11.9. Rule Profiling

Suricata can generate a rule performance report at the end of each session if it was built with the --enable-profiling configure option (see Configuring Rule Profiling). With that option, the engine also generates profiling data for other engine modules, such as packet processing.

Rule profiling can also be enabled by building the engine with --enable-profiling-rules and using the unix socket to dump the report (see Rules Profiling). This enables profiling of rule statistics only.

Once generated, the report is stored in Suricata's default log directory. Unless changed, the filename is rule_perf.log.

A Rules Profile report looks like this:

--------------------------------------------------------------------------
Date: 9/5/2013 -- 14:59:58
--------------------------------------------------------------------------
 Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
-------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
1        2210021      1        3        12037        4.96   1        1        12037       12037.00    12037.00    0.00
2        2210054      1        1        107479       44.26  12       0        35805       8956.58     0.00        8956.58
3        2210053      1        1        4513         1.86   1        0        4513        4513.00     0.00        4513.00
4        2210023      1        1        3077         1.27   1        0        3077        3077.00     0.00        3077.00
5        2210008      1        1        3028         1.25   1        0        3028        3028.00     0.00        3028.00
6        2210009      1        1        2945         1.21   1        0        2945        2945.00     0.00        2945.00
7        2210055      1        1        2945         1.21   1        0        2945        2945.00     0.00        2945.00
8        2210007      1        1        2871         1.18   1        0        2871        2871.00     0.00        2871.00
9        2210005      1        1        2871         1.18   1        0        2871        2871.00     0.00        2871.00
10       2210024      1        1        2846         1.17   1        0        2846        2846.00     0.00        2846.00

The meaning of the individual fields:

  • Ticks -- total ticks spent on this rule, i.e. the sum over all of its inspections.

  • % -- share of this single signature in the total cost of inspection.

  • Checks -- number of times the signature was inspected.

  • Matches -- number of times it matched. A match need not have resulted in an alert, because of suppression and thresholding.

  • Max Ticks -- the single most expensive inspection.

  • Avg Ticks -- per-inspection average, i.e. "Ticks" / "Checks".

  • Avg Match -- average ticks per inspection that resulted in a match.

  • Avg No Match -- average ticks per inspection that resulted in no match.

The "ticks" are CPU clock ticks: http://en.wikipedia.org/wiki/CPU_time
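As an added example (not part of the Suricata documentation or code base), the following Python parses the rule_perf.log layout shown above, sanity-checks the reported Avg Ticks against Ticks / Checks, and lists signatures that consumed a noticeable share of inspection time without ever matching, which are the usual candidates for rule tuning. The report text embedded below is constructed from three rows of the sample above; the threshold `min_share` is an assumed parameter.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the rule_perf.log layout shown above (three rows only).
SAMPLE_REPORT = """\
--------------------------------------------------------------------------
Date: 9/5/2013 -- 14:59:58
--------------------------------------------------------------------------
 Num      Rule         Gid      Rev      Ticks        %      Checks   Matches  Max Ticks   Avg Ticks   Avg Match   Avg No Match
-------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
1        2210021      1        3        12037        4.96   1        1        12037       12037.00    12037.00    0.00
2        2210054      1        1        107479       44.26  12       0        35805       8956.58     0.00        8956.58
3        2210053      1        1        4513         1.86   1        0        4513        4513.00     0.00        4513.00
"""

@dataclass
class RuleStats:
    sid: int; gid: int; rev: int; ticks: int; percent: float
    checks: int; matches: int; max_ticks: int
    avg_ticks: float; avg_match: float; avg_no_match: float

# One data row: Num, then the eleven fields described in the list above.
ROW_RE = re.compile(r"^\s*\d+\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+([\d.]+)\s+(\d+)\s+(\d+)"
                    r"\s+(\d+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s*$")

def parse_rule_perf(text: str) -> List[RuleStats]:
    """Parse the data rows of a rule_perf.log report; date, header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        f = m.groups()
        rows.append(RuleStats(int(f[0]), int(f[1]), int(f[2]), int(f[3]), float(f[4]),
                              int(f[5]), int(f[6]), int(f[7]),
                              float(f[8]), float(f[9]), float(f[10])))
    return rows

def check_averages(rows: List[RuleStats]) -> List[int]:
    """SIDs whose reported Avg Ticks disagrees with Ticks / Checks (a sanity check on the report)."""
    return [r.sid for r in rows if r.checks and abs(r.ticks / r.checks - r.avg_ticks) > 0.01]

def costly_never_matching(rows: List[RuleStats], min_share: float = 1.0) -> List[int]:
    """SIDs that used at least min_share % of inspection time yet never matched, costliest first."""
    ranked = sorted(rows, key=lambda r: r.ticks, reverse=True)
    return [r.sid for r in ranked if r.matches == 0 and r.percent >= min_share]
```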