Bug #7429

open

detect/ip-only: severe performance degradation of "ip-only" rules with negation

Added by Victor Julien 20 days ago. Updated 20 days ago.

Status: Assigned
Priority: Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Many IP-only rules are written on the assumption that they will be evaluated efficiently. However, when the frequently used $HOME_NET variable contains any negation, the rule type changes to "like IP-only", which is evaluated per packet using a linear address compare sequence.

This can lead to serious performance drops.

Perf might show something like:

Samples: 6M of event 'cycles', 4000 Hz, Event count (approx.): 1783474177970 lost: 0/0 drop: 0/0
Overhead  Shared Object         Symbol
  40.75%  suricata              [.] DetectAddressMatchIPv4
  30.19%  suricata              [.] DetectRun.part.0
  10.45%  suricata              [.] DetectRunInspectRuleHeader
   2.02%  suricata              [.] DetectProtoContainsProto
   1.96%  libhs.so.5.4.0        [.] 0x00000000006ed1d9

Ideally the optimized IP-only support would support negation natively.
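To make the "native negation" idea concrete, here is an added Python illustration (not Suricata's DetectAddress code) that compiles an address group containing "!" entries into sorted, disjoint positive IPv4 ranges, so one binary search per packet replaces the linear compare over every entry; the group semantics (positives unioned, negations subtracted, a negation-only group subtracted from 0.0.0.0/0) and the IPv4-only scope are assumptions, and all addresses below are constructed.

```python
import bisect
import ipaddress

class AddressGroup:
    """Address group with "!" negation compiled to sorted, disjoint IPv4 ranges.
    Assumed semantics: positives are unioned, negations subtracted, and a group
    of only negations is subtracted from 0.0.0.0/0 (illustration, not Suricata code)."""
    def __init__(self, specs):
        pos, neg = [], []
        for spec in specs:
            net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
            (neg if spec.startswith("!") else pos).append(net)
        if not pos:
            pos = [ipaddress.ip_network("0.0.0.0/0")]
        ranges = [(int(n.network_address), int(n.broadcast_address)) for n in pos]
        for n in neg:  # carve each negated block out of every positive range
            lo, hi = int(n.network_address), int(n.broadcast_address)
            carved = []
            for first, last in ranges:
                if hi < first or lo > last:  # no overlap: keep range intact
                    carved.append((first, last))
                    continue
                if first < lo:  # part left of the hole survives
                    carved.append((first, lo - 1))
                if last > hi:  # part right of the hole survives
                    carved.append((hi + 1, last))
            ranges = carved
        self.ranges = []  # sort and coalesce overlapping or adjacent ranges
        for first, last in sorted(ranges):
            if self.ranges and first <= self.ranges[-1][1] + 1:
                self.ranges[-1] = (self.ranges[-1][0], max(self.ranges[-1][1], last))
            else:
                self.ranges.append((first, last))
        self.starts = [first for first, _ in self.ranges]

    def contains(self, ip):
        """O(log n): find the last range starting at or before ip, test its end."""
        addr = int(ipaddress.IPv4Address(ip))
        i = bisect.bisect_right(self.starts, addr) - 1
        return i >= 0 and addr <= self.ranges[i][1]

def contains_linear(specs, ip):
    """Per-packet linear compare over the raw entries: the slow path in the report."""
    addr = ipaddress.IPv4Address(ip)
    pos = [s for s in specs if not s.startswith("!")] or ["0.0.0.0/0"]
    neg = [s[1:] for s in specs if s.startswith("!")]
    hit = any(addr in ipaddress.ip_network(s, strict=False) for s in pos)
    return hit and not any(addr in ipaddress.ip_network(s, strict=False) for s in neg)
```

Both functions give the same verdict for every address; only the compiled form keeps per-packet cost logarithmic in the number of ranges rather than linear in the number of entries.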


Related issues 1 (1 open, 0 closed)

Related to Suricata - Bug #3771: Extreme performance degradation when doing IP-only rules with flow-keyword (status: New, assignee: OISF Dev)
