[Oisf-users] Issue with Profiling in Suricata (Seen both in 2.0.11 and 3.0)

Peter Manev petermanev at gmail.com
Fri Feb 26 00:07:26 UTC 2016


On Wed, Feb 17, 2016 at 9:45 AM, John Rett <johnarett at gmail.com> wrote:
> Yes.

Anything reproducible you can share? (offline if you would like)

>
> On Wed, Feb 17, 2016 at 3:45 AM, Peter Manev <petermanev at gmail.com> wrote:
>>
>> On Mon, Feb 8, 2016 at 9:53 PM, John Rett <johnarett at gmail.com> wrote:
>> > I'm seeing some weird behavior from the profiling results, and I'm
>> > trying to understand if what I'm seeing is a bug, some issue with my
>> > rules (I doubt this), or some behavior that I don't understand.
>> >
>> > I have configured and built suricata with profiling successfully. I'm
>> > getting output in my rule_perf.log.
>> >
>> > I'm running the default yaml:
>> > /data/suricata-3.0/src/suricata -vv -c /data/suricata-3.0/suricata.yaml
>> > -r
>> > /data/my.pcap -S /data/rules_file.txt
>> >
>> > Say I have rule A, B, and C in my rules file.
>> > Rule A is http://doc.emergingthreats.net/2006588
>> > Rule B is http://doc.emergingthreats.net/2005568
>> > Rule C is a boring ETpro rule (Let me know if there is a proper way to
>> > share this.)
>> >>
>> >> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS etc...
>> >
>> >
>> > If I run this rules file through a couple of huge (7G and 23G) pcaps of
>> > a real large network I would expect these rules to have many "ticks" and
>> > many "checks". But instead I get one "check" for Rule B, ~2488 ticks.
>> > Only one single "check" out of everything.
>>
>> If you re-run with --runmode=single would the stats be similar ?
>>
>> >
>> > This happens for both text output:
>> > http://pastebin.com/XbXMyw5J
>> >
>> > And JSON output:
>> >>
>> >>
>> >> {"timestamp":"2016-02-08T20:09:52.066377+0000","rules":[{"signature_id":2005568,"gid":1,"rev":5,"checks":1,"matches":0,"ticks_total":2376,"ticks_max":2376,"ticks_avg":2376,"ticks_avg_match":0,"ticks_avg_nomatch":2376,"percent":100}]}
>> >
>> >
>> > How could a rules file with three rules, run against huge pcaps, only
>> > have a single "check" for only one of the rules?
>> >
>> > Second question/issue, maybe related, maybe not. If I reorder the rules,
>> > I get the same result (expected.) If I remove rule A from the list, I
>> > get the same result (expected). If I remove rule C, I get a different
>> > result. Profiling will return nothing, aka no "check" or "ticks" for any
>> > rules (not expected).
>> >
>> > For the record this happens in larger rule files too. But as I add more
>> > rules, some of them will get checked a lot, whereas some of them won't
>> > be checked at all.
>> >
>> > Let me know if I can include any other information that would be
>> > helpful.
>> >
>> > Many thanks for any and all help!
>> > -JR
>> >
>> >
>> > _______________________________________________
>> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> > Site: http://suricata-ids.org | Support:
>> > http://suricata-ids.org/support/
>> > List:
>> > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> > Suricata User Conference November 9-11 in Washington, DC:
>> > http://oisfevents.net
>>
>>
>>
>> --
>> Regards,
>> Peter Manev
>
>



-- 
Regards,
Peter Manev
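A small triage script for the symptom discussed in this thread: it reads the JSON form of rule_perf.log (one JSON object per profiling dump, with a "rules" list in the shape of the record quoted above), sums checks/matches/ticks per signature_id across all dumps, and reports which sids from the loaded rules file never received a single "check". This is an added example written for this page, not code from the thread or from the Suricata project; the log lines and the rules file below are constructed samples (sid 9000001 is a placeholder, not a real ET rule), and the sid extraction only looks for `sid:NNN;` in uncommented lines.

```python
import json
import re
from collections import defaultdict

# Constructed sample of rule_perf.log JSON lines, modelled on the record quoted
# in the thread: one JSON object per profiling dump, each with a "rules" list.
SAMPLE_RULE_PERF_LOG = """\
{"timestamp":"2016-02-08T20:09:52.066377+0000","rules":[{"signature_id":2005568,"gid":1,"rev":5,"checks":1,"matches":0,"ticks_total":2376,"ticks_max":2376,"ticks_avg":2376,"ticks_avg_match":0,"ticks_avg_nomatch":2376,"percent":100}]}
{"timestamp":"2016-02-08T20:19:52.000000+0000","rules":[{"signature_id":2005568,"gid":1,"rev":5,"checks":40,"matches":2,"ticks_total":96000,"ticks_max":4000,"ticks_avg":2400,"ticks_avg_match":3000,"ticks_avg_nomatch":2368,"percent":60},{"signature_id":2006588,"gid":1,"rev":3,"checks":32,"matches":0,"ticks_total":64000,"ticks_max":2500,"ticks_avg":2000,"ticks_avg_match":0,"ticks_avg_nomatch":2000,"percent":40}]}
"""

# Constructed rules file: three hypothetical rules. The sids 2006588 and 2005568
# are the ones named in the thread; 9000001 is a placeholder sid for "rule C".
SAMPLE_RULES_FILE = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"rule A"; sid:2006588; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"rule B"; sid:2005568; rev:5;)
# alert tcp any any -> any any (msg:"disabled rule"; sid:9000000; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"rule C"; sid:9000001; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def loaded_sids(rules_text):
    """Return the set of sids of enabled (non-commented) rules in a rules file."""
    sids = set()
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = SID_RE.search(line)
        if match:
            sids.add(int(match.group(1)))
    return sids


def aggregate_rule_perf(log_text):
    """Sum checks, matches and ticks_total per signature_id over all dumps."""
    totals = defaultdict(lambda: {"checks": 0, "matches": 0, "ticks_total": 0})
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        for entry in record.get("rules", []):
            acc = totals[entry["signature_id"]]
            acc["checks"] += entry["checks"]
            acc["matches"] += entry["matches"]
            acc["ticks_total"] += entry["ticks_total"]
    return dict(totals)


def report(rules_text, log_text):
    """Return (sids never checked, average ticks per check for checked sids).

    A loaded sid that never appears with checks > 0 is the symptom described in
    the thread: the rule was loaded but the profiler saw no evaluation of it.
    """
    sids = loaded_sids(rules_text)
    totals = aggregate_rule_perf(log_text)
    never_checked = sorted(s for s in sids if totals.get(s, {}).get("checks", 0) == 0)
    ticks_per_check = {
        sid: acc["ticks_total"] / acc["checks"]
        for sid, acc in totals.items()
        if acc["checks"]
    }
    return never_checked, ticks_per_check


if __name__ == "__main__":
    missing, per_check = report(SAMPLE_RULES_FILE, SAMPLE_RULE_PERF_LOG)
    print("loaded but never checked:", missing)
    for sid, avg in sorted(per_check.items()):
        print(f"sid {sid}: {avg:.1f} ticks/check")
```

Point the two constants at a real rules file and a real rule_perf.log (one JSON object per line) to run it against your own data; comparing the output of a normal run with a `--runmode=single` run, as suggested in the reply, shows whether the never-checked set changes with the runmode.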


