Project

General

Profile

Actions
Copy link

Feature #7354

open
VJ SB

detect: reimplement ip-only as a per group prefilter

Feature #7354: detect: reimplement ip-only as a per group prefilter

Added by Victor Julien over 1 year ago. Updated 4 months ago.

Status:
Assigned
Priority:
Normal
Assignee:
Shivani Bhardwaj
Target version:
9.0.0-beta1
Effort:
Difficulty:
Label:

Description

Currently IP-only rules are processed separately from the "regular" rules, leading to some unexpected behavior around inspection order.

A better approach could be too have them as per sgh prefilter engines. This would then simply make them behave like regular rules. The engine could still run only for the first packet in the flow, or on every packet for flow-less packets.

Related issues 2 (2 open0 closed)

Related to Suricata - Bug #3771: Extreme performance degradation when doing IP-only rules with flow-keywordNewOISF DevActions
Related to Suricata - Bug #7429: detect/ip-only: severe performance degradation of "ip-only" rules with negationAssignedShivani BhardwajActions

VJ Updated by Victor Julien over 1 year ago Actions
Copy link
 #1

  • Related to Bug #3771: Extreme performance degradation when doing IP-only rules with flow-keyword added

SB Updated by Shivani Bhardwaj 4 months ago Actions
Copy link
 #2

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Shivani Bhardwaj
  • Target version changed from TBD to 9.0.0-beta1

Taking this up as I'm starting to look into related issues.

SB Updated by Shivani Bhardwaj 3 months ago Actions
Copy link
 #3

  • Related to Bug #7429: detect/ip-only: severe performance degradation of "ip-only" rules with negation added
Actions
Copy link

Also available in: PDF Atom