------------------------------------------------------
Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
-------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
1        666          1        0        32934        70.03  20       6        6078        1646.70     2915.17     1103.07
2        888          1        0        8038         17.09  1        1        8038        8038.00     8038.00     0.00
3        777          1        0        6057         12.88  2        0        3936        3028.50     0.00        3028.50
pevma@DonPedros ~/Work/Suricata/suricomp $ cat test-rules/perf-dcerpc.rules
alert dcerpc any any -> any any ( msg: "DCE Netlogon dcerpc.iface only"; flow: to_server, established; dcerpc.iface: 12345678-1234-abcd-ef00-01234567cffb; sid: 666; )
alert dcerpc any any -> any any ( msg: "DCE Netlogoni dcerp.iface with content added"; flow: to_server, established;content:"|78 56 34 12 34 12 CD AB EF|"; dcerpc.iface: 12345678-1234-abcd-ef00-01234567cffb; sid: 777; )
alert dcerpc any any -> any any ( msg: "DCE Netlogoni dcerp content only"; flow: to_server, established;content:"|78 56 34 12 34 12 CD AB EF|"; sid: 888; )
5.0.8 $ sudo rm logs/* ; time sudo /opt/suritest508-profiling/bin/suricata -S test-rules/perf-dcerpc.rules -l logs/ -k none -r /home/pevma/Downloads/test-dce-iface.pcapng --runmode=single ; cat logs/eve.json | perl -ne 'print "$1\n" if /\"event_type\":\"(.*?)\"/' | sort | uniq -c ; grep '"event_type":"alert"' logs/eve.json | jq .alert.signature | sort -rn | uniq -c | sort -rn ; cat logs/rule_perf.log ; cat test-rules/perf-dcerpc.rules
rm: cannot remove 'logs/filestore': Is a directory
12/2/2022 -- 17:36:56 - - This is Suricata version 5.0.8 RELEASE running in USER mode
12/2/2022 -- 17:36:56 - - all 1 packet processing threads, 4 management threads initialized, engine started.
12/2/2022 -- 17:36:56 - - Signal Received. Stopping engine.
12/2/2022 -- 17:36:56 - - Pcap-file module read 1 files, 17 packets, 2356 bytes
real 0m0.096s
user 0m0.005s
sys 0m0.000s
3 alert
1 flow
1 stats
1 "DCE Netlogoni dcerp.iface with content added"
1 "DCE Netlogoni dcerp content only"
1 "DCE Netlogon dcerpc.iface only"
--------------------------------------------------------------------------
Date: 2/12/2022 -- 17:36:56. Sorted by: ticks.
--------------------------------------------------------------------------
Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
-------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
1        666          1        0        14432        44.97  9        1        10713       1603.56     1852.00     1572.50
2        888          1        0        9912         30.88  1        1        9912        9912.00     9912.00     0.00
3        777          1        0        7752         24.15  2        1        7361        3876.00     7361.00     391.00
alert dcerpc any any -> any any ( msg: "DCE Netlogon dcerpc.iface only"; flow: to_server, established; dcerpc.iface: 12345678-1234-abcd-ef00-01234567cffb; sid: 666; )
alert dcerpc any any -> any any ( msg: "DCE Netlogoni dcerp.iface with content added"; flow: to_server, established;content:"|78 56 34 12 34 12 CD AB EF|"; dcerpc.iface: 12345678-1234-abcd-ef00-01234567cffb; sid: 777; )
alert dcerpc any any -> any any ( msg: "DCE Netlogoni dcerp content only"; flow: to_server, established;content:"|78 56 34 12 34 12 CD AB EF|"; sid: 888; )
6.0.4 $ sudo rm logs/* ; time sudo /opt/suritest604-profiling/bin/suricata -S test-rules/perf-dcerpc.rules -l logs/ -k none -r /home/pevma/Downloads/test-dce-iface.pcapng --runmode=single ; cat logs/eve.json | perl -ne 'print "$1\n" if /\"event_type\":\"(.*?)\"/' | sort | uniq -c ; grep '"event_type":"alert"' logs/eve.json | jq .alert.signature | sort -rn | uniq -c | sort -rn ; cat logs/rule_perf.log ; cat test-rules/perf-dcerpc.rules
rm: cannot remove 'logs/filestore': Is a directory
12/2/2022 -- 17:37:17 - - This is Suricata version 6.0.4 RELEASE running in USER mode
12/2/2022 -- 17:37:17 - - all 1 packet processing threads, 4 management threads initialized, engine started.
12/2/2022 -- 17:37:17 - - Signal Received. Stopping engine.
12/2/2022 -- 17:37:17 - - Pcap-file module read 1 files, 17 packets, 2356 bytes
real 0m0.100s
user 0m0.004s
sys 0m0.000s
2 alert
7 dcerpc
1 flow
1 stats
1 "DCE Netlogoni dcerp content only"
1 "DCE Netlogon dcerpc.iface only"
--------------------------------------------------------------------------
Date: 2/12/2022 -- 17:37:17. Sorted by: ticks.
--------------------------------------------------------------------------
Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
-------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
1        666          1        0        41492        74.72  30       1        7695        1383.07     4106.00     1289.17
2        888          1        0        9468         17.05  1        1        9468        9468.00     9468.00     0.00
3        777          1        0        4571         8.23   2        0        4385        2285.50     0.00        2285.50
alert dcerpc any any -> any any ( msg: "DCE Netlogon dcerpc.iface only"; flow: to_server, established; dcerpc.iface: 12345678-1234-abcd-ef00-01234567cffb; sid: 666; )
alert dcerpc any any -> any any ( msg: "DCE Netlogoni dcerp.iface with content added"; flow: to_server, established;content:"|78 56 34 12 34 12 CD AB EF|"; dcerpc.iface: 12345678-1234-abcd-ef00-01234567cffb; sid: 777; )
alert dcerpc any any -> any any ( msg: "DCE Netlogoni dcerp content only"; flow: to_server, established;content:"|78 56 34 12 34 12 CD AB EF|"; sid: 888; )