[Oisf-users] silly performance question

Christophe Vandeplas christophe at vandeplas.com
Wed Apr 17 07:25:43 UTC 2013


On Wed, Apr 17, 2013 at 9:10 AM, Victor Julien <lists at inliniac.net> wrote:
> On 04/17/2013 08:44 AM, Christophe Vandeplas wrote:
>> We were wondering about the performance difference between:
>
> Are you seeing a perf difference? Or is this hypothetical?

Hypothetical

>> a) alert udp any any -> any 53 (content:"|03|foo|03|com|00|";)
>>
>> b) alert udp $DNS_SERVERS_DMZ any -> any 53 (content:"|03|foo|03|com|00|";)
>>
>> This considering that we are interested in searching for any query to
>> that foo.com domain.
>> There would probably be no other DNS traffic than the one from the
>> systems defined in $DNS_SERVERS.
>> I presume the difference in performance will be caused by the way the
>> pattern-tree is built/checked.
>
> This affects rule grouping, yes. It will cause your 2nd rule to be
> checked less often which should improve perf. However, it does make the
> rule tree larger at the cost of memory.

Will the any any udp/53 rule be checked more often even if there is no
other port 53 traffic than the one coming from $DNS_SERVERS?


> Also, the inspection of the 2nd rule itself is slightly more expensive
> as the source address has to be checked against your $DNS_SERVERS_DMZ
> variable.
>
> There is quite a bit of magic in the rule grouping which depends on
> these settings:
>
> detect-engine:
>   - profile: medium
>   - custom-values:
>       toclient-src-groups: 2
>       toclient-dst-groups: 2
>       toclient-sp-groups: 2
>       toclient-dp-groups: 3
>       toserver-src-groups: 2
>       toserver-dst-groups: 4
>       toserver-sp-groups: 2
>       toserver-dp-groups: 25
>
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml#Inspection-configuration
>
> The higher your settings, the higher the probability of the 2nd rule
> ending up in a separate group. There is no guarantee however.
>
>> Please no "I think that", we've been discussing this internally and we
>> finally ended in a situation where everyone used arguments of the "I
>> think that" kind and no "this behavior explains ..."
>
> _I_think_that_ you need to do some actual testing then, can't ask others
> to do that for you. :)

Yes sir! I will!

>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
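To make the grouping trade-off in the thread concrete, here is an added toy model (not Suricata's code and not its real grouping algorithm): rules are pre-filtered by destination port and source address, and only the survivors are content-matched, so you can count candidates and address lookups per packet. The $DNS_SERVERS_DMZ contents and the DNS query payload are constructed.

```python
"""Toy model of signature pre-filtering by destination port and source address.
Constructed illustration; Suricata's real rule grouping is more involved."""
import ipaddress
from dataclasses import dataclass

# Constructed address variable, stands in for $DNS_SERVERS_DMZ in suricata.yaml.
ADDRESS_VARS = {"$DNS_SERVERS_DMZ": ["10.0.1.0/24", "10.0.2.53/32"]}


@dataclass
class Rule:
    name: str
    src: str          # "any", an address variable, or a CIDR
    dport: int
    content: bytes    # |03|foo|03|com|00| as raw bytes

    def src_networks(self):
        if self.src == "any":
            return None  # matches every source, no address lookup needed
        nets = ADDRESS_VARS.get(self.src, [self.src])
        return [ipaddress.ip_network(n) for n in nets]


def candidate_rules(rules, src_ip, dport):
    """Rules surviving the port/address pre-filter, plus how many address checks ran."""
    ip = ipaddress.ip_address(src_ip)
    cands, checks = [], 0
    for r in rules:
        if r.dport != dport:
            continue           # port grouping drops this rule cheaply
        nets = r.src_networks()
        if nets is not None:
            checks += 1        # the extra per-packet cost of a restricted source
            if not any(ip in n for n in nets):
                continue
        cands.append(r)
    return cands, checks


def inspect(rules, src_ip, dport, payload):
    """Content-match only the candidate rules; returns (alerts, candidates, checks)."""
    cands, checks = candidate_rules(rules, src_ip, dport)
    alerts = [r.name for r in cands if r.content in payload]
    return alerts, len(cands), checks

RULES = [
    Rule("a_any_src", "any", 53, b"\x03foo\x03com\x00"),
    Rule("b_dmz_src", "$DNS_SERVERS_DMZ", 53, b"\x03foo\x03com\x00"),
]
# Constructed DNS query (header + question for foo.com, type A, class IN).
QUERY = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03foo\x03com\x00\x00\x01\x00\x01"
```

Running `inspect(RULES, "192.168.5.5", 53, QUERY)` shows rule (b) dropped before content matching while rule (a) is still inspected; traffic from a DMZ resolver leaves both as candidates but still pays the address check for (b).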