Project

General

Profile

Actions
Copy link

Bug #6291

open

Performance degradation on Suricata devices with a small number of rules

Added by Cole Dishington 8 months ago. Updated 3 months ago.

Status:
In Review
Priority:
Normal
Assignee:
Cole Dishington
Target version:
8.0.0-beta1
Affected Versions:
5.0.0, 5.0.1, 5.0.2, 5.0.3, 6.0.0, 5.0.5, 6.0.1, 6.0.2, 7.0.0, 7.0.1
Effort:
Difficulty:
Label:
C

Description

Devices running a small number of rules, none of which being MPM-based rules, experienced a performance degradation of ~4%-16% throughput between Suricata 4 and Suricata 5 releases. The performance degradation is present in all releases past Suricata 5. The performance degradation was traced to:

0965afd66 detect: pkt inspect engines

The linked commit modified the default pkt inspection engines to be called through a function pointer. Previously, the default packet inspection errors were inlined.

Actions
Copy link
 #1

Updated by Peter Manev 8 months ago

Can you share some steps or details how to reproduce the performance degradation issue please?

How many rules/what type/what type of traffic/any specific run commands or config options enabled if relevant etc.
Thanks

Actions
Copy link
 #2

Updated by Cole Dishington 8 months ago

Peter Manev wrote in #note-1:

Can you share some steps or details how to reproduce the performance degradation issue please?

How many rules/what type/what type of traffic/any specific run commands or config options enabled if relevant etc.
Thanks

I experienced the performance degradation when updating from Suricata 4.0.6 to Suricata 7.0.0, this performance degradation was noticed on a setup with the following:
  • 176 signatures
  • 3 are inspecting packet payload
  • 33 inspect application layer
  • 83 are decoder event only

The performance test used UDP, entirely traffic that would be detected as non-malicious, and Suricata running in IPS mode.

This performance impact was significant when running a small number of lightweight rules, but was not significant on larger (and more heavy-duty) rule sets. I have submitted a pull request (https://github.com/OISF/suricata/pull/9429) that changes the default packet inspection engines to inline, like they were in Suricata 4 before extra packet inspection engines were supported.

Thanks

Actions
Copy link
 #3

Updated by Victor Julien 8 months ago

  • Target version changed from 7.0.1 to 7.0.2
Actions
Copy link
 #4

Updated by Victor Julien 7 months ago

  • Target version changed from 7.0.2 to 7.0.3
Actions
Copy link
 #5

Updated by Victor Julien 6 months ago

  • Target version changed from 7.0.3 to 8.0.0-beta1
Actions
Copy link
 #7

Updated by Cole Dishington 3 months ago

  • Status changed from New to In Review
Actions
Copy link

Also available in: Atom PDF