[Oisf-devel] Suricata rule matching - order of operations
David Wharton
oisf at davidwharton.us
Tue Feb 10 01:50:58 UTC 2015
Hey all,
I'm getting back into writing Suricata rules after spending a lot of
time writing rules for other engines. One thing I'm really interested
in is the order in which rule directives/options are checked in
Suricata. For example, I know that protocol gets checked before ports
but when exactly in the detect engine do things like fast_pattern,
flowbits, dsize, etc. get checked?
The order in which rule matching options are evaluated can make a
non-trivial difference in rule performance (depending on the rule) so it
affects how I craft rules. Knowing the engine's logic tree with regard
to rule matching would greatly help with writing the most efficient
rules possible.
I would *love* to have a flowchart showing exactly when and where and in
what order things are evaluated. I know Suricata is a complex and
powerful IDS/IPS engine so putting together a comprehensive explanation
is far from simple but I think it would benefit the OISF community in
the long run. Let me know if I can help with anything.
Thanks.
-David Wharton