Bug #2908 (closed): IP-only rules cause Suricata to take 17 minutes to start

Added by Andy Wick over 5 years ago. Updated 8 months ago.

Status: Closed
Priority: Normal
Assignee: -
Target version: -
Affected Versions: -
Effort: -
Difficulty: -
Label: -

Description

We are trying to run with 300+ CIDRs in our home net with about 50k rules (ET Pro and others). Suricata 4.1.2 & 4.1.3 take about 17 minutes between when we get the rules loaded and when we get the "af packet threads are now listening" print out. Using gperftools, it says that over 97% of the time is spent in IPOnlyCIDRItemInsertReal. Are we doing something wrong?

A quick glance at the code makes it look like a linked-list insertion sort is being used to sort these 300+ CIDRs for every single rule?

Seems like some possible solutions:
  • We could presort our config from max netmask to smallest, so the sort would be O(n). We have our IPv6 IPs last in the list, so I bet currently we are worst case near O(n^2).
  • The code could switch to a qsort instead of a linked-list insertion sort.
  • The code could cache the list.

Any help would be great!
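As an added illustration (not code from the Suricata project or from this report), the following C program models the situation the report describes: a linked list of CIDR items kept sorted by netmask, where each new item is inserted by walking from the head. The list layout, the insertion direction and the helpers FillMasks, CostForOrder and CostAfterPresort are all assumptions chosen to reproduce the reporter's reasoning; the real IPOnlyCIDRItemInsertReal is not reproduced. The program counts nodes visited for ascending input (short IPv4 prefixes first, long IPv6 prefixes last), for descending input (max netmask first) and for the same ascending input sorted once with qsort before insertion, which shows why the order of the configured addresses turns a linear pass into a quadratic one that is then paid again for every rule.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified model (an assumption for illustration, not Suricata's own
 * IPOnlyCIDRItem): the item carries only the prefix length the sort keys on. */
typedef struct CidrItem_ {
    unsigned char netmask;
    struct CidrItem_ *next;
} CidrItem;

/* Insert into a list kept in ascending netmask order by walking from the head
 * until a node with an equal or larger netmask is reached. Returns the number
 * of nodes visited, which is the cost this model measures. */
static long ListInsertSorted(CidrItem **head, CidrItem *item)
{
    long visited = 0;
    CidrItem *prev = NULL, *cur = *head;
    while (cur != NULL) {
        visited++;
        if (cur->netmask >= item->netmask)
            break;
        prev = cur;
        cur = cur->next;
    }
    item->next = cur;
    if (prev != NULL)
        prev->next = item;
    else
        *head = item;
    return visited;
}

static void ListFree(CidrItem *head)
{
    while (head != NULL) {
        CidrItem *next = head->next;
        free(head);
        head = next;
    }
}

/* Build one rule's address list by repeated sorted insertion and return the
 * total number of nodes visited; -1 on allocation failure. */
long BuildByInsertion(const unsigned char *masks, int n)
{
    CidrItem *head = NULL;
    long total = 0;
    for (int i = 0; i < n; i++) {
        CidrItem *item = calloc(1, sizeof(*item));
        if (item == NULL) { ListFree(head); return -1; }
        item->netmask = masks[i];
        total += ListInsertSorted(&head, item);
    }
    ListFree(head);
    return total;
}

/* Constructed input: n distinct prefix lengths (n <= 128), ascending (IPv6
 * prefixes last, as in the report) or descending (max netmask to smallest). */
void FillMasks(unsigned char *masks, int n, int descending)
{
    for (int i = 0; i < n; i++)
        masks[i] = (unsigned char)(descending ? n - i : i + 1);
}

/* Nodes visited when n prefixes are inserted in the given order. */
long CostForOrder(int n, int descending)
{
    unsigned char masks[128];
    if (n < 1 || n > 128)
        return -1;
    FillMasks(masks, n, descending);
    return BuildByInsertion(masks, n);
}

static int CmpMaskDescending(const void *a, const void *b)
{
    unsigned char x = *(const unsigned char *)a, y = *(const unsigned char *)b;
    return (y > x) - (y < x);
}

/* The same ascending input, sorted once with qsort into descending order before
 * insertion. The one-time qsort cost is deliberately not counted: it is paid
 * once, not once per rule, which is the reporter's point. */
long CostAfterPresort(int n)
{
    unsigned char masks[128];
    if (n < 1 || n > 128)
        return -1;
    FillMasks(masks, n, 0);
    qsort(masks, (size_t)n, sizeof(masks[0]), CmpMaskDescending);
    return BuildByInsertion(masks, n);
}

int main(void)
{
    const int sizes[] = { 16, 64, 128 };
    printf("%5s %12s %12s %12s\n", "n", "ascending", "descending", "presorted");
    for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++)
        printf("%5d %12ld %12ld %12ld\n", sizes[i], CostForOrder(sizes[i], 0),
               CostForOrder(sizes[i], 1), CostAfterPresort(sizes[i]));
    /* Multiply the chosen column by the number of IP-only rules that carry the
     * address list to see which one dominates startup time. */
    return 0;
}
```

The ascending column grows as n(n-1)/2 while the other two grow as n-1; with a few hundred addresses and tens of thousands of rules the difference is the gap between seconds and the minutes reported above.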


Related issues (2: 0 open, 2 closed)

  • Related to Suricata - Bug #6376: Huge increase on Suricata load time with a lot of ip-only rules and bigger HOME_NET (Closed, Simon Dugas)
  • Related to Suricata - Optimization #6792: detect/port: port grouping is quite slow in worst cases (Closed, Shivani Bhardwaj)