Bug #6291: Performance degradation on Suricata devices with a small number of rules - Suricata - Open Information Security Foundation

Custom queries

8.0.0 Stories
Good First Issues
OISF community
Open Doc tasks

Actions

Copy link

Bug #6291

closed

Performance degradation on Suricata devices with a small number of rules

Bug #6291: Performance degradation on Suricata devices with a small number of rules

Added by Cole Dishington over 2 years ago. Updated 12 months ago.

Status:

Rejected

Priority:

Normal

Assignee:

Target version:

Affected Versions:

5.0.0, 5.0.1, 5.0.2, 5.0.3, 6.0.0, 5.0.5, 6.0.1, 6.0.2, 7.0.0, 7.0.1

Effort:

Difficulty:

Label:

Description

Devices running a small number of rules, none of which being MPM-based rules, experienced a performance degradation of ~4%-16% throughput between Suricata 4 and Suricata 5 releases. The performance degradation is present in all releases past Suricata 5. The performance degradation was traced to:

0965afd66 detect: pkt inspect engines

The linked commit modified the default pkt inspection engines to be called through a function pointer. Previously, the default packet inspection errors were inlined.

Related issues 3 (0 open — 3 closed)

Related to Suricata - Optimization #6728: detect: prefilter for events (decode, stream, app-layer, etc...)	Closed	Philippe Antoine	Actions
Related to Suricata - Optimization #7002: detect: move pseudo packet checks out of keyword Match funcs	Closed	Victor Julien	Actions
Related to Suricata - Bug #7106: packet: app-layer-events incorrectly used on recycled packets	Closed	Philippe Antoine	Actions

Issue # Delay: days Cancel Multiple values allowed (comma separated).

History
Notes
Property changes

PM Updated by Peter Manev over 2 years ago Actions
Copy link
#1

Can you share some steps or details how to reproduce the performance degradation issue please?

How many rules/what type/what type of traffic/any specific run commands or config options enabled if relevant etc.
Thanks

CD Updated by Cole Dishington over 2 years ago Actions
Copy link
#2

Peter Manev wrote in #note-1:

Can you share some steps or details how to reproduce the performance degradation issue please?

How many rules/what type/what type of traffic/any specific run commands or config options enabled if relevant etc.
Thanks

I experienced the performance degradation when updating from Suricata 4.0.6 to Suricata 7.0.0, this performance degradation was noticed on a setup with the following:

176 signatures
3 are inspecting packet payload
33 inspect application layer
83 are decoder event only

The performance test used UDP, entirely traffic that would be detected as non-malicious, and Suricata running in IPS mode.

This performance impact was significant when running a small number of lightweight rules, but was not significant on larger (and more heavy-duty) rule sets. I have submitted a pull request (https://github.com/OISF/suricata/pull/9429) that changes the default packet inspection engines to inline, like they were in Suricata 4 before extra packet inspection engines were supported.

Thanks

VJ Updated by Victor Julien over 2 years ago Actions
Copy link
#3

Target version changed from 7.0.1 to 7.0.2

VJ Updated by Victor Julien over 2 years ago Actions
Copy link
#4

Target version changed from 7.0.2 to 7.0.3

VJ Updated by Victor Julien over 2 years ago Actions
Copy link
#5

Target version changed from 7.0.3 to 8.0.0-beta1

CD Updated by Cole Dishington about 2 years ago Actions
Copy link
#6

PR: https://github.com/OISF/suricata/pull/10202

CD Updated by Cole Dishington about 2 years ago Actions
Copy link
#7

Status changed from New to In Review

PA Updated by Philippe Antoine almost 2 years ago Actions
Copy link
#8

Related to Optimization #6728: detect: prefilter for events (decode, stream, app-layer, etc...) added

PA Updated by Philippe Antoine almost 2 years ago Actions
Copy link
#9

Related to Optimization #7002: detect: move pseudo packet checks out of keyword Match funcs added

PA Updated by Philippe Antoine almost 2 years ago Actions
Copy link
#10

Related to Bug #7106: packet: app-layer-events incorrectly used on recycled packets added

PA Updated by Philippe Antoine almost 2 years ago Actions
Copy link
#11

@Cole Dishington could you tell if you still have the problem with latest master after merge of https://github.com/OISF/suricata/pull/11337 ?

CD Updated by Cole Dishington almost 2 years ago Actions
Copy link
#12

Status changed from In Review to Closed

@Philippe Antoine I haven't yet been able to get the latest Suricata compiling with my toolchain (due to mismatch of archs in the lua .o files). I will re-test when I am able to get the newer versions of Suricata working with my toolchain, until then I will close of this issue. Thanks

PA Updated by Philippe Antoine almost 2 years ago Actions
Copy link
#13

Thanks Cole, you can also test with suricata-7.0.6

VJ Updated by Victor Julien 12 months ago Actions
Copy link
#14

Status changed from Closed to Rejected
Assignee deleted (~~Cole Dishington~~)
Target version deleted (~~8.0.0-beta1~~)

Closing as rejected as nothing was done and it's unclear if there is an issue still.

Actions

Copy link

Also available in: PDF Atom

Project

General

Profile

Suricata

Custom queries

Bug #6291

Performance degradation on Suricata devices with a small number of rules

PM Updated by Peter Manev over 2 years ago Actions
Copy link
#1

CD Updated by Cole Dishington over 2 years ago Actions
Copy link
#2

VJ Updated by Victor Julien over 2 years ago Actions
Copy link
#3

VJ Updated by Victor Julien over 2 years ago Actions
Copy link
#4

VJ Updated by Victor Julien over 2 years ago Actions
Copy link
#5

CD Updated by Cole Dishington about 2 years ago Actions
Copy link
#6

CD Updated by Cole Dishington about 2 years ago Actions
Copy link
#7

PA Updated by Philippe Antoine almost 2 years ago Actions
Copy link
#8

PA Updated by Philippe Antoine almost 2 years ago Actions
Copy link
#9

PA Updated by Philippe Antoine almost 2 years ago Actions
Copy link
#10

PA Updated by Philippe Antoine almost 2 years ago Actions
Copy link
#11

CD Updated by Cole Dishington almost 2 years ago Actions
Copy link
#12

PA Updated by Philippe Antoine almost 2 years ago Actions
Copy link
#13

VJ Updated by Victor Julien 12 months ago Actions
Copy link
#14

Project

General

Profile

Suricata

Custom queries

Bug #6291

Performance degradation on Suricata devices with a small number of rules

PM Updated by Peter Manev over 2 years ago ActionsCopy link #1

CD Updated by Cole Dishington over 2 years ago ActionsCopy link #2

VJ Updated by Victor Julien over 2 years ago ActionsCopy link #3

VJ Updated by Victor Julien over 2 years ago ActionsCopy link #4

VJ Updated by Victor Julien over 2 years ago ActionsCopy link #5

CD Updated by Cole Dishington about 2 years ago ActionsCopy link #6

CD Updated by Cole Dishington about 2 years ago ActionsCopy link #7

PA Updated by Philippe Antoine almost 2 years ago ActionsCopy link #8

PA Updated by Philippe Antoine almost 2 years ago ActionsCopy link #9

PA Updated by Philippe Antoine almost 2 years ago ActionsCopy link #10

PA Updated by Philippe Antoine almost 2 years ago ActionsCopy link #11

CD Updated by Cole Dishington almost 2 years ago ActionsCopy link #12

PA Updated by Philippe Antoine almost 2 years ago ActionsCopy link #13

VJ Updated by Victor Julien 12 months ago ActionsCopy link #14

PM Updated by Peter Manev over 2 years ago Actions
Copy link
#1

CD Updated by Cole Dishington over 2 years ago Actions
Copy link
#2

VJ Updated by Victor Julien over 2 years ago Actions
Copy link
#3

VJ Updated by Victor Julien over 2 years ago Actions
Copy link
#4

VJ Updated by Victor Julien over 2 years ago Actions
Copy link
#5

CD Updated by Cole Dishington about 2 years ago Actions
Copy link
#6

CD Updated by Cole Dishington about 2 years ago Actions
Copy link
#7

PA Updated by Philippe Antoine almost 2 years ago Actions
Copy link
#8

PA Updated by Philippe Antoine almost 2 years ago Actions
Copy link
#9

PA Updated by Philippe Antoine almost 2 years ago Actions
Copy link
#10

PA Updated by Philippe Antoine almost 2 years ago Actions
Copy link
#11

CD Updated by Cole Dishington almost 2 years ago Actions
Copy link
#12

PA Updated by Philippe Antoine almost 2 years ago Actions
Copy link
#13

VJ Updated by Victor Julien 12 months ago Actions
Copy link
#14