suricata如何进行性能分析
储志业
本节介绍一下suricata中提供的一些性能分析方法。
性能是suricata非常重要的一个方面,suricata提供了两种分析性能方法:1,静态的规则分析方法。2,动态的规则分析方法。
静态的规则分析方法
在影响suricata性能的因素这篇文章中介绍了性能关键字的建议写法和组合,其中的标准就是suricata本身提供的,即RUNMODE_ENGINE_ANALYSIS模式。将suricata的mode设置为RUNMODE_ENGINE_ANALYSIS,在函数SigLoadSignatures中
if (RunmodeGetCurrent() == RUNMODE_ENGINE_ANALYSIS) {
fp_engine_analysis_set = SetupFPAnalyzer();
rule_engine_analysis_set = SetupRuleAnalyzer();
}
这个位置判断当前的运行模式,若是分析规则模式,则会生成两个文件用于后续记录分析结果。一个是分析整个规则的记录,另外一个是分析fast pattern的记录。
真正执行文件分析的函数执行路径为ProcessSigFiles->DetectLoadSigFile,在DetectEngineAppendSig函数之后,每新增一个规则,则进行一次分析。EngineAnalysisFP函数对应fast pattern的分析,EngineAnalysisRules函数对应整条规则的分析,效果如下:
EngineAnalysisFP对应的示例:
-------------------------------------------------------------------
Date: 18/10/2020 -- 13:59:08
-------------------------------------------------------------------
== Sid: 100000001 ==
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Mediacast Password Dump Attempt Flowbit Set"; flow:to_server,established; content:"GET"; http_method; content:"authenticate_ad_setup_finished.cfm?UserID="; nocase; http_uri; content:"&ClearSession=1"; nocase; http_uri; flowbits:set,ETPRO.MediaCast.passwDump; flowbits:noalert; reference:cve,2010-0216; reference:url,www.packetninjas.net/storage/advisories/MediaCast-PWDump-FINAL.txt; classtype:attempted-recon; sid:100000001; rev:3; metadata:created_at 2011_04_26, updated_at 2020_04_20;)
Fast Pattern analysis:
Fast pattern matcher: http request uri (http_uri)
Flags: Nocase
Fast pattern set: no
Fast pattern only set: no
Fast pattern chop set: no
Original content: authenticate_ad_setup_finished.cfm?userid=
Final content: authenticate_ad_setup_finished.cfm?userid=
== Sid: 100000002 ==
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Mediacast Password Dump Attack Response"; flow:from_server,established; flowbits:isset,ETPRO.MediaCast.passwDump; content:"IsAdmin"; nocase; content:"IsGeneric"; nocase; distance:0; content:"IsInstructor"; nocase; distance:0; content:"IsManager"; nocase; distance:0; content:"IsTrainingManager"; nocase; distance:0; content:"OrganizationID"; nocase; distance:0; content:"Password"; nocase; distance:0; content:"SetTopMode"; nocase; distance:0; content:"SystemID"; nocase; distance:0; content:"WebCT"; nocase; distance:0; content:"cfid"; nocase; distance:0; content:"cftoken"; nocase; distance:0; content:"email"; nocase; distance:0; content:"sessionid"; nocase; distance:0; content:"urltoken"; flowbits:unset,ETPRO.MediaCast.passwDump; reference:cve,2010-0216; reference:url,www.packetninjas.net/storage/advisories/MediaCast-PWDump-FINAL.txt; classtype:successful-recon-limited; sid:100000002; rev:7; metadata:created_at 2011_04_26, updated_at 2011_04_26;)
Fast Pattern analysis:
Fast pattern matcher: content
Flags: Distance Nocase
Fast pattern set: no
Fast pattern only set: no
Fast pattern chop set: no
Original content: istrainingmanager
Final content: istrainingmanager
可以看到此项的分析中列出了该条规则fast pattern所对应的content内容,对应的flags(包括是否区分大小写,是否有相对位置等关键字),fast pattern对应的buffer等等。由于fast pattern最将会是prefilter中内容的匹配部分,因此如果选中的fast patttern如果过弱,将会导致后续流程中需要匹配的规则数量过多。因此该分析可以让使用者,对于fast pattern的选择有一个整体的印象,决定是否要指定fast pattern。
EngineAnalysisRules对应的示例:
-------------------------------------------------------------------
Date: 18/10/2020 -- 13:59:08
-------------------------------------------------------------------
== Sid: 100000001 ==
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Mediacast Password Dump Attempt Flowbit Set"; flow:to_server,established; content:"GET"; http_method; content:"authenticate_ad_setup_finished.cfm?UserID="; nocase; http_uri; content:"&ClearSession=1"; nocase; http_uri; flowbits:set,ETPRO.MediaCast.passwDump; flowbits:noalert; reference:cve,2010-0216; reference:url,www.packetninjas.net/storage/advisories/MediaCast-PWDump-FINAL.txt; classtype:attempted-recon; sid:100000001; rev:3; metadata:created_at 2011_04_26, updated_at 2020_04_20;)
Rule matches on http uri buffer.
Rule matches on http method buffer.
App layer protocol is http.
Rule contains 0 content options, 3 http content options, 0 pcre options, and 0 pcre options with http modifiers.
Fast Pattern "authenticate_ad_setup_finished.cfm?userid=" on "http request uri (http_uri)" buffer.
No warnings for this rule.
== Sid: 100000002 ==
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Mediacast Password Dump Attack Response"; flow:from_server,established; flowbits:isset,ETPRO.MediaCast.passwDump; content:"IsAdmin"; nocase; content:"IsGeneric"; nocase; distance:0; content:"IsInstructor"; nocase; distance:0; content:"IsManager"; nocase; distance:0; content:"IsTrainingManager"; nocase; distance:0; content:"OrganizationID"; nocase; distance:0; content:"Password"; nocase; distance:0; content:"SetTopMode"; nocase; distance:0; content:"SystemID"; nocase; distance:0; content:"WebCT"; nocase; distance:0; content:"cfid"; nocase; distance:0; content:"cftoken"; nocase; distance:0; content:"email"; nocase; distance:0; content:"sessionid"; nocase; distance:0; content:"urltoken"; flowbits:unset,ETPRO.MediaCast.passwDump; reference:cve,2010-0216; reference:url,www.packetninjas.net/storage/advisories/MediaCast-PWDump-FINAL.txt; classtype:successful-recon-limited; sid:100000002; rev:7; metadata:created_at 2011_04_26, updated_at 2011_04_26;)
Rule matches on reassembled stream.
App layer protocol is http.
Rule contains 15 content options, 0 http content options, 0 pcre options, and 0 pcre options with http modifiers.
Fast Pattern "istrainingmanager" on "reassembled stream" buffer.
Warning: Rule app layer protocol is http, but content options do not have http_* modifiers.
-Consider adding http content modifiers.
Warning: Rule app layer protocol is http, but the fast_pattern is set on the raw stream. Consider adding fast_pattern over a http buffer for increased performance.
可以看到该项分析中列出了规则更为丰富的信息,对于比较好的规则,一般给出的结论是No warnings for this rule。对于有问题的规则,会列出该项规则具体需要改进的地方,例如Warning: 。一般这里面的指标可以作为编写规则的指导,更多的内容参见EngineAnalysisRules函数或者我的上一篇文章《影响suricata性能的因素》。
动态的规则分析方法
除了静态的分析之外,suricata还提供了一个动态分析每一条规则耗时的功能,并为此提供了编译选项PROFILING。定义该编译宏,会将相应的功能代码编入可执行程序,对应的代码在PreRunInit函数中,如下:
void PreRunInit(const int runmode)
{
if (runmode == RUNMODE_UNIX_SOCKET)
return;
StatsInit();
#ifdef PROFILING
SCProfilingRulesGlobalInit();
SCProfilingKeywordsGlobalInit();
SCProfilingPrefilterGlobalInit();
SCProfilingSghsGlobalInit();
SCProfilingInit();
#endif /* PROFILING */
DatasetsInit();
DefragInit();
FlowInitConfig(FLOW_QUIET);
IPPairInitConfig(FLOW_QUIET);
StreamTcpInitConfig(STREAM_VERBOSE);
AppLayerParserPostStreamSetup();
AppLayerRegisterGlobalCounters();
}
以rule profiling为例,SCProfilingRulesGlobalInit函数中读取配置并设置profiling_rules_enabled。DetectRulePacketRules函数以及DetectRunTx是进行规则的匹配,记录的起始位置为RULE_PROFILING_START(p);,记录的结束位置是RULE_PROFILING_END(det_ctx, s, smatch, p);
选取一次Rule Profiling的输出前10条记录如下:
--------------------------------------------------------------------------
Date: 6/6/2020 -- 10:24:19. Sorted by: max ticks.
--------------------------------------------------------------------------
Num Rule Gid Rev Ticks % Checks Matches Max Ticks Avg Ticks Avg Match Avg No Match
-------- ------------ -------- -------- ------------ ------ -------- -------- ----------- ----------- ----------- --------------
1 2016918 1 7 292329 46.40 10 0 57054 29232.90 0.00 29232.90
2 2002994 1 7 41898 6.65 3 3 26166 13966.00 13966.00 0.00
3 2102649 1 3 20268 3.22 1 1 20268 20268.00 20268.00 0.00
4 2102003 1 9 19163 3.04 1 1 19163 19163.00 19163.00 0.00
5 2101979 1 6 17522 2.78 1 0 17522 17522.00 0.00 17522.00
6 2800000 1 5 90551 14.37 8 1 16870 11318.88 16870.00 10525.86
7 2017882 1 3 14895 2.36 1 0 14895 14895.00 0.00 14895.00
8 2102650 1 3 13736 2.18 1 0 13736 13736.00 0.00 13736.00
9 2016680 1 6 34047 5.40 3 0 12696 11349.00 0.00 11349.00
10 2002992 1 7 32773 5.20 4 4 9503 8193.25 8193.25 0.00
结果分析如下:
- 1,rule表示规则的sid。
- 2,Gid表示规则的group id,通常来说suricata中默认的Gid为1,除非在规则中进行设置。即使在规则中设置了Gid,对于识别也是没有影响的,可能有助于输出的统计。
- 3,Rev及规则中的rev字段,表示该条规则的版本信息。
- 4,Ticks表示的是suricata花费在该条规则上的检测检测总时间,可以理解为跑完一个pcap文件,所有数据包在某条规则上所消耗的检测时间总和,使用CPU的时钟进行统计。
- 5,%该条规则所消耗的时间占所有规则检测时间的百分比。
- 6,Checks表示该条规则在所有数据包进行检测的过程中,被检测了几次。
- 7,Matches表示该条规则检测并且命中的次数。
- 8,Max Ticks表示该条规则最耗时的一次检测消耗的时钟数。
- 9,Avg Ticks表示该条规则平均消耗的时钟数,计算方法为Ticks/Checks。
- 10,Avg Match 表示该条规则命中平均消耗的时钟数,计算方法为匹配的上的总时钟数/Matches
- 11,Avg No Match表示该条规则没有命中平均消耗的时钟数,计算方法为没有匹配的上的总时钟数/没有命中的次数
根据以上的数据可以简单的对规则进行判断,一个好的规则满足如下的条件:
1,Avg Ticks的值较小
2,为了是的性能比较稳定,Max Ticks应该尽可能的接近Avg Ticks
3,Checks和Matches应尽可能的接近,也就是说只要对于该条规则进行检测,其命中的概率要高。如果相差较大,需要考虑是否优化fast pattern的选定。
Rule Profiling针对的是每一条规则的统计,而keyword profiling针对的是规则中每一个关键字的统计,统计的内容和Rule Profiling差不多,实力如下:
--------------------------------------------------------------------------------------------------------------------------------
Date: 6/6/2020 -- 12:09:16
--------------------------------------------------------------------------------------------------------------------------------
Stats for: total
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
flags 41351 27 27 2176 1531.00 1531.00 0.00
flow 172567390 108466 108466 908451 1590.00 1590.00 0.00
threshold 716302 196 16 55928 3654.00 3881.00 3634.00
content 607206544 309454 202622 2642793 1962.00 2046.00 1801.00
pcre 149140639 65543 2121 650334 2275.00 3050.00 2249.00
byte_test 64096976 45899 21431 523733 1396.00 1489.00 1314.00
byte_jump 8183145 4693 465 583426 1743.00 1447.00 1776.00
isdataat 6170749 4605 42 380857 1340.00 1396.00 1339.00
flowbits 1010813 489 341 4343 2067.00 2319.00 1486.00
tls.fingerprint 547970320 423539 0 544085 1293.00 0.00 1293.00
urilen 12391829 6569 2557 1816927 1886.00 1625.00 2052.00
byte_extract 92702 43 43 2757 2155.00 2155.00 0.00
dce_iface 48427 36 0 1979 1345.00 0.00 1345.00
xbits 83196 28 0 3930 2971.00 0.00 2971.00
--------------------------------------------------------------------------------------------------------------------------------
针对关键字的统计是的我们能够从更小的粒度去观察哪一个关键字是比较优秀的关键字。而关键字的度量也跟规则是一样的,通过关键字的关键统计,可以从关键字的角度优化规则。
不仅如此,关键字的profiling还提供了更为精细的统计,包括针对数据包头部,数据包载荷部分,HTTP的URI,protocol等等,如下:
--------------------------------------------------------------------------------------------------------------------------------
Stats for: packet
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
flags 11598 7 7 2832 1656.00 1656.00 0.00
flow 55784 32 32 4590 1743.00 1743.00 0.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: packet/stream payload
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 32484 13 10 4130 2498.00 2786.00 1541.00
pcre 148549 9 0 35495 16505.00 0.00 16505.00
isdataat 2619 2 1 1369 1309.00 1369.00 1250.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: threshold
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
threshold 33490 7 0 14232 4784.00 0.00 4784.00
--------------------------------------------------------------------------------------------------------------------------------
Stats for: http_uri
--------------------------------------------------------------------------------------------------------------------------------
Keyword Ticks Checks Matches Max Ticks Avg Avg Match Avg No Match
---------------- --------------- --------------- --------------- --------------- --------------- --------------- ---------------
content 28087 13 5 3563 2160.00 2565.00 1907.00
--------------------------------------------------------------------------------------------------------------------------------
对于prefilter的统计,示例如下:
--------------------------------------------------------------------------------------------------------------------------------
Date: 6/6/2020 -- 10:24:19
--------------------------------------------------------------------------------------------------------------------------------
Stats for: total
--------------------------------------------------------------------------------------------------------------------------------
Prefilter Ticks Called Max Ticks Avg
-------------------------------- --------------- --------------- --------------- ---------------
payload 3303743 1476 39328 2238.00
stream 3336949 1451 50633 2299.00
http_uri 492654 84 151947 5864.00
http_client_body 185799 63 19199 2949.00
http_header (request) 313699 70 18555 4481.00
http_header (request trailer) 68668 57 2088 1204.00
http_method 114693 84 5425 1365.00
http_cookie (request) 118137 70 4007 1687.00
http_raw_uri 157771 84 4100 1878.00
http_user_agent 207845 70 13475 2969.00
http_header (response) 12208 2 8376 6104.00
http_cookie (response) 3598 2 2170 1799.00
http_stat_code 5809 2 3109 2904.00
file_data 5314 4 1544 1328.00
- 1,Prefilter表示的是该条规则中被选中作为prefilter的匹配条件。可以看到相当多的是针对HTTP的匹配,主要是HTTP作为应用最为广泛的互联网协议,被攻击的场景最多,因此针对HTTP的规则也最多,针对于HTTP的攻击往往在头域中会出现一定的特征。
- 2,Ticks表示该项匹配条件所消耗的CPU时钟总数,和前面的规则Ticks类似。
- 3,Called表示改该项buffer被调用了多少次,前面的规则中的checks字段类似。
- 4,Max Ticks表示单次匹配消耗的最长时钟。
- 5,Avg表示该项匹配消耗的平均时钟。
对于prefilter来说,使用出现次数较少的字符串作为fast pattern有助于提高检测效率。因为当一个报文到达的时候,如果很多的规则的prefilter都是http_uri,则可能导致每条fast pattern都要去匹配对应的uri。如果prefilter比较分散,则匹配可以性能更加的稳定。
以上就是suricata中分析规则性能的好坏的一些方法,在实际的使用中多加使用,有助于优化规则,提升suricata的整体性能。
本文为CSDN村中少年原创文章,未经允许不得转载,博主链接这里。
类似资料: