Task #3302

open

Research: ruleset optimizations

Added by Andreas Herz about 5 years ago. Updated about 5 years ago.

Status: New
Priority: Normal
Target version:
Effort:
Difficulty:
Label:

Description

The suggestion at Suricon 2019 was to have an analyzer that inspects a ruleset and compiles it into a more optimized form.

An example: if there are many similar rules that each match one DNS query name, such an analyzer could automatically convert them into a single rule plus a dataset.

The purpose of this ticket is to research what those optimizations could be and to test whether they actually improve performance.
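An added example of the rule-plus-dataset rewrite the description proposes (this is not code from the ticket or from Suricata): a hypothetical Python pass that collapses rules differing only in their `dns.query` content into one `dataset:isset` rule and emits the base64-encoded list file Suricata expects for a `type string` dataset. The rules, sids, dataset names and domains are constructed for the example.

```python
import base64
import re
from collections import defaultdict

# Constructed sample ruleset: three rules identical except for the queried name,
# plus one rule whose other options differ (nocase) and so must not be merged.
RULES = [
    'alert dns any any -> any any (msg:"Bad domain 1"; dns.query; content:"evil-one.example"; sid:1000001; rev:1;)',
    'alert dns any any -> any any (msg:"Bad domain 2"; dns.query; content:"evil-two.example"; sid:1000002; rev:1;)',
    'alert dns any any -> any any (msg:"Bad domain 3"; dns.query; content:"evil-three.example"; sid:1000003; rev:1;)',
    'alert dns any any -> any any (msg:"Other"; dns.query; content:"foo"; nocase; sid:1000004; rev:1;)',
]

RULE_RE = re.compile(r'^(?P<head>.+?)\((?P<opts>.*)\)\s*$')
CONTENT_RE = re.compile(r'dns\.query;\s*content:"(?P<value>[^"]+)";\s*')
DROP_RE = re.compile(r'\b(?:msg|sid|rev):[^;]*;\s*')  # per-rule fields, not part of the template

def merge_dns_rules(rules, min_group=2, prefix="dns-bad", first_sid=9000000):
    """Group rules that differ only in their dns.query content.
    Returns (kept_rules, merged_rules, datasets) with datasets as name -> [values]."""
    groups, kept = defaultdict(list), []
    for rule in rules:
        m = RULE_RE.match(rule)
        cm = CONTENT_RE.search(m.group("opts")) if m else None
        if not cm:
            kept.append(rule)  # not a simple dns.query content rule: leave untouched
            continue
        # template = header + remaining options; rules with the same template are mergeable
        residual = DROP_RE.sub("", CONTENT_RE.sub("", m.group("opts")))
        groups[(m.group("head"), residual)].append((rule, cm.group("value")))
    merged, datasets = [], {}
    for (head, residual), members in groups.items():
        if len(members) < min_group:
            kept.extend(r for r, _ in members)
            continue
        name, sid = f"{prefix}-{len(datasets) + 1}", first_sid + len(datasets)
        # Caveat: content is a substring match while dataset:isset compares the whole
        # dns.query buffer, so the merged rule only fires on exact query names.
        merged.append(f'{head}(msg:"{name} merged"; dns.query; dataset:isset,{name},'
                      f'type string,load {name}.lst; {residual}sid:{sid}; rev:1;)')
        datasets[name] = [v for _, v in members]
    return kept, merged, datasets

def dataset_file(values):
    """A type string dataset file holds one base64-encoded value per line."""
    return "\n".join(base64.b64encode(v.encode()).decode() for v in values) + "\n"
```

Running `merge_dns_rules(RULES)` leaves the `nocase` rule alone and replaces the other three with a single rule loading `dns-bad-1.lst`; writing `dataset_file(datasets["dns-bad-1"])` to that file gives the replay comparison asked for in this ticket.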


Related issues (1 open, 0 closed)

Related to Suricata - Task #3288: Suricon 2019 brainstorm (Assigned, Victor Julien)

#1

Updated by Victor Julien about 5 years ago

  • Description updated (diff)
#2

Updated by Victor Julien about 5 years ago

  • Assignee changed from OISF Dev to Community Ticket

I think it would be great if some test cases could be built, and then tested against pcaps and replay.

E.g. 1000 dns rules vs 1 dataset rule.

Perhaps we can ask Brad to use his replay setup to test the results.

#3

Updated by Victor Julien about 5 years ago

  • Parent task deleted (#3288)
#4

Updated by Victor Julien about 5 years ago

  • Related to Task #3288: Suricon 2019 brainstorm added