Bug #6291: Performance degradation on Suricata devices with a small number of rules

Added by Cole Dishington over 2 years ago. Updated 12 months ago.

Status: Rejected
Priority: Normal
Assignee: -
Target version: -
Affected Versions: -
Effort: -
Difficulty: -
Label: C

Description

Devices running a small number of rules, none of which are MPM-based rules, experienced a performance degradation of ~4%-16% throughput between the Suricata 4 and Suricata 5 releases. The performance degradation is present in all releases past Suricata 5. The performance degradation was traced to:

0965afd66 detect: pkt inspect engines

The linked commit modified the default pkt inspection engines to be called through a function pointer. Previously, the default packet inspection engines were inlined.
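The dispatch difference the report describes, as an added illustration that is not Suricata's code: a toy packet and signature model (constructed here, not Suricata's structures) is inspected once through a table of engine function pointers and once through the equivalent inlined checks. Both paths must agree on every match; the point of the example is the structural cost difference, which is what the report attributes the throughput loss to. The timing in main() is only indicative, since whether the indirect calls cost anything measurable depends on the compiler's optimisation level and the CPU's indirect-branch prediction.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <time.h>

/* Constructed toy model (not Suricata's data structures): a packet carries
 * flags standing in for payload presence, a decoder event and an app-layer
 * record; a signature states which of those it requires. */
typedef struct {
    bool has_payload;
    bool has_decoder_event;
    bool has_app_layer;
} Packet;

typedef struct {
    bool needs_payload;
    bool needs_decoder_event;
    bool needs_app_layer;
} Signature;

/* Shape of an inspect engine invoked through a function pointer. */
typedef bool (*InspectEngineFn)(const Packet *p, const Signature *s);

static bool EnginePayload(const Packet *p, const Signature *s) {
    return !s->needs_payload || p->has_payload;
}
static bool EngineDecoderEvent(const Packet *p, const Signature *s) {
    return !s->needs_decoder_event || p->has_decoder_event;
}
static bool EngineAppLayer(const Packet *p, const Signature *s) {
    return !s->needs_app_layer || p->has_app_layer;
}

/* Table-driven dispatch: every engine is an indirect call the compiler
 * cannot inline, so each signature pays for all three calls even when it
 * only needs one of the checks. */
static const InspectEngineFn engines[] = {
    EnginePayload, EngineDecoderEvent, EngineAppLayer
};

bool InspectViaTable(const Packet *p, const Signature *s) {
    for (size_t i = 0; i < sizeof engines / sizeof engines[0]; i++) {
        if (!engines[i](p, s))
            return false;
    }
    return true;
}

/* Inlined form: the same checks written out directly, so the compiler can
 * inline and fold them, and the first failing condition exits at once. */
static inline bool InspectInlined(const Packet *p, const Signature *s) {
    if (s->needs_payload && !p->has_payload) return false;
    if (s->needs_decoder_event && !p->has_decoder_event) return false;
    if (s->needs_app_layer && !p->has_app_layer) return false;
    return true;
}

/* Constructed rule set: a few lightweight signatures of each kind. */
static const Signature rules[] = {
    { .needs_payload = true },
    { .needs_app_layer = true },
    { .needs_decoder_event = true },
    { .needs_decoder_event = true, .needs_app_layer = true },
};
#define NRULES (sizeof rules / sizeof rules[0])

/* Synthetic packet i: cycles through payload/event/app-layer combinations. */
static Packet MakePacket(size_t i) {
    Packet p = {
        .has_payload = (i % 2) == 0,
        .has_decoder_event = (i % 3) == 0,
        .has_app_layer = (i % 5) == 0,
    };
    return p;
}

/* Run every rule against npkts synthetic packets with the chosen dispatch
 * style and return the number of rule matches. */
size_t CountMatches(size_t npkts, bool use_table) {
    size_t matches = 0;
    for (size_t i = 0; i < npkts; i++) {
        Packet p = MakePacket(i);
        for (size_t r = 0; r < NRULES; r++) {
            bool m = use_table ? InspectViaTable(&p, &rules[r])
                               : InspectInlined(&p, &rules[r]);
            if (m) matches++;
        }
    }
    return matches;
}

int main(void) {
    const size_t npkts = 2000000;
    clock_t t0 = clock();
    size_t a = CountMatches(npkts, true);
    clock_t t1 = clock();
    size_t b = CountMatches(npkts, false);
    clock_t t2 = clock();
    printf("table dispatch: %zu matches in %.3fs\n", a, (double)(t1 - t0) / CLOCKS_PER_SEC);
    printf("inlined checks: %zu matches in %.3fs\n", b, (double)(t2 - t1) / CLOCKS_PER_SEC);
    return a == b ? 0 : 1;
}
```

Build with optimisation on (for example `-O2`) when comparing the two timings; at `-O0` neither path is representative of what a release build of a detection engine does.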


Related issues (3): 0 open, 3 closed

  • Related to Suricata - Optimization #6728: detect: prefilter for events (decode, stream, app-layer, etc...) (Closed, Philippe Antoine)
  • Related to Suricata - Optimization #7002: detect: move pseudo packet checks out of keyword Match funcs (Closed, Victor Julien)
  • Related to Suricata - Bug #7106: packet: app-layer-events incorrectly used on recycled packets (Closed, Philippe Antoine)

#1 Updated by Peter Manev over 2 years ago

Can you share some steps or details how to reproduce the performance degradation issue please?

How many rules/what type/what type of traffic/any specific run commands or config options enabled if relevant etc.
Thanks

#2 Updated by Cole Dishington over 2 years ago

Peter Manev wrote in #note-1:

Can you share some steps or details how to reproduce the performance degradation issue please?

How many rules/what type/what type of traffic/any specific run commands or config options enabled if relevant etc.
Thanks

I experienced the performance degradation when updating from Suricata 4.0.6 to Suricata 7.0.0; this performance degradation was noticed on a setup with the following:
  • 176 signatures
  • 3 are inspecting packet payload
  • 33 inspect application layer
  • 83 are decoder event only

The performance test used UDP, entirely traffic that would be detected as non-malicious, and Suricata running in IPS mode.

This performance impact was significant when running a small number of lightweight rules, but was not significant on larger (and more heavy-duty) rule sets. I have submitted a pull request (https://github.com/OISF/suricata/pull/9429) that changes the default packet inspection engines to inline, like they were in Suricata 4 before extra packet inspection engines were supported.

Thanks

#3 Updated by Victor Julien over 2 years ago

  • Target version changed from 7.0.1 to 7.0.2

#4 Updated by Victor Julien over 2 years ago

  • Target version changed from 7.0.2 to 7.0.3

#5 Updated by Victor Julien over 2 years ago

  • Target version changed from 7.0.3 to 8.0.0-beta1

#7 Updated by Cole Dishington about 2 years ago

  • Status changed from New to In Review

#8 Updated by Philippe Antoine almost 2 years ago

  • Related to Optimization #6728: detect: prefilter for events (decode, stream, app-layer, etc...) added

#9 Updated by Philippe Antoine almost 2 years ago

  • Related to Optimization #7002: detect: move pseudo packet checks out of keyword Match funcs added

#10 Updated by Philippe Antoine almost 2 years ago

  • Related to Bug #7106: packet: app-layer-events incorrectly used on recycled packets added

#11 Updated by Philippe Antoine almost 2 years ago

@Cole Dishington could you tell if you still have the problem with latest master after merge of https://github.com/OISF/suricata/pull/11337?

#12 Updated by Cole Dishington almost 2 years ago

  • Status changed from In Review to Closed

@Philippe Antoine I haven't yet been able to get the latest Suricata compiling with my toolchain (due to a mismatch of archs in the lua .o files). I will re-test when I am able to get the newer versions of Suricata working with my toolchain; until then I will close off this issue. Thanks

#13 Updated by Philippe Antoine almost 2 years ago

Thanks Cole, you can also test with suricata-7.0.6.

#14 Updated by Victor Julien 12 months ago

  • Status changed from Closed to Rejected
  • Assignee deleted (Cole Dishington)
  • Target version deleted (8.0.0-beta1)

Closing as rejected as nothing was done and it's unclear if there is an issue still.
