[Oisf-users] Suricata 2.0.8 takes too long (4 hours) to load simple rules

Thomas d'Otreppe tdotreppe at gmail.com
Tue Sep 22 03:05:27 UTC 2015


Loading Emerging Threats is fairly quick. But when I load my own rules
which consist pretty much of a lot of IPs and large CIDR, it takes like 4
hours. To compare it with snort, those same rules are loaded very quickly
(less than a minute IIRC).

I can't post the actual rules but here is an example (there are 168923 IPs
or IP/CIDR total):
alert tcp any any <> [] any (msg: "Traffic from/to Bogon IP Addresses"; flags:S; flow:stateless; detection_filter: track by_src, seconds 30, count 5; reference:url,tools.ietf.org/html/rfc1918; classtype:bogon; priority:3; sid:1000001; rev:1;)

I don't have the logs anymore, but the loading is done in 3 steps. First
one is fairly quick. With my rules, it took about 4 minutes for step 2
(source IP I think) to complete, then 4 hours for step 3 (Destination IP I

Why is it taking so long? Is there any way I can improve loading them (and
use all CPUs to parse them; only one was used)?

The system has 4Gb of RAM and four i7 cores at 2.8GHz, uses af-packet (but
it shouldn't matter in this case).
Any detail you need to debug the issue?

Best regards,

