Bug #5562
closed
rule_perf.log with multiple sort orders is invalid JSON
Description
When rules profiling is turned on and configured for JSON output with no sort order, all 7 orders are written to rules_profile.log as JSON objects concatenated without any delimiters or top-level JSON type. This means the content of rules_profile.log is not valid JSON.
I suspect this bug was introduced in https://github.com/OISF/suricata/commit/75907fce0662b500b280a0493524daf06523aaae, in which case it would affect 4.0.0+ (but I have not confirmed this).
Updated by Simeon Miteff about 3 years ago
When rules profiling is turned on and configured for JSON output with no sort order, all 7 orders are written to rule_perf.log as JSON objects concatenated without any delimiters or top-level JSON type. This means the content of rule_perf.log is not valid JSON.
I suspect this bug was introduced in https://github.com/OISF/suricata/commit/75907fce0662b500b280a0493524daf06523aaae, in which case it would affect 4.0.0+ (but I have not confirmed this).
Updated by Simeon Miteff about 3 years ago
- Subject changed from rules_profile.log with multiple sort orders is invalid JSON to rule_perf.log with multiple sort orders is invalid JSON
Updated by Philippe Antoine 4 months ago
- Status changed from New to Rejected
This is not a bug for me
We do the same with eve.json: it is a list of JSON objects (one per line) without delimiter nor top object
I tried ./configure --enable-profiling-rules + run with suricata.yaml having profiling.rules.active = yes on some random pcap with random rules
And then I can do jq . log/rule_perf.log
And it works like
{
  "timestamp": "2025-07-11T10:22:35.090004+0200",
  "sort": "ticks",
  "rules": [
    {
      "signature_id": 2016949,
      "gid": 1,
      "rev": 3,
      "checks": 6,
      "matches": 3,
      "ticks_total": 131700,
      "ticks_max": 36480,
      "ticks_avg": 21950,
      "ticks_avg_match": 24453,
      "ticks_avg_nomatch": 19446,
      "percent": 100
    }
  ]
}
{
  "timestamp": "2025-07-11T10:22:35.090066+0200",
  "sort": "average ticks",
  "rules": [
    {
      "signature_id": 2016949,
      "gid": 1,
      "rev": 3,
      "checks": 6,
      "matches": 3,
      "ticks_total": 131700,
      "ticks_max": 36480,
      "ticks_avg": 21950,
      "ticks_avg_match": 24453,
      "ticks_avg_nomatch": 19446,
      "percent": 100
    }
  ]
}
	etc...
Updated by Simeon Miteff 4 months ago
Philippe Antoine wrote in #note-3:
This is not a bug for me
I fixed this back in 2022 via https://github.com/OISF/suricata/pull/7963
Sorry, I should have updated the bug, however I see now that I can't set it to "Closed" or a similar appropriate status.