[Oisf-users] Issue with Profiling in Suricata (Seen both in 2.0.11 and 3.0)

Andreas Herz andi at geekosphere.org
Tue Feb 16 20:27:39 UTC 2016


Hi John,

could you add this request into the redmine issue tracker?

It would also be helpful if you can reproduce your strange behaviour
(especially when removing the C rule) with a smaller pcap that you could
also share with us, so we can try to reproduce it.

Thanks

On 08/02/16 at 15:53, John Rett wrote:
> I'm seeing some weird behavior from the profiling results, and I'm trying
> to understand if what I'm seeing is a bug, some issue with my rules (I
> doubt this), or some behavior that I don't understand.
> 
> I have configured and built suricata with profiling successfully. I'm
> getting output in my rule_perf.log.
> 
> I'm running the default yaml:
> /data/suricata-3.0/src/suricata -vv -c /data/suricata-3.0/suricata.yaml -r
> /data/my.pcap -S /data/rules_file.txt
> 
> Say I have rule A, B, and C in my rules file.
> Rule A is http://doc.emergingthreats.net/2006588
> Rule B is http://doc.emergingthreats.net/2005568
> Rule C is a boring ETpro rule (Let me know if there is a proper way to
> share this.)
> 
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS etc...
> 
> 
> If I run this rules file through a couple of huge (7G and 23G) pcaps of a real
> large network, I would expect these rules to have many "ticks" and many
> "checks". But instead I get one "check" for Rule B, ~2488 ticks. Only one
> single "check" out of everything.
> 
> This happens for both text output:
> http://pastebin.com/XbXMyw5J
> 
> And JSON output:
> 
> > {"timestamp":"2016-02-08T20:09:52.066377+0000","rules":[{"signature_id": 2005568,"gid":1,"rev":5,"checks":1,"matches":0,"ticks_total":2376,"ticks_max":2376,"ticks_avg":2376,"ticks_avg_match":0,"ticks_avg_nomatch":2376,"percent":100}]}
> 
> How could a rules file with three rules, run against huge pcaps, only have
> a single "check" for only one of the rules?
> 
> Second question/issue, maybe related, maybe not. If I reorder the rules, I
> get the same result (expected.) If I remove rule A from the list, I get the
> same result (expected). If I remove rule C, I get a different result.
> Profiling will return nothing, aka no "check" or "ticks" for any rules (not
> expected).
> 
> For the record this happens in larger rule files too. But as I add more
> rules, some of them will get checked a lot, whereas some of them won't be
> checked at all.
> 
> Let me know if I can include any other information that would be helpful.
> 
> Many thanks for any and all help!
> -JR



-- 
Andreas Herz
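Added example, not code from the thread or from the Suricata project: a small Python checker that parses the JSON rule_perf.log records of the shape John posted, sums checks and ticks per signature_id, and lists the loaded sids that never received a single check (the symptom described above). The rules file below is a constructed stand-in; the sids of rules A and B come from the ET links in the thread, and rule C's sid 9000001 is a placeholder, not the real ETPro sid.

```python
import json
import re
from collections import defaultdict

# Constructed sample: the one JSON record from the thread, as a line of rule_perf.log
RULE_PERF_LOG = (
    '{"timestamp":"2016-02-08T20:09:52.066377+0000","rules":[{"signature_id": 2005568,'
    '"gid":1,"rev":5,"checks":1,"matches":0,"ticks_total":2376,"ticks_max":2376,'
    '"ticks_avg":2376,"ticks_avg_match":0,"ticks_avg_nomatch":2376,"percent":100}]}\n'
)

# Constructed stand-in for the rules file; rule C's sid 9000001 is a placeholder.
RULES_FILE = """\
# rule A
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"rule A"; sid:2006588; rev:1;)
# rule B
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"rule B"; sid:2005568; rev:5;)
# rule C (placeholder sid)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"rule C"; sid:9000001; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def loaded_sids(rules_text):
    """Return the set of sids declared in a rules file, skipping blank and comment lines."""
    sids = set()
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SID_RE.search(line)
        if m:
            sids.add(int(m.group(1)))
    return sids


def aggregate_profile(log_text):
    """Sum checks, matches and ticks_total per sid over every JSON record in the log."""
    totals = defaultdict(lambda: {"checks": 0, "matches": 0, "ticks_total": 0})
    for line in log_text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue  # ignore non-JSON lines (e.g. text-mode profiling output)
        for r in json.loads(line).get("rules", []):
            t = totals[r["signature_id"]]
            for k in t:
                t[k] += r.get(k, 0)
    return dict(totals)


def unchecked_sids(rules_text, log_text):
    """Loaded sids with zero recorded checks: the rules the profiler never saw evaluated."""
    prof = aggregate_profile(log_text)
    return sorted(s for s in loaded_sids(rules_text) if prof.get(s, {}).get("checks", 0) == 0)
```

Run against a real rule_perf.log and rules file, the list it returns is the set of sids worth mentioning in the redmine ticket alongside the pcap.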


