Bug #7429
opendetect/ip-only: severe performance degradation of "ip-only" rules with negation
Affected Versions:
Effort:
Difficulty:
Label:
Description
Many IP-only rules are written on the assumption that they will be evaluated efficiently. However, when the commonly used $HOME_NET
variable contains any negation, the rule type changes to "like IP-only", which is evaluated per packet using a linear address compare sequence.
This can lead to serious performance drops.
Perf might show something like:
Samples: 6M of event 'cycles', 4000 Hz, Event count (approx.): 1783474177970 lost: 0/0 drop: 0/0
Overhead  Shared Object   Symbol
 40.75%   suricata        [.] DetectAddressMatchIPv4
 30.19%   suricata        [.] DetectRun.part.0
 10.45%   suricata        [.] DetectRunInspectRuleHeader
  2.02%   suricata        [.] DetectProtoContainsProto
  1.96%   libhs.so.5.4.0  [.] 0x00000000006ed1d9
Ideally the optimized IP-only support would support negation natively.
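Until negation is handled natively, the slow path can be avoided by expressing the variable without "!" entries. The following added example (not code from the report or from Suricata) rewrites a flat address group such as "[10.0.0.0/8,!10.10.0.0/16]" into the equivalent list of positive CIDR blocks; it assumes flat groups only (no nested brackets, no "any") and uses Python's ipaddress module for the subtraction.

```python
"""Rewrite a Suricata address-group variable that contains negations
into an equivalent list of positive CIDR blocks, so rules that use it
keep the optimized IP-only evaluation instead of the 'like IP-only'
per-packet linear compare. Added example; flat groups only (assumption)."""
import ipaddress
from typing import List, Tuple


def parse_group(group: str) -> Tuple[list, list]:
    """Split "[a,!b,c]" into (included, excluded) network lists."""
    text = group.strip()
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
    included, excluded = [], []
    for item in (s.strip() for s in text.split(",") if s.strip()):
        if item.startswith("!"):
            excluded.append(ipaddress.ip_network(item[1:], strict=False))
        else:
            included.append(ipaddress.ip_network(item, strict=False))
    return included, excluded


def positive_only(group: str) -> List[str]:
    """Return the same address set as positive CIDRs only (no '!')."""
    included, excluded = parse_group(group)
    remaining = list(included)
    for ex in excluded:
        nxt = []
        for r in remaining:
            if r.version != ex.version or not r.overlaps(ex):
                nxt.append(r)                       # unrelated block: keep as is
            elif r.subnet_of(ex):
                continue                            # fully excluded: drop it
            else:
                nxt.extend(r.address_exclude(ex))   # ex lies strictly inside r
        remaining = nxt
    out = []
    for version in (4, 6):                          # collapse per IP version
        same = [n for n in remaining if n.version == version]
        out.extend(str(n) for n in sorted(ipaddress.collapse_addresses(same)))
    return out


def render_group(nets: List[str]) -> str:
    """Format the list back as a suricata.yaml address-group value."""
    return "[" + ",".join(nets) + "]"
```

The rewritten list is exact but longer (one block per prefix length between the included and excluded networks), so it is a trade of a few extra entries for staying on the IP-only fast path.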