[Oisf-users] silly performance question

Victor Julien lists at inliniac.net
Wed Apr 17 07:10:25 UTC 2013


On 04/17/2013 08:44 AM, Christophe Vandeplas wrote:
> We were wondering about the performance difference between:

Are you seeing a perf difference? Or is this hypothetical?

> a) alert udp any any -> any 53 (content:"|03|foo|03|com|00|";)
> 
> b) alert udp $DNS_SERVERS_DMZ any -> any 53 (content:"|03|foo|03|com|00|";)
> 
> This considering that we are interested in searching for any query to
> that foo.com domain.
> There would probably be no other DNS traffic than the one from the
> systems defined in $DNS_SERVERS.
> I presume the difference in performance will be caused by the way the
> pattern-tree is built/checked.

This affects rule grouping, yes. It will cause your 2nd rule to be
checked less often which should improve perf. However, it does make the
rule tree larger at the cost of memory.

Also, the inspection of the 2nd rule itself is slightly more expensive
as the source address has to be checked against your $DNS_SERVERS_DMZ
variable.

There is quite a bit of magic in the rule grouping which depends on
these settings:

detect-engine:
  - profile: medium
  - custom-values:
      toclient-src-groups: 2
      toclient-dst-groups: 2
      toclient-sp-groups: 2
      toclient-dp-groups: 3
      toserver-src-groups: 2
      toserver-dst-groups: 4
      toserver-sp-groups: 2
      toserver-dp-groups: 25

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml#Inspection-configuration

The higher your settings, the higher the probability of the 2nd rule
ending up in a separate group. There is no guarantee however.

> Please no "I think that", we've been discussing this internally and we
> finally ended in a situation where everyone used arguments of the "i
> think that" kind and no "this behavior explains ..."

_I_think_that_ you need to do some actual testing then, can't ask others
to do that for you. :)

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
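
Victor's closing advice is to test rather than argue. As an added example (my code, not from the thread or from the Suricata project), the script below builds the fixtures for such a test offline: a pcap of DNS queries from a DMZ resolver and from a non-DMZ host, one rule file per variant, and the alert counts each variant should produce so the run can be checked. It goes slightly beyond the thread in that `content_matches` also shows what the `|03|foo|03|com|00|` pattern does and does not match (every subdomain of foo.com, but neither foo.com.evil nor barfoo.com). Assumed: 10.0.1.53 is the only member of `$DNS_SERVERS_DMZ`, 192.0.2.10 is a non-DMZ host, 198.51.100.53 is the upstream resolver, the MAC addresses and file names are arbitrary, and `msg`/`sid`/`rev` are added to the two rules so that each loads on its own.

```python
"""Offline fixtures for comparing the two rule variants from the thread.

Added example, not code from the thread or from the Suricata project.
Assumed values: 10.0.1.53 as the only $DNS_SERVERS_DMZ member, 192.0.2.10 as
a non-DMZ host, 198.51.100.53 as the upstream resolver, and msg/sid/rev added
to the two rules so each one loads on its own.
"""
import socket
import struct

DNS_SERVERS_DMZ = ["10.0.1.53"]  # assumed: what $DNS_SERVERS_DMZ expands to

# The two rules from the thread, with msg/sid/rev added (assumption) so Suricata accepts them.
RULE_A = ('alert udp any any -> any 53 '
          '(msg:"foo.com query, any source"; content:"|03|foo|03|com|00|"; sid:1000001; rev:1;)')
RULE_B = ('alert udp $DNS_SERVERS_DMZ any -> any 53 '
          '(msg:"foo.com query, DMZ source"; content:"|03|foo|03|com|00|"; sid:1000002; rev:1;)')


def dns_name(name):
    r"""Encode a domain name in DNS wire format: length-prefixed labels, NUL end.
    'foo.com' -> b'\x03foo\x03com\x00', i.e. exactly the |03|foo|03|com|00| content."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def content_matches(qname, pattern=dns_name("foo.com")):
    """content: is a substring search over the payload, so the pattern matches
    foo.com and every subdomain of it, but neither foo.com.evil (no 00 after
    'com') nor barfoo.com (the 03 length byte precedes 'bar', not 'foo')."""
    return pattern in dns_name(qname)


def ip_checksum(data):
    """RFC 1071 one's-complement checksum over a byte string."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def dns_query_packet(src_ip, dst_ip, qname, txid=0x1234):
    """Ethernet/IPv4/UDP frame carrying a standard recursive A query for qname."""
    dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + dns_name(qname) + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns  # UDP checksum 0 = omitted
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"  # assumed MACs
    return eth + ip + udp


def pcap_bytes(frames):
    """Classic libpcap file (linktype 1 = Ethernet) holding the given frames."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        # 1366182625 is the thread's date as an epoch; purely cosmetic
        out.append(struct.pack("<IIII", 1366182625 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def expected_alerts(src_ip, qname):
    """What each rule should fire on: both need the content hit, b) also needs a DMZ source."""
    hit = content_matches(qname)
    return {"a": hit, "b": hit and src_ip in DNS_SERVERS_DMZ}


# Constructed traffic: a DMZ resolver and a non-DMZ host querying names that do and do not match.
TRAFFIC = [("10.0.1.53", "foo.com"), ("10.0.1.53", "www.foo.com"),
           ("192.0.2.10", "foo.com"), ("10.0.1.53", "foo.com.evil"), ("10.0.1.53", "barfoo.com")]


def expected_alert_counts():
    """Alerts each variant should produce over TRAFFIC, to compare against fast.log."""
    counts = {"a": 0, "b": 0}
    for src, name in TRAFFIC:
        for tag, fires in expected_alerts(src, name).items():
            counts[tag] += int(fires)
    return counts


def write_test_files(prefix="dnsvar"):
    """Write <prefix>.pcap and one rule file per variant; returns the expected counts."""
    frames = [dns_query_packet(src, "198.51.100.53", name) for src, name in TRAFFIC]
    with open(prefix + ".pcap", "wb") as f:
        f.write(pcap_bytes(frames))
    for tag, rule in (("a", RULE_A), ("b", RULE_B)):
        with open("%s_%s.rules" % (prefix, tag), "w") as f:
            f.write(rule + "\n")
    return expected_alert_counts()


if __name__ == "__main__":
    print(write_test_files())  # {'a': 3, 'b': 2}
```

With `DNS_SERVERS_DMZ: "[10.0.1.53]"` defined under `vars: address-groups:` in suricata.yaml, run `suricata -r dnsvar.pcap -S dnsvar_a.rules -l out_a` and the same with `dnsvar_b.rules`, then compare the sid counts in each `fast.log` with what `expected_alert_counts()` returns. Five packets only verify that the rules match what was intended; for the performance question itself, replay a realistically sized DNS capture against each rule set and vary the detect-engine group settings quoted above, since that is where Victor says the grouping difference comes from.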