[Oisf-users] Suricata 4.0.0 - bypass/performance issue

Martin Petracek martin.petracek at nic.cz
Wed Jul 26 13:20:19 UTC 2017


On 25.7.2017 14:42, Victor Julien wrote:
> On 24-07-17 16:54, Martin Petracek wrote:
>> I tried --disable-detection, -S /dev/null and I didn't notice any
>> difference (either there is no difference or it's negligible).
>>
>> Nor did --set stream.reassembly.raw=false make any difference (I tried to
>> play with this option in the config file before).
>>
>> The performance is still bad with these options (vanilla source).
>>
>>
>> Maybe I wasn't precise, I don't want to disable rules/detection
>> completely. I would like to use some rules in later stages of
>> development (I don't want to cut that option completely), but these
>> would be only for HTTP/TLS/DNS names, not for packet content.
>>
>>
>> I'm still not sure which cases this patch tried to address
>> (what I might be missing, what's bypassed too early). I'm not sure if
>> it's worth that dramatic performance penalty.
> 
> The performance decrease is against a seriously broken version that
> bypasses lots of rules leading to false negatives. So the 'good'
> performance you got there is the anomaly.
> 
> I've created a patch to optimize the --disable-detection case, it should
> give you perf much closer to the broken stuff before:
> https://github.com/inliniac/suricata/pull/2855 Can you give this a run
> and let us know how it works?

Yes, it works. I patched it locally basically in the same way before,
but enabled it unconditionally.

>
> I think we can do optimizations for the case with rules as well later,
> but that will be more involved.

That would be really nice, but I understand it's more complex.

Thanks for helping!

Regards
Martin Petracek

Sorry, Victor, for receiving this message twice; I again forgot the 'Reply
to List' button :-)
