[Oisf-users] Issue with Profiling in Suricata (Seen both in 2.0.11 and 3.0)

John Rett johnarett at gmail.com
Mon Feb 8 20:53:59 UTC 2016


I'm seeing some weird behavior from the profiling results, and I'm trying
to understand if what I'm seeing is a bug, some issue with my rules (I
doubt this), or some behavior that I don't understand.

I have configured and built suricata with profiling successfully. I'm
getting output in my rule_perf.log.

I'm running the default yaml:
/data/suricata-3.0/src/suricata -vv -c /data/suricata-3.0/suricata.yaml -r /data/my.pcap -S /data/rules_file.txt

Say I have rule A, B, and C in my rules file.
Rule A is http://doc.emergingthreats.net/2006588
Rule B is http://doc.emergingthreats.net/2005568
Rule C is a boring ETpro rule (Let me know if there is a proper way to
share this.)

> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS etc...


If I run this rules file through a couple of huge (7G and 23G) pcaps of a
real large network, I would expect these rules to have many "ticks" and many
"checks". But instead I get one "check" for Rule B, ~2488 ticks. Only one
single "check" out of everything.

This happens for both text output:
http://pastebin.com/XbXMyw5J

And JSON output:

>
> {"timestamp":"2016-02-08T20:09:52.066377+0000","rules":[{"signature_id": 2005568,"gid":1,"rev":5,"checks":1,"matches":0,"ticks_total":2376,"ticks_max":2376,"ticks_avg":2376,"ticks_avg_match":0,"ticks_avg_nomatch":2376,"percent":100}]}
>

How could a rules file with three rules, run against huge pcaps, only have
a single "check" for only one of the rules?

Second question/issue, maybe related, maybe not. If I reorder the rules, I
get the same result (expected.) If I remove rule A from the list, I get the
same result (expected). If I remove rule C, I get a different result.
Profiling will return nothing, aka no "check" or "ticks" for any rules (not
expected).

For the record this happens in larger rule files too. But as I add more
rules, some of them will get checked a lot, whereas some of them won't be
checked at all.

Let me know if I can include any other information that would be helpful.

Many thanks for any and all help!
-JR
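
An added example, not part of the original post or of Suricata: one way to cross-check a rules file against the JSON profiling output and list the rules that were loaded but never checked. The profiling record is the one quoted above; the rule bodies are constructed stand-ins, 9999999 is a placeholder sid for rule C, and one JSON record per line is an assumption.

```python
import json
import re

# Record copied from the JSON profiling output quoted in the post.
PROFILE_LINE = '{"timestamp":"2016-02-08T20:09:52.066377+0000","rules":[{"signature_id": 2005568,"gid":1,"rev":5,"checks":1,"matches":0,"ticks_total":2376,"ticks_max":2376,"ticks_avg":2376,"ticks_avg_match":0,"ticks_avg_nomatch":2376,"percent":100}]}'

# Constructed stand-ins for the three-rule file. Only the sids of rules A and B
# come from the post; the bodies are placeholders, and 9999999 is a placeholder
# sid for rule C, whose sid the post does not give.
RULES_TEXT = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"stand-in rule A"; sid:2006588; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"stand-in rule B"; sid:2005568; rev:5;)
# alert tcp any any -> any any (msg:"disabled rule"; sid:1; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"stand-in rule C"; sid:9999999; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def loaded_sids(rules_text):
    """Return the sids of enabled (non-comment) rules, in file order."""
    sids = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and commented-out rules
        m = SID_RE.search(line)
        if m:
            sids.append(int(m.group(1)))
    return sids

def profiled_checks(json_lines):
    """Sum 'checks' per signature_id across all profiling records."""
    checks = {}
    for line in json_lines.splitlines():
        line = line.strip()
        if not line:
            continue
        for rule in json.loads(line).get("rules", []):
            sid = rule["signature_id"]
            checks[sid] = checks.get(sid, 0) + rule["checks"]
    return checks

def never_checked(rules_text, json_lines):
    """Sids that were loaded but have no checks recorded in the profile."""
    checks = profiled_checks(json_lines)
    return [sid for sid in loaded_sids(rules_text) if checks.get(sid, 0) == 0]

if __name__ == "__main__":
    print("checks per sid:", profiled_checks(PROFILE_LINE))
    print("loaded but never checked:", never_checked(RULES_TEXT, PROFILE_LINE))
```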