Bug #6414
open
detect-engine/port: recursive DetectPortInsert calls are expensive
Added by Shivani Bhardwaj 7 months ago.
Updated 2 months ago.
Description
Problem
It seems that for certain kinds of rules, the recursive calls to DetectPortInsert can be very expensive.
There has been a todo to get rid of the recursive calls since a long time that needs to be addressed now.
The issue can be observed for large rulesets especially containing a mix of drop tls rules and others.
One noteworthy thing is that these rules loaded separately end up consuming much lesser time.
Useful info
Attached is one scenario where the flamegraph shows heavy frequenting of this fn.
Files
Related issues
2 (2 open — 0 closed)
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Shivani Bhardwaj
- Target version changed from TBD to 7.0.3
- Label deleted (
Needs backport to 6.0)
- Target version changed from 7.0.3 to 8.0.0-beta1
- Label Needs backport to 7.0 added
- Label deleted (
Needs backport to 7.0)
- Label Needs backport to 7.0 added
- Label deleted (
Needs backport to 7.0)
- Label Needs backport to 7.0 added
- Label deleted (
Needs backport to 7.0)
- Related to Optimization #6795: detect/port: PortGroupWhitelist fn takes a lot of processing time added
- Related to Optimization #6792: detect/port: port grouping is quite slow in worst cases added
- Status changed from Assigned to In Review
- Status changed from In Review to Resolved
Also available in: Atom
PDF
