[Oisf-users] Issue with Profiling in Suricata (Seen both in 2.0.11 and 3.0)

Peter Manev petermanev at gmail.com
Wed Feb 17 08:45:03 UTC 2016


On Mon, Feb 8, 2016 at 9:53 PM, John Rett <johnarett at gmail.com> wrote:
> I'm seeing some weird behavior from the profiling results, and I'm trying to
> understand if what I'm seeing is a bug, some issue with my rules (I doubt
> this), or some behavior that I don't understand.
>
> I have configured and built suricata with profiling successfully. I'm
> getting output in my rule_perf.log.
>
> I'm running the default yaml:
> /data/suricata-3.0/src/suricata -vv -c /data/suricata-3.0/suricata.yaml -r
> /data/my.pcap -S /data/rules_file.txt
>
> Say I have rule A, B, and C in my rules file.
> Rule A is http://doc.emergingthreats.net/2006588
> Rule B is http://doc.emergingthreats.net/2005568
> Rule C is a boring ETpro rule (Let me know if there is a proper way to
> share this.)
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS etc...
>
>
> If I run this rules file through a couple of huge (7G and 23G) pcaps of a
> real, large network, I would expect these rules to have many "ticks" and many
> "checks". But instead I get one "check" for Rule B, ~2488 ticks. Only one
> single "check" out of everything.

If you re-run with --runmode=single, would the stats be similar?

>
> This happens for both text output:
> http://pastebin.com/XbXMyw5J
>
> And JSON output:
>>
>> {"timestamp":"2016-02-08T20:09:52.066377+0000","rules":[{"signature_id":2005568,"gid":1,"rev":5,"checks":1,"matches":0,"ticks_total":2376,"ticks_max":2376,"ticks_avg":2376,"ticks_avg_match":0,"ticks_avg_nomatch":2376,"percent":100}]}
>
>
> How could a rules file with three rules, run against huge pcaps, have only
> a single "check" for only one of the rules?
>
> Second question/issue, maybe related, maybe not. If I reorder the rules, I
> get the same result (expected). If I remove rule A from the list, I get the
> same result (expected). If I remove rule C, I get a different result:
> profiling will return nothing, aka no "check" or "ticks" for any rules (not
> expected).
>
> For the record this happens in larger rule files too. But as I add more
> rules, some of them will get checked a lot, whereas some of them won't be
> checked at all.
>
> Let me know if I can include any other information that would be helpful.
>
> Many thanks for any and all help!
> -JR
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC:
> http://oisfevents.net



-- 
Regards,
Peter Manev
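The JSON record John quotes is one dump of Suricata's rule profiling output (one JSON object per dump, each with a "rules" array). The script below is an added example, not code from the thread or from the Suricata project: it parses a rule_perf.log in that JSON mode, sums checks, matches and ticks per signature_id across dumps, lists the SIDs from the loaded rules file that produced no record at all (in the thread's own output a rule with zero checks simply does not appear, which is why the file goes empty when rule C is removed), and diffs two runs so Peter's suggestion of re-running with --runmode=single can be checked rule by rule. The first sample line is the record from the thread; the second line and the SID 9000001 standing in for the unnamed ETpro rule C are constructed here for illustration.

```python
import json
from collections import defaultdict

# Constructed sample of rule_perf.log in JSON mode. Line 1 is the record quoted
# in the thread; line 2 is made up here to show a dump with two rules, one of
# which actually matched.
SAMPLE_RULE_PERF = """\
{"timestamp":"2016-02-08T20:09:52.066377+0000","rules":[{"signature_id":2005568,"gid":1,"rev":5,"checks":1,"matches":0,"ticks_total":2376,"ticks_max":2376,"ticks_avg":2376,"ticks_avg_match":0,"ticks_avg_nomatch":2376,"percent":100}]}
{"timestamp":"2016-02-08T20:15:00.000000+0000","rules":[{"signature_id":2006588,"gid":1,"rev":9,"checks":10,"matches":2,"ticks_total":50000,"ticks_max":9000,"ticks_avg":5000,"ticks_avg_match":7000,"ticks_avg_nomatch":4500,"percent":88},{"signature_id":2005568,"gid":1,"rev":5,"checks":3,"matches":0,"ticks_total":7000,"ticks_max":3000,"ticks_avg":2333,"ticks_avg_match":0,"ticks_avg_nomatch":2333,"percent":12}]}
"""

# SIDs of the three rules in the thread's rules file. 9000001 is a placeholder
# (hypothetical) SID for the unnamed ETpro rule C.
LOADED_SIDS = {2006588, 2005568, 9000001}


def parse_rule_perf(text):
    """Return one flat dict per (dump, rule) from rule_perf.log JSON lines.

    Lines that do not start with '{' (blank lines, text-mode headers) are
    skipped, so the parser also survives a log that mixes both output modes.
    """
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        dump = json.loads(line)
        for rule in dump.get("rules", []):
            row = dict(rule)
            row["timestamp"] = dump.get("timestamp")
            rows.append(row)
    return rows


def summarize(rows, loaded_sids):
    """Aggregate per signature_id across all dumps.

    Returns (totals, never_checked): totals maps SID -> summed counters plus
    ticks_per_check; never_checked lists SIDs from the rules file that have
    no profiling record at all, which is the only way to see a rule with
    zero checks, since such rules do not show up in the dump.
    """
    totals = defaultdict(lambda: {"checks": 0, "matches": 0,
                                  "ticks_total": 0, "ticks_max": 0})
    for r in rows:
        t = totals[r["signature_id"]]
        t["checks"] += r["checks"]
        t["matches"] += r["matches"]
        t["ticks_total"] += r["ticks_total"]
        t["ticks_max"] = max(t["ticks_max"], r["ticks_max"])
    for t in totals.values():
        t["ticks_per_check"] = (t["ticks_total"] // t["checks"]
                                if t["checks"] else 0)
    never_checked = sorted(set(loaded_sids) - set(totals))
    return dict(totals), never_checked


def compare_runs(totals_a, totals_b):
    """Return {sid: (checks_a, checks_b)} for SIDs whose check counts differ
    between two summaries, e.g. the default runmode versus --runmode=single.
    A SID missing from one run counts as 0 checks there."""
    diffs = {}
    for sid in set(totals_a) | set(totals_b):
        ca = totals_a.get(sid, {}).get("checks", 0)
        cb = totals_b.get(sid, {}).get("checks", 0)
        if ca != cb:
            diffs[sid] = (ca, cb)
    return diffs


if __name__ == "__main__":
    totals, never = summarize(parse_rule_perf(SAMPLE_RULE_PERF), LOADED_SIDS)
    for sid, t in sorted(totals.items()):
        print(f"sid {sid}: checks={t['checks']} matches={t['matches']} "
              f"ticks_total={t['ticks_total']} ticks/check={t['ticks_per_check']}")
    print("loaded but never checked:", never)
```

To compare runmodes, run Suricata twice with the same pcap and rules file, once with --runmode=single, point parse_rule_perf at each resulting rule_perf.log, and feed the two summaries to compare_runs; only SIDs whose check counts differ are returned.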