docker-suricata

Rules profiling

Open regit opened this issue 1 month ago • 5 comments

Add rules profiling build option to regular build. It is deactivated by default and needs to be activated via --set commands.

regit avatar Nov 21 '25 15:11 regit

conflict. I'm rebasing.

regit avatar Nov 21 '25 15:11 regit

> conflict. I'm rebasing.

I can do it too. You caught me in the middle of some cleanup.

jasonish avatar Nov 21 '25 21:11 jasonish

How much of a perf impact is expected if this option is built in but disabled at runtime?

victorjulien avatar Nov 23 '25 19:11 victorjulien

> How much of a perf impact is expected if this option is built in but disabled at runtime?

I have a similar question. I wonder if we could run it with Suricata QA?

jasonish avatar Nov 24 '25 17:11 jasonish

> How much of a perf impact is expected if this option is built in but disabled at runtime?

> I have a similar question. I wonder if we could run it with Suricata QA?

We run built it on Stamus appliance and just activate it from time to time via unix socket (using also sampling). No real performance impact has been seen.

regit avatar Nov 26 '25 14:11 regit

Hello @jasonish, do you need something from me there?

regit avatar Dec 15 '25 18:12 regit

Performance-wise, I think things are OK. With my own pcap-based testing, having rule profiling compiled in, but disabled, was not measurable.

However, compiling it also enabled it by default, which isn't ideal: https://github.com/OISF/suricata/blob/main-8.0.x/suricata.yaml.in#L1951

I could patch up the config as part of building the images, but I'd rather not. I wonder if this default should be changed in Suricata. I think it should, but should it be backported as well is the question I think..

jasonish avatar Dec 16 '25 03:12 jasonish

> Performance-wise, I think things are OK. With my own pcap-based testing, having rule profiling compiled in, but disabled, was not measurable.

> However, compiling it also enabled it by default, which isn't ideal: https://github.com/OISF/suricata/blob/main-8.0.x/suricata.yaml.in#L1951

> I could patch up the config as part of building the images, but I'd rather not. I wonder if this default should be changed in Suricata. I think it should, but should it be backported as well is the question I think..

It is enabled but not active by default.

It will only start computing performance when triggered via unix-socket or if active is set to yes.

regit avatar Dec 17 '25 10:12 regit

> Performance-wise, I think things are OK. With my own pcap-based testing, having rule profiling compiled in, but disabled, was not measurable. However, compiling it also enabled it by default, which isn't ideal: https://github.com/OISF/suricata/blob/main-8.0.x/suricata.yaml.in#L1951 I could patch up the config as part of building the images, but I'd rather not. I wonder if this default should be changed in Suricata. I think it should, but should it be backported as well is the question I think..

> It is enabled but not active by default.

> It will only start computing performance when triggered via unix-socket or if active is set to yes.

Yeah, I noticed that. Still not happy that it dumps the log file by default though.

jasonish avatar Dec 17 '25 16:12 jasonish