<div dir="ltr">I'm seeing some weird behavior from the profiling results, and I'm trying to understand if what I'm seeing is a bug, some issue with my rules (I doubt this), or some behavior that I don't understand. <div><br></div><div>I have configured and built suricata with profiling successfully. I'm getting output in my rule_perf.log.</div><div><br></div><div>I'm running the default yaml:</div><div>/data/suricata-3.0/src/suricata -vv -c /data/suricata-3.0/suricata.yaml -r /data/my.pcap -S /data/rules_file.txt<br></div><div><br></div><div>Say I have rules A, B, and C in my rules file.</div><div>Rule A is <a href="http://doc.emergingthreats.net/2006588">http://doc.emergingthreats.net/2006588</a></div><div>Rule B is <a href="http://doc.emergingthreats.net/2005568">http://doc.emergingthreats.net/2005568</a></div><div>Rule C is a boring ETpro rule (Let me know if there is a proper way to share this.)</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS etc...</blockquote><div><br></div><div>If I run this rules file through a couple of huge (7G and 23G) pcaps of a real, large network I would expect these rules to have many "ticks" and many "checks". But instead I get one "check" for Rule B, ~2488 ticks. Only one single "check" out of everything.</div>
<div><br></div><div>This happens for both text output:</div><div><a href="http://pastebin.com/XbXMyw5J">http://pastebin.com/XbXMyw5J</a><br></div><div><br></div><div>And JSON output:</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><p class="">{"timestamp":"2016-02-08T20:09:52.066377+0000","rules":[{"signature_id": 2005568,"gid":1,"rev":5,"checks":1,"matches":0,"ticks_total":2376,"ticks_max":2376,"ticks_avg":2376,"ticks_avg_match":0,"ticks_avg_nomatch":2376,"percent":100}]}<br></p></blockquote><div> </div><div>How could a rules file with three rules, run against huge pcaps, have only a single "check" for only one of the rules? </div><div><br></div><div>Second question/issue, maybe related, maybe not. If I reorder the rules, I get the same result (expected). If I remove rule A from the list, I get the same result (expected). If I remove rule C, I get a different result. Profiling will return nothing, aka no "check" or "ticks" for any rules (not expected). </div><div><br></div><div>For the record, this happens in larger rule files too. But as I add more rules, some of them will get checked a lot, whereas some of them won't be checked at all.</div><div><br></div><div>Let me know if I can include any other information that would be helpful.</div><div><br></div><div>Many thanks for any and all help!</div><div>-JR</div><div><br></div></div>
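Reading rule_perf.log JSON records like the one quoted in the post, as an added example that is not the poster's code and not part of Suricata. It assumes the log is one JSON object per line with the fields shown in the post, takes the list of loaded signature ids from the caller (Suricata's profiler only emits rules that received at least one check, so a rule that was never evaluated simply has no record), and uses a constructed second line (signature 1000001 is a placeholder, not a real ET sid) so that merging several records of the same signature has something to do. The function names parse_rule_perf, unchecked_rules and costliest_rules are my own. It reports the two things a practitioner wants from this output: rules that never received a check, which is the symptom described in the thread, and rules with the highest average ticks per check.

```python
import json

# Constructed sample input. The first line is the record quoted in the mailing-list post;
# the second line is constructed here (signature 1000001 is a placeholder, not a real ET sid)
# so that the aggregation merges more than one record for one signature.
SAMPLE_RULE_PERF_LOG = """\
{"timestamp":"2016-02-08T20:09:52.066377+0000","rules":[{"signature_id": 2005568,"gid":1,"rev":5,"checks":1,"matches":0,"ticks_total":2376,"ticks_max":2376,"ticks_avg":2376,"ticks_avg_match":0,"ticks_avg_nomatch":2376,"percent":100}]}
{"timestamp":"2016-02-08T20:10:52.000000+0000","rules":[{"signature_id": 2005568,"gid":1,"rev":5,"checks":3,"matches":1,"ticks_total":9000,"ticks_max":4000,"ticks_avg":3000,"ticks_avg_match":2000,"ticks_avg_nomatch":3500,"percent":90},{"signature_id": 1000001,"gid":1,"rev":1,"checks":10,"matches":0,"ticks_total":1000,"ticks_max":200,"ticks_avg":100,"ticks_avg_match":0,"ticks_avg_nomatch":100,"percent":10}]}
"""


def parse_rule_perf(text):
    """Aggregate newline-delimited JSON rule-profiling records per signature_id.

    Returns {sid: {"checks", "matches", "ticks_total", "ticks_max", "ticks_avg"}}.
    ticks_avg is recomputed from the merged totals rather than copied from any
    single record, so it stays correct after several records are combined.
    """
    summary = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        for entry in record.get("rules", []):
            sid = int(entry["signature_id"])
            agg = summary.setdefault(
                sid, {"checks": 0, "matches": 0, "ticks_total": 0, "ticks_max": 0})
            agg["checks"] += int(entry.get("checks", 0))
            agg["matches"] += int(entry.get("matches", 0))
            agg["ticks_total"] += int(entry.get("ticks_total", 0))
            agg["ticks_max"] = max(agg["ticks_max"], int(entry.get("ticks_max", 0)))
    for agg in summary.values():
        # Guard the division so a malformed zero-check entry cannot raise ZeroDivisionError.
        agg["ticks_avg"] = agg["ticks_total"] // agg["checks"] if agg["checks"] else 0
    return summary


def unchecked_rules(summary, loaded_sids):
    """Signature ids from the rules file that never appear in the profile.

    A rule absent from every profiling record was never evaluated against any
    packet, which is the condition the post describes for rules A and C.
    """
    return sorted(set(loaded_sids) - set(summary))


def costliest_rules(summary, n=3):
    """Signature ids ordered by average ticks per check, most expensive first."""
    ranked = sorted(summary.items(), key=lambda kv: kv[1]["ticks_avg"], reverse=True)
    return [sid for sid, _ in ranked[:n]]


if __name__ == "__main__":
    summary = parse_rule_perf(SAMPLE_RULE_PERF_LOG)
    for sid, agg in sorted(summary.items()):
        print(sid, agg)
    # Rules A and B from the post plus the constructed placeholder signature.
    print("never checked:", unchecked_rules(summary, [2006588, 2005568, 1000001]))
    print("costliest:", costliest_rules(summary))
```

Point the script at a real rule_perf.log and a list of the sids in the loaded rules file; a sid in the "never checked" list is one the detection engine never evaluated, so before treating that as a profiler bug it is worth confirming that the rule's protocol, ports and flow direction actually match traffic in the pcap.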