9.4. Rules Profiling

If Suricata is built with the --enable-profiling-rules configure option, ruleset profiling can be started and stopped on demand over the unix socket, and the results can be dumped through the same socket.

To start profiling:

suricatasc -c ruleset-profile-start

To stop profiling:

suricatasc -c ruleset-profile-stop

To dump the profiling results:

suricatasc -c ruleset-profile

A typical scenario for measuring rule performance is:

suricatasc -c ruleset-profile-start
sleep 30
suricatasc -c ruleset-profile-stop
suricatasc -c ruleset-profile

On busy systems, profiling can be limited to a subset of packets by setting the sample-rate variable in the profiling section of the suricata.yaml file.
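
The typical scenario above, wrapped as a shell function that always stops profiling (even when the wait is interrupted) and only writes the dump file when the dump succeeded. This is an added example, not code from the Suricata project: profile_rules and the SURICATASC variable are names made up here, and it assumes suricatasc exits non-zero when a command fails.

```shell
#!/bin/sh
# Added example, not from the Suricata project. SURICATASC and
# profile_rules are names made up for this sketch.
SURICATASC="${SURICATASC:-suricatasc}"

# profile_rules SECONDS OUTFILE
# The body runs in a subshell so the trap and exit codes stay local.
profile_rules() (
    duration="$1"
    outfile="$2"
    case "$duration" in
        ''|*[!0-9]*) echo "duration must be whole seconds" >&2; exit 2 ;;
    esac
    [ -n "$outfile" ] || { echo "usage: profile_rules SECONDS OUTFILE" >&2; exit 2; }

    # Assumption: suricatasc exits non-zero when the command fails,
    # for example when the unix socket is unreachable.
    "$SURICATASC" -c ruleset-profile-start >/dev/null || {
        echo "ruleset-profile-start failed" >&2; exit 1; }

    # If the wait is interrupted, still stop profiling so it is not
    # left running on a busy sensor.
    trap '"$SURICATASC" -c ruleset-profile-stop >/dev/null; exit 130' INT TERM
    sleep "$duration"
    trap - INT TERM

    "$SURICATASC" -c ruleset-profile-stop >/dev/null || {
        echo "ruleset-profile-stop failed" >&2; exit 1; }

    # Dump to a temp file first so a failed dump never leaves a
    # truncated or empty OUTFILE behind.
    tmp="$outfile.tmp.$$"
    if "$SURICATASC" -c ruleset-profile >"$tmp" && [ -s "$tmp" ]; then
        mv "$tmp" "$outfile"
    else
        rm -f "$tmp"
        echo "ruleset-profile returned no data" >&2
        exit 1
    fi
)

# Usage: profile_rules 30 /var/tmp/rule-profile.json
```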