[Oisf-users] Suricata 4.0.0 - bypass/performance issue

Martin Petracek martin.petracek at nic.cz
Mon Jul 24 14:54:05 UTC 2017


I tried --disable-detection, -S /dev/null and I didn't notice any
difference (either there is no difference or it's negligible).

Neither --set stream.reassembly.raw=false did any difference (I tried to
play with this option before in config file).

The performance is still bad with these options (vanilla source).


Maybe I wasn't precise, I don't want to disable rules/detection
completely. I would like to use some rules in later stages of
development (I don't want to cut that option completely), but these
would be only for HTTP/TLS/DNS names, not for packet content.


I'm not sure what were the cases that this patch tried to address still
(what I might be missing, what's bypassed too early). I'm not sure if
it's worth that dramatic performance penalty.

Best regards
Martin Petracek

On 20.7.2017 10:32, Victor Julien wrote:
> On 20-07-17 10:26, Victor Julien wrote:
>> On 19-07-17 17:27, Martin Petracek wrote:
>>> Oh, I should also mention that I'm using suricata without any rules,
>>> just to perform deep-packet-inspection and get HTTP/TLS/DNS information.
>>> I'm getting these information still, even with this patch. I think the
>>> information drop could be important with some rules.
>>
>> Are you using --disable-detection?
>>
>> If so, could you test the vanilla source with -S /dev/null instead? I
>> think there may be a dependency on the detection engine.
>>
> 
> Also separately could you add this commandline option and see if it has
> any effect?
> 
> --set stream.reassembly.raw=false
> 
> 
> 
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> 
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170724/d7bf493c/attachment-0002.sig>


More information about the Oisf-users mailing list