Project

General

Profile

Actions
Copy link

Feature #7354

open

detect: reimplement ip-only as a per group prefilter

Added by Victor Julien about 1 year ago. Updated about 1 month ago.

Status:
Assigned
Priority:
Normal
Assignee:
Shivani Bhardwaj
Target version:
9.0.0-beta1
Effort:
Difficulty:
Label:

Description

Currently IP-only rules are processed separately from the "regular" rules, leading to some unexpected behavior around inspection order.

A better approach could be too have them as per sgh prefilter engines. This would then simply make them behave like regular rules. The engine could still run only for the first packet in the flow, or on every packet for flow-less packets.

Related issues 2 (2 open0 closed)

Related to Suricata - Bug #3771: Extreme performance degradation when doing IP-only rules with flow-keywordNewOISF DevActions
Related to Suricata - Bug #7429: detect/ip-only: severe performance degradation of "ip-only" rules with negationIn ProgressShivani BhardwajActions
Actions
Copy link
 #1

Updated by Victor Julien about 1 year ago

  • Related to Bug #3771: Extreme performance degradation when doing IP-only rules with flow-keyword added
Actions
Copy link
 #2

Updated by Shivani Bhardwaj about 1 month ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Shivani Bhardwaj
  • Target version changed from TBD to 9.0.0-beta1

Taking this up as I'm starting to look into related issues.

Actions
Copy link
 #3

Updated by Shivani Bhardwaj 11 days ago

  • Related to Bug #7429: detect/ip-only: severe performance degradation of "ip-only" rules with negation added
Actions
Copy link

Also available in: Atom PDF