Project

General

Profile

Actions
Copy link

Feature #7354

open
VJ SB

detect: reimplement ip-only as a per group prefilter

Feature #7354: detect: reimplement ip-only as a per group prefilter

Added by Victor Julien over 1 year ago. Updated 5 months ago.

Status:
Assigned
Priority:
Normal
Assignee:
Shivani Bhardwaj
Target version:
9.0.0-beta1
Effort:
Difficulty:
Label:

Description

Currently IP-only rules are processed separately from the "regular" rules, leading to some unexpected behavior around inspection order.

A better approach could be too have them as per sgh prefilter engines. This would then simply make them behave like regular rules. The engine could still run only for the first packet in the flow, or on every packet for flow-less packets.

Related issues 2 (2 open0 closed)

Related to Suricata - Bug #3771: Extreme performance degradation when doing IP-only rules with flow-keywordNewOISF DevActions
Related to Suricata - Bug #7429: detect/ip-only: severe performance degradation of "ip-only" rules with negationAssignedShivani BhardwajActions
Actions
Copy link

Also available in: PDF Atom