[Oisf-users] Suricata 2.0.8 takes too long (4 hours) to load simple rules

Michał Purzyński michalpurzynski1 at gmail.com
Tue Sep 22 06:57:21 UTC 2015


On Tue, Sep 22, 2015 at 5:05 AM, Thomas d'Otreppe <tdotreppe at gmail.com> wrote:
> Hi,
>
> Loading Emerging Threats is fairly quick. But when I load my own rules, which
> consist pretty much of a lot of IPs and large CIDRs, it takes like 4 hours. To
> compare it with snort, those same rules are loaded very quickly (less than a
> minute IIRC).
>
> I can't post the actual rules but here is an example (there are 168923 IPs
> or IP/CIDR total):
> alert tcp any any <> [10.0.0.0/8] any (msg: "Traffic from/to Bogon IP
> Addresses"; flags:S; flow:stateless; detection_filter: track by_src,
> seconds 30, count 5; reference:url,tools.ietf.org/html/rfc1918;
> classtype:bogon; priority:3; sid:1000001; rev:1;)
>

Have you considered using IP reputation? It's a special framework
where you load tons of IPs; it can support millions of them and should
have much better performance - it checks the IP once per flow, at the
moment the IP address is decoded. Your rule would do it per packet.

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/IP_Reputation
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/IPReputationConfig
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/IPReputationFormat
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/IPReputationRules
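As an added illustration (not part of the thread), here is one way to turn a large IP/CIDR list like the one in the original rule into the two iprep input files (categories and reputation) plus a rule that matches on the category instead of carrying the addresses inline; the category name "Bogon", the score values and the sample address list are assumptions.

```python
import ipaddress

# Constructed sample input: the kind of IP / CIDR list the original rule
# carried inline (RFC 1918 space plus a duplicate and a malformed entry).
SAMPLE_ADDRESSES = """
10.0.0.0/8
172.16.0.0/12
172.16.5.0/24
192.168.1.1
192.168.1.1
300.1.2.3
"""

CATEGORY_ID = 1
CATEGORY_NAME = "Bogon"  # assumed category name, not from the original post
SCORE = 127              # assumed reputation score; 127 is the iprep maximum


def collapse(addresses: str) -> list[str]:
    """Parse one address per line, drop malformed lines and duplicates,
    and merge networks that are already covered by a larger one."""
    nets = []
    for line in addresses.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # skip malformed entries such as "300.1.2.3"
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def categories_file() -> str:
    """categories.txt line format: <id>,<short name>,<description>"""
    return f"{CATEGORY_ID},{CATEGORY_NAME},Private and bogon address space\n"


def reputation_file(addresses: str) -> str:
    """reputation.csv line format: <ip or cidr>,<category id>,<score>"""
    return "".join(f"{n},{CATEGORY_ID},{SCORE}\n" for n in collapse(addresses))


def iprep_rule(sid: int = 1000001) -> str:
    """Same options as the original rule, but the address list is replaced
    by an iprep match, which is evaluated once per flow rather than per packet."""
    return (f'alert tcp any any <> any any (msg:"Traffic from/to Bogon IP Addresses"; '
            f'flags:S; flow:stateless; iprep:any,{CATEGORY_NAME},>,10; '
            f'reference:url,tools.ietf.org/html/rfc1918; classtype:bogon; '
            f'priority:3; sid:{sid}; rev:2;)')
```

Point `reputation-categories-file` and `reputation-files` in suricata.yaml at the two generated files and keep the rule's `detection_filter` if you still want the threshold behaviour.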
