Optimization #8484

closed
Threshold hash table doesn't hash IPv4 addresses, resulting in poor bucket distribution

Added by Alexander Maltsev 3 months ago. Updated 16 days ago.

Status: Closed
Priority: Normal
Assignee: -
Target version:
Effort:
Difficulty:
Label: C

Description

Hello. I have a significant performance degradation with Suricata 8 compared to 7.0.15. Judging by flamegraphs, Suricata spends much more time in DetectEngineRunPostRules/PacketAlertFinalize/ThresholdGetFromHash. My threshold rules are track-by-both and the network is IPv4 only.
Examining the resulting hash table in detect-engine-threshold.c ctx (shouldn't it be static if it uses such a non-specific name?), I could see only one bucket holding all the values, so naturally a linear search over the linked list is very costly. My test iterates IPs over two networks, so the resulting bucket number is always the same, even though the IPs are different.
In 7.0.15 ippair hashed both IPs, but in Suricata 8 it just adds the IP without hashing it: https://github.com/OISF/suricata/blob/be36e67f52fd6b6b104cff9ceb38369dbaf0eaaf/src/detect-engine-threshold.c#L266. Adding hashword here fixed the problem for me.
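
An added illustration, not part of the original report and not Suricata's code: one way that adding unhashed IPv4 addresses can put every pair from two networks into a single bucket, next to a mixed key for comparison. Assumptions: a 16384-bucket table, addresses held in network byte order and read as a `uint32_t` on a little-endian host, murmur3's `fmix32` as a stand-in mixer (not `hashword`), and constructed sample networks 10.0.0.0/24 and 192.168.1.0/24; all function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define BUCKETS 16384u /* assumed table size for this example */

/* Constructed address a.b.c.d as stored in network byte order and read as a
 * uint32_t on a little-endian host: the host octet d lands in the top byte. */
static uint32_t ip_le(uint8_t a, uint8_t b, uint8_t c, uint8_t d)
{
    return (uint32_t)a | (uint32_t)b << 8 | (uint32_t)c << 16 | (uint32_t)d << 24;
}

/* Weak key: the raw addresses are only added, so low bits never change. */
static uint32_t key_add(uint32_t src, uint32_t dst, uint32_t seed)
{
    return seed + src + dst;
}

/* murmur3 fmix32 finalizer: spreads every input bit over the whole word. */
static uint32_t mix32(uint32_t x)
{
    x ^= x >> 16; x *= 0x85ebca6bu;
    x ^= x >> 13; x *= 0xc2b2ae35u;
    return x ^ (x >> 16);
}

/* Mixed key: both addresses pass through the mixer before bucket selection. */
static uint32_t key_mixed(uint32_t src, uint32_t dst, uint32_t seed)
{
    return mix32(mix32(src ^ seed) + dst);
}

typedef uint32_t (*keyfn)(uint32_t, uint32_t, uint32_t);

/* Distinct buckets hit by 64 x 64 host pairs drawn from the two networks. */
static size_t buckets_used(keyfn fn)
{
    static uint8_t seen[BUCKETS];
    size_t used = 0;
    for (size_t i = 0; i < BUCKETS; i++) seen[i] = 0;
    for (unsigned s = 1; s <= 64; s++)
        for (unsigned d = 1; d <= 64; d++) {
            uint32_t b = fn(ip_le(10, 0, 0, s), ip_le(192, 168, 1, d), 0x5eedu) % BUCKETS;
            if (!seen[b]) { seen[b] = 1; used++; }
        }
    return used;
}
int main(void) { printf("add=%zu mixed=%zu\n", buckets_used(key_add), buckets_used(key_mixed)); return 0; }
```

With the additive key, only the top byte of the sum varies across the 4096 pairs, and the modulo by the bucket count discards it, so every entry chains into one bucket.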


Related issues 1 (1 open, 0 closed)

Related to Suricata - Bug #8617: threshold: seed only partially applied in IPv6 hash (Resolved, Victor Julien)